
Windows Privacy Protection Malware Threat Please Help


8 replies to this topic

#1 Answerer

  • Members
  • 5 posts

Posted 04 July 2008 - 03:01 AM

Hi guys,

Seems I've contracted the windows-privacy-protection.com malware that seems to be all over the web atm.
Yours was the first forum link I found when I googled the problem, and you helped this guy out: http://www.bleepingcomputer.com/forums/t/152543/spyware-i-cant-get-rid-off/
I followed the first step described there but soon realised that the two of us had very different logs, so I went no further. I've run Deckard's System Scanner and it gave me the following main.txt (I don't seem to have an extra.txt; I have run DSS more than once and I think it appeared the first time, but I'm not sure where on my computer this file would be). Everything from the notepad appears below the dashed line.
---------------------------------------------------------------------------------------------------------------------------------------------------------------



Deckard's System Scanner v20071014.68
Run by leanneb on 2008-07-04 17:54:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as leanneb.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:42 PM, on 4/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\leanneb\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\leanneb.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csiro.au/intranet/index.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.csiro.au/intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Movies Extractor Scout - {E4296A88-6900-46A9-8473-84768BB7FFAF} - C:\Program Files\Movies Extractor Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O17 - HKLM\Software\..\Telephony: DomainName = nexus.csiro.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 12608 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 17:43:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 17:42:47 0 d-------- C:\Program Files\Spyware Doctor
2008-07-04 17:42:47 0 d-------- C:\Documents and Settings\leanneb\Application Data\PC Tools
2008-07-04 17:30:16 1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-04 17:30:12 0 d-------- C:\Program Files\SpyNoMore
2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-04 17:22:04 12288 --a------ C:\WINDOWS\y.exe
2008-07-04 17:22:04 29952 --a------ C:\WINDOWS\xplugin.dll
2008-07-04 17:22:04 20224 --a------ C:\WINDOWS\x.exe
2008-07-04 17:22:04 30976 --a------ C:\WINDOWS\winmgnt.exe
2008-07-04 17:22:03 10240 --a------ C:\WINDOWS\window.exe
2008-07-04 17:22:03 11008 --a------ C:\WINDOWS\winajbm.dll
2008-07-04 17:22:03 31488 --a------ C:\WINDOWS\win64.exe
2008-07-04 17:22:03 29952 --a------ C:\WINDOWS\win32e.exe
2008-07-04 17:22:03 16384 --a------ C:\WINDOWS\waol.exe
2008-07-04 17:22:03 16640 --a------ C:\WINDOWS\users32.exe
2008-07-04 17:22:02 31744 --a------ C:\WINDOWS\time.exe
2008-07-04 17:22:02 20992 --a------ C:\WINDOWS\systemcritical.exe
2008-07-04 17:22:02 26880 --a------ C:\WINDOWS\systeem.exe
2008-07-04 17:22:02 28416 --a------ C:\WINDOWS\svcinit.exe
2008-07-04 17:22:01 29696 --a------ C:\WINDOWS\svchost32.exe
2008-07-04 17:22:01 30464 --a------ C:\WINDOWS\sistem.exe
2008-07-04 17:22:01 18944 --a------ C:\WINDOWS\searchword.dll
2008-07-04 17:22:00 13312 --a------ C:\WINDOWS\rundll16.exe
2008-07-04 17:22:00 15104 --a------ C:\WINDOWS\quicken.exe
2008-07-04 17:22:00 20224 --a------ C:\WINDOWS\qttasks.exe
2008-07-04 17:22:00 13312 --a------ C:\WINDOWS\olehelp.exe
2008-07-04 17:21:59 16896 --a------ C:\WINDOWS\notepad32.exe
2008-07-04 17:21:59 12032 --a------ C:\WINDOWS\mtwirl32.dll
2008-07-04 17:21:59 23296 --a------ C:\WINDOWS\mswsc20.dll
2008-07-04 17:21:59 29952 --a------ C:\WINDOWS\mswsc10.dll
2008-07-04 17:21:59 9984 --a------ C:\WINDOWS\msupdate.exe
2008-07-04 17:21:59 12544 --a------ C:\WINDOWS\mssys.exe
2008-07-04 17:21:59 9472 --a------ C:\WINDOWS\msspi.dll
2008-07-04 17:21:58 24320 --a------ C:\WINDOWS\msconfd.dll
2008-07-04 17:21:58 32256 --a------ C:\WINDOWS\loader.exe
2008-07-04 17:21:58 32768 --a------ C:\WINDOWS\internet.exe
2008-07-04 17:21:57 24320 --a------ C:\WINDOWS\inetinf.exe
2008-07-04 17:21:57 29952 --a------ C:\WINDOWS\iexplorer.exe
2008-07-04 17:21:56 30720 --a------ C:\WINDOWS\iedll.exe
2008-07-04 17:21:55 15360 --a------ C:\WINDOWS\helpcvs.exe
2008-07-04 17:21:55 10240 --a------ C:\WINDOWS\gfmnaaa.dll
2008-07-04 17:21:55 19712 --a------ C:\WINDOWS\funny.exe
2008-07-04 17:21:55 0 d-------- C:\Temp
2008-07-04 17:21:54 20480 --a------ C:\WINDOWS\funniest.exe
2008-07-04 17:21:54 15616 --a------ C:\WINDOWS\explorer32.exe
2008-07-04 17:21:54 22016 --a------ C:\WINDOWS\explore.exe
2008-07-04 17:21:54 13824 --a------ C:\WINDOWS\editpad.exe
2008-07-04 17:21:54 30208 --a------ C:\WINDOWS\dnsrelay.dll
2008-07-04 17:21:53 14592 --a------ C:\WINDOWS\directx32.exe
2008-07-04 17:21:53 25088 --a------ C:\WINDOWS\ctrlpan.dll
2008-07-04 17:21:53 31232 --a------ C:\WINDOWS\ctfmon32.exe
2008-07-04 17:21:53 15360 --a------ C:\WINDOWS\cpan.dll
2008-07-04 17:21:52 20480 --a------ C:\WINDOWS\clrssn.exe
2008-07-04 17:21:52 15872 --a------ C:\WINDOWS\avpcc.dll
2008-07-04 17:21:52 25088 --a------ C:\WINDOWS\accesss.exe
2008-07-04 17:15:09 0 d-------- C:\Program Files\Trend Micro
2008-07-04 16:59:42 68096 --a------ C:\WINDOWS\zip.exe
2008-07-04 16:59:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-04 16:59:42 212480 --a------ C:\WINDOWS\swxcacls.exe
2008-07-04 16:59:42 136704 --a------ C:\WINDOWS\swsc.exe
2008-07-04 16:59:42 161792 --a------ C:\WINDOWS\swreg.exe
2008-07-04 16:59:42 98816 --a------ C:\WINDOWS\sed.exe
2008-07-04 16:59:42 80412 --a------ C:\WINDOWS\grep.exe
2008-07-04 16:59:42 89504 --a------ C:\WINDOWS\fdsv.exe
2008-07-04 16:41:20 0 d-------- C:\Program Files\IObit
2008-07-03 23:55:06 0 d-------- C:\WINDOWS\system32\pRI
2008-07-03 23:55:03 0 d-------- C:\WINDOWS\system32\yrt
2008-07-03 23:54:56 0 d-------- C:\WINDOWS\system32\modtrux01
2008-07-03 19:49:39 0 d-------- C:\Program Files\The Witcher
2008-06-20 13:40:58 90073 --a------ C:\WINDOWS\system32\iftuyszv.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files
2008-07-03 20:22:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 00:34:01 0 d-------- C:\Documents and Settings\leanneb\Application Data\Orbit


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/05/2004 02:52 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/05/2004 02:48 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 07:04 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 12:04 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 10:32 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [23/08/2001 10:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 10:31 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 08:00 PM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [07/10/2003 09:48 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/08/2007 04:23 PM]
"nwiz"="nwiz.exe" [17/08/2007 04:23 PM C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/02/2007 07:26 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [12/02/2008 08:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/08/2007 04:23 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [15/06/2006 11:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 10:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [04/07/2008 05:30 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [02/10/2007 04:27 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:26 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03/02/2004 03:42 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/04/2007 01:31 PM]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 03:21 PM]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [4/08/2005 3:13:08 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/02/2007 7:22:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Domain_policy.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
AutoRun\command- E:\Installer.exe

*Newly Created Service* - ENTDRV51
*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - MCHINJDRV
*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE



-- End of Deckard's System Scanner: finished at 2008-07-04 17:56:00 ------------

---------------------------------------------------------------------------------------------------------------------------------------------------------------

If someone could help me out I'd be very grateful. I also have ComboFix; however, given the need to turn off the internet to run it, I've gone with DSS for the moment. If ComboFix is better, let me know.

Cheers

Edited by Answerer, 04 July 2008 - 05:36 AM.
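As an added example (not part of the original thread, nor code from HijackThis, DSS or ComboFix): a small Python triage script that scans HijackThis/DSS-style log lines for the persistence indicators visible in the log above, namely the extra executable appended to UserInit, orphaned BHO CLSIDs, a Run entry whose path contains lookalike characters rendered as `?`, the DisableTaskMgr policy, and the removable-media AutoRun command. The rule names and severities are my own assumptions, and the sample lines are copied from the posted log.

```python
"""Triage HijackThis / DSS log lines for common persistence indicators (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis and DSS output posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"
"DisableTaskMgr"=1 (0x1)
AutoRun\command- E:\Installer.exe
"""


@dataclass
class Finding:
    rule: str       # assumed rule name, chosen for this example
    severity: str   # assumed severity, chosen for this example
    evidence: str   # the value that triggered the rule


# HijackThis F2 line, or the equivalent "Userinit" value from a DSS registry dump.
USERINIT_RE = re.compile(r'^(?:F2 - REG:system\.ini: UserInit=|"Userinit"=")(.*?)"?$', re.I)
# O2 BHO whose CLSID no longer points at a file on disk.
BHO_NOFILE_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9a-f-]+\}) - \(no file\)$", re.I)
# O4 Run / RunOnce entries under any hive (HKLM, HKCU, HKUS\S-1-5-xx).
RUN_RE = re.compile(r"^O4 - (HK\S*?)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.*)$", re.I)
# Policy values that disable the user's own diagnostic tools.
POLICY_RE = re.compile(r'^"(DisableTaskMgr|DisableRegistryTools)"=1\b', re.I)
# Removable-media AutoRun command recorded under mountpoints2.
AUTORUN_RE = re.compile(r"^AutoRun\\command- (.*)$", re.I)


def check_userinit(value):
    """Return every UserInit entry other than the expected system32\\userinit.exe.

    The legitimate value is a single entry followed by a trailing comma; anything
    appended after it is launched at every logon, before the shell.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def triage(log_text):
    """Scan log lines and return a list of Finding objects in line order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := USERINIT_RE.match(line):
            for extra in check_userinit(m.group(1)):
                findings.append(Finding("userinit-extra", "high", extra))
        elif m := BHO_NOFILE_RE.match(line):
            findings.append(Finding("bho-orphan", "low", m.group(1)))
        elif m := RUN_RE.match(line):
            command = m.group(3)
            # HijackThis prints characters outside the console code page as "?";
            # a Run entry whose path needs them is hiding behind a lookalike name.
            if "?" in command:
                findings.append(Finding("run-unprintable-path", "high", f"[{m.group(2)}] {command}"))
        elif m := POLICY_RE.match(line):
            findings.append(Finding("policy-tool-disabled", "medium", m.group(1)))
        elif m := AUTORUN_RE.match(line):
            findings.append(Finding("autorun-command", "medium", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:22} {f.evidence}")
```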



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 04 July 2008 - 07:57 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Answerer
  • Topic Starter

  • Members
  • 5 posts

Posted 04 July 2008 - 08:46 PM

I unfortunately do not have the Windows XP install disc on me and as such haven't installed the Windows Recovery Console; nevertheless, here is the ComboFix log and the HijackThis log (from Deckard's System Scanner).

---------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 08-07-03.3 - leanneb 2008-07-05 11:35:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT 10:00]
Running from: C:\Documents and Settings\leanneb\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-05 11:37 . 2008-07-05 11:37 <DIR> d-------- C:\Temp
2008-07-04 17:43 . 2008-07-04 18:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 17:42 . 2008-07-05 11:29 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-04 17:42 . 2008-07-04 17:42 <DIR> d-------- C:\Documents and Settings\leanneb\Application Data\PC Tools
2008-07-04 17:42 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-07-04 17:42 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-04 17:42 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-04 17:42 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-04 17:42 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-04 17:30 . 2008-07-04 17:35 <DIR> d-------- C:\Program Files\SpyNoMore
2008-07-04 17:30 . 2008-07-04 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-04 17:30 . 2008-07-04 17:30 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-04 17:15 . 2008-07-04 17:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 17:11 . 2008-07-04 17:11 <DIR> d-------- C:\Deckard
2008-07-04 16:41 . 2008-07-04 16:41 <DIR> d-------- C:\Program Files\IObit
2008-07-03 23:55 . 2008-07-03 23:55 <DIR> d-------- C:\WINDOWS\system32\yrt
2008-07-03 23:55 . 2008-07-03 23:55 <DIR> d-------- C:\WINDOWS\system32\pRI
2008-07-03 23:54 . 2008-07-03 23:54 <DIR> d-------- C:\WINDOWS\system32\modtrux01
2008-07-03 20:01 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-07-03 20:01 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-07-03 20:01 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-07-03 20:01 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-07-03 19:49 . 2008-07-03 20:22 <DIR> d-------- C:\Program Files\The Witcher
2008-06-20 13:40 . 2008-06-20 13:40 90,073 --a------ C:\WINDOWS\system32\iftuyszv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 10:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 10:02 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-03 09:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-01 14:34 --------- d-----w C:\Documents and Settings\leanneb\Application Data\Orbit
2008-02-28 02:19 44,184 ----a-w C:\Documents and Settings\leanneb\Application Data\GDIPFONTCACHEV1.DAT
2007-04-22 23:51 8,852,094 ----a-w C:\Program Files\stk-WW-10001.exe
2007-04-13 15:40 25,980,320 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-03-09 09:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_17.21.18.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 07:07:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 01:29:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-02 08:55:39 73,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-04 07:43:59 73,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-02 08:55:39 447,990 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-04 07:43:59 447,990 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:26 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 15:42 401491]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 13:31 68856]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 15:21 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-05-06 14:52 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-05-06 14:48 118784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 22:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 20:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-17 16:23 8478720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-02 19:26 185896]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-12 20:22 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-17 16:23 81920]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 11:36 229376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2008-07-04 17:30 1064400]
"nwiz"="nwiz.exe" [2007-08-17 16:23 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:26 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cscript" [X]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-08-04 15:13:08 1474576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-02-02 19:22:51 124912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\REPLAY~1\iac25_32.ax
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Domain_policy.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Download

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-12 20:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
\Shell\AutoRun\command - E:\Installer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 12:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-05 01:30:43 C:\WINDOWS\Tasks\CSIRO IT Tasks.job"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 11:37:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-05 11:38:44
ComboFix-quarantined-files.txt 2008-07-05 01:38:28
ComboFix2.txt 2008-07-04 07:21:53

Pre-Run: 15,862,337,536 bytes free
Post-Run: 15,876,747,264 bytes free

217 --- E O F --- 2007-11-17 11:17:48

---------------------------------------------------------------------------------------------------------------------------------------------------------------


Here is the hijackthis log

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Run by leanneb on 2008-07-05 11:39:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as leanneb.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:24 AM, on 5/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\leanneb\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\leanneb.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csiro.au/intranet/index.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.csiro.au/intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Movies Extractor Scout - {E4296A88-6900-46A9-8473-84768BB7FFAF} - C:\Program Files\Movies Extractor Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O17 - HKLM\Software\..\Telephony: DomainName = nexus.csiro.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nexus.csiro.au
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

--
End of file - 10257 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 11:38:57 11264 --a------ C:\WINDOWS\y.exe
2008-07-05 11:38:56 24064 --a------ C:\WINDOWS\xplugin.dll
2008-07-05 11:38:56 29696 --a------ C:\WINDOWS\x.exe
2008-07-05 11:38:56 22272 --a------ C:\WINDOWS\winmgnt.exe
2008-07-05 11:38:56 29440 --a------ C:\WINDOWS\window.exe
2008-07-05 11:38:56 9472 --a------ C:\WINDOWS\winajbm.dll
2008-07-05 11:38:55 20992 --a------ C:\WINDOWS\win64.exe
2008-07-05 11:38:55 16384 --a------ C:\WINDOWS\win32e.exe
2008-07-05 11:38:55 28928 --a------ C:\WINDOWS\waol.exe
2008-07-05 11:38:55 17408 --a------ C:\WINDOWS\users32.exe
2008-07-05 11:38:55 29952 --a------ C:\WINDOWS\time.exe
2008-07-05 11:38:55 19968 --a------ C:\WINDOWS\systemcritical.exe
2008-07-05 11:38:55 20992 --a------ C:\WINDOWS\systeem.exe
2008-07-05 11:38:54 27136 --a------ C:\WINDOWS\svcinit.exe
2008-07-05 11:38:54 30208 --a------ C:\WINDOWS\svchost32.exe
2008-07-05 11:38:54 27904 --a------ C:\WINDOWS\sistem.exe
2008-07-05 11:38:54 31744 --a------ C:\WINDOWS\searchword.dll
2008-07-05 11:38:52 14848 --a------ C:\WINDOWS\rundll16.exe
2008-07-05 11:38:52 27136 --a------ C:\WINDOWS\quicken.exe
2008-07-05 11:38:51 27904 --a------ C:\WINDOWS\qttasks.exe
2008-07-05 11:38:51 30464 --a------ C:\WINDOWS\olehelp.exe
2008-07-05 11:38:51 15616 --a------ C:\WINDOWS\notepad32.exe
2008-07-05 11:38:51 25088 --a------ C:\WINDOWS\mtwirl32.dll
2008-07-05 11:38:51 29696 --a------ C:\WINDOWS\mswsc20.dll
2008-07-05 11:38:50 8192 --a------ C:\WINDOWS\mswsc10.dll
2008-07-05 11:38:50 20992 --a------ C:\WINDOWS\msupdate.exe
2008-07-05 11:38:50 11264 --a------ C:\WINDOWS\mssys.exe
2008-07-05 11:38:50 20480 --a------ C:\WINDOWS\msspi.dll
2008-07-05 11:38:50 9728 --a------ C:\WINDOWS\msconfd.dll
2008-07-05 11:38:50 24320 --a------ C:\WINDOWS\loader.exe
2008-07-05 11:38:49 11264 --a------ C:\WINDOWS\internet.exe
2008-07-05 11:38:49 27904 --a------ C:\WINDOWS\inetinf.exe
2008-07-05 11:38:49 30208 --a------ C:\WINDOWS\iexplorer.exe
2008-07-05 11:38:48 25088 --a------ C:\WINDOWS\iedll.exe
2008-07-05 11:38:48 22016 --a------ C:\WINDOWS\helpcvs.exe
2008-07-05 11:38:48 0 d-------- C:\Temp
2008-07-05 11:38:47 24576 --a------ C:\WINDOWS\gfmnaaa.dll
2008-07-05 11:38:47 23040 --a------ C:\WINDOWS\funny.exe
2008-07-05 11:38:46 20480 --a------ C:\WINDOWS\funniest.exe
2008-07-05 11:38:46 11264 --a------ C:\WINDOWS\explorer32.exe
2008-07-05 11:38:46 24064 --a------ C:\WINDOWS\explore.exe
2008-07-05 11:38:46 13824 --a------ C:\WINDOWS\editpad.exe
2008-07-05 11:38:46 32256 --a------ C:\WINDOWS\dnsrelay.dll
2008-07-05 11:38:45 16384 --a------ C:\WINDOWS\directx32.exe
2008-07-05 11:38:45 11520 --a------ C:\WINDOWS\ctrlpan.dll
2008-07-05 11:38:45 19456 --a------ C:\WINDOWS\ctfmon32.exe
2008-07-05 11:38:45 13312 --a------ C:\WINDOWS\cpan.dll
2008-07-05 11:38:45 27136 --a------ C:\WINDOWS\clrssn.exe
2008-07-05 11:38:44 15872 --a------ C:\WINDOWS\avpcc.dll
2008-07-05 11:38:44 30720 --a------ C:\WINDOWS\accesss.exe
2008-07-04 17:43:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 17:42:47 0 d-------- C:\Program Files\Spyware Doctor
2008-07-04 17:42:47 0 d-------- C:\Documents and Settings\leanneb\Application Data\PC Tools
2008-07-04 17:30:16 1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-04 17:30:12 0 d-------- C:\Program Files\SpyNoMore
2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-04 17:15:09 0 d-------- C:\Program Files\Trend Micro
2008-07-04 16:59:42 68096 --a------ C:\WINDOWS\zip.exe
2008-07-04 16:59:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-04 16:59:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-04 16:59:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-04 16:59:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-04 16:59:42 98816 --a------ C:\WINDOWS\sed.exe
2008-07-04 16:59:42 80412 --a------ C:\WINDOWS\grep.exe
2008-07-04 16:59:42 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-04 16:41:20 0 d-------- C:\Program Files\IObit
2008-07-03 23:55:06 0 d-------- C:\WINDOWS\system32\pRI
2008-07-03 23:55:03 0 d-------- C:\WINDOWS\system32\yrt
2008-07-03 23:54:56 0 d-------- C:\WINDOWS\system32\modtrux01
2008-07-03 19:49:39 0 d-------- C:\Program Files\The Witcher
2008-06-20 13:40:58 90073 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media>


-- Find3M Report ---------------------------------------------------------------

2008-07-04 17:30:09 0 d-------- C:\Program Files\Common Files
2008-07-03 20:22:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 00:34:01 0 d-------- C:\Documents and Settings\leanneb\Application Data\Orbit


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/05/2004 02:52 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/05/2004 02:48 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 07:04 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 12:04 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03/08/2004 10:32 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [23/08/2001 10:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 10:31 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 10:32 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 08:00 PM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [07/10/2003 09:48 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/08/2007 04:23 PM]
"nwiz"="nwiz.exe" [17/08/2007 04:23 PM C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/02/2007 07:26 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [12/02/2008 08:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/08/2007 04:23 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [15/06/2006 11:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 10:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [04/07/2008 05:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:26 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03/02/2004 03:42 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/04/2007 01:31 PM]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 03:21 PM]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [4/08/2005 3:13:08 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/02/2007 7:22:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Domain_policy.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
AutoRun\command- E:\Installer.exe




-- End of Deckard's System Scanner: finished at 2008-07-05 11:39:49 ------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------

#4 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 05 July 2008 - 12:04 AM

Hi,

I unfortunately do not have the Windows XP install disc on me and as such haven't installed the Windows Recovery Console

Not sure if you have read the instructions on the Combofix page, but it also says there:

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:....

So read from there and perform the instructions on how to install the Recovery Console with ComboFix.

Also, did you purchase SpyNoMore? If not, then uninstall it.

Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\iftuyszv.exe
Folder::
C:\WINDOWS\system32\yrt
C:\WINDOWS\system32\pRI
C:\WINDOWS\system32\modtrux01
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
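The script above targets the persistence points visible in the logs: the Userinit chain that launches iftuyszv.exe after userinit.exe, the DisableTaskMgr policies under HKLM and HKCU, the Run entry whose "Adobe" path contains characters the log could not render (printed as "?"), and the AutoRun handler bound to a removable drive. As an added example that is not part of this thread or its helper's tooling, here is a small Python triage of a ComboFix/DSS-style "Reg Loading Points" dump that flags those same items; the log text is constructed to mirror the lines posted.

```python
"""Triage a ComboFix / DSS-style registry dump for the persistence tricks
seen in this thread.  Added example, not the thread's own tooling."""
import ntpath
import re

# Constructed sample, modelled on the registry dump posted in the thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:26 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
\Shell\AutoRun\command - E:\Installer.exe
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
QUOTED_RE = re.compile(r'^"(?P<val>(?:[^"\\]|\\.)*)"')
# ComboFix prints mountpoints2 handlers as '\Shell\AutoRun\command - <cmd>',
# DSS as 'AutoRun\command- <cmd>'; this matches both.
AUTORUN_RE = re.compile(r'AutoRun\\command\s*-\s*(?P<cmd>.+?)\s*$', re.IGNORECASE)


def _unquote(rest):
    """Return the data part of a REGEDIT4-style value without the trailing
    '[date size]' annotation; doubled backslashes are collapsed so escaped
    and unescaped paths compare the same."""
    m = QUOTED_RE.match(rest)
    if m:
        return m.group('val').replace('\\\\', '\\')
    return rest.strip()


def parse_reg_dump(text):
    """Yield (key, name, data) for each value line under its [key] header,
    plus (key, 'AutoRun\\command', cmd) for mountpoints2 AutoRun handlers."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        if key is None:
            continue
        vm = VALUE_RE.match(line)
        if vm:
            yield key, vm.group('name'), _unquote(vm.group('rest'))
            continue
        am = AUTORUN_RE.search(line)
        if am:
            yield key, 'AutoRun\\command', am.group('cmd')


def triage(text):
    """Return (category, key, detail) findings for the indicators discussed
    in the thread.  Categories: userinit-chain, taskmgr-disabled,
    run-lookalike, autorun-handler."""
    findings = []
    for key, name, data in parse_reg_dump(text):
        lkey, lname = key.lower(), name.lower()
        if lkey.endswith('\\winlogon') and lname == 'userinit':
            # Only userinit.exe belongs here; anything else is chained in.
            for entry in (e.strip() for e in data.split(',')):
                if entry and ntpath.basename(entry).lower() != 'userinit.exe':
                    findings.append(('userinit-chain', key, entry))
        elif lkey.endswith('policies\\system') and lname == 'disabletaskmgr':
            if data.split()[0].lower() not in ('0', 'dword:00000000'):
                findings.append(('taskmgr-disabled', key, data))
        elif lkey.endswith('\\run') or lkey.endswith('\\runonce'):
            # '?' marks characters the console code page could not render,
            # typical of lookalike folder names masquerading as vendor paths.
            if '?' in data:
                findings.append(('run-lookalike', key, f'{name} -> {data}'))
        elif 'mountpoints2' in lkey and lname == 'autorun\\command':
            findings.append(('autorun-handler', key, data))
    return findings


if __name__ == '__main__':
    for cat, key, detail in triage(SAMPLE_LOG):
        print(f'{cat:17} {detail}    ({key})')
```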

#5 Answerer (Topic Starter, Members, 5 posts)

Posted 05 July 2008 - 05:38 AM

Many thanks for the assistance; after running ComboFix with your changes my system appears to be back to normal now. Here's the ComboFix and HijackThis log just in case, but I just wanted to say thanks so much for your fast and effective response.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 08-07-03.3 - leanneb 2008-07-05 20:28:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT 10:00]
Running from: C:\Documents and Settings\leanneb\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\leanneb\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\iftuyszv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\modtrux01
C:\WINDOWS\system32\modtrux01\modtrux011065.exe
C:\WINDOWS\system32\pRI
C:\WINDOWS\system32\pRI\kscomdll3.exe
C:\WINDOWS\system32\yrt
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-05 20:29 . 2008-07-05 20:29 <DIR> d-------- C:\Temp
2008-07-04 17:43 . 2008-07-05 20:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-04 17:42 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-07-04 17:30 . 2008-07-04 17:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-04 17:30 . 2008-07-04 17:30 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-04 17:15 . 2008-07-04 17:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 17:11 . 2008-07-04 17:11 <DIR> d-------- C:\Deckard
2008-07-04 16:41 . 2008-07-04 16:41 <DIR> d-------- C:\Program Files\IObit
2008-07-03 20:01 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-07-03 20:01 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-07-03 20:01 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-07-03 20:01 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-07-03 19:49 . 2008-07-03 20:22 <DIR> d-------- C:\Program Files\The Witcher

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-03 10:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 10:02 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-01 14:34 --------- d-----w C:\Documents and Settings\leanneb\Application Data\Orbit
2008-02-28 02:19 44,184 ----a-w C:\Documents and Settings\leanneb\Application Data\GDIPFONTCACHEV1.DAT
2007-04-22 23:51 8,852,094 ----a-w C:\Program Files\stk-WW-10001.exe
2007-04-13 15:40 25,980,320 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-03-09 09:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_17.21.18.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 07:07:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 10:15:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-02 08:55:39 73,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-05 01:46:24 73,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-02 08:55:39 447,990 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-05 01:46:24 447,990 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" [?]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:26 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 15:42 401491]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 13:31 68856]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 15:21 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-05-06 14:52 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-05-06 14:48 118784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 22:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 20:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-17 16:23 8478720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-02 19:26 185896]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-12 20:22 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-17 16:23 81920]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 11:36 229376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"nwiz"="nwiz.exe" [2007-08-17 16:23 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:26 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2005-08-04 15:13:08 1474576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-02-02 19:22:51 124912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\REPLAY~1\iac25_32.ax
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Domain_policy.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Download

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-12 20:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
\Shell\AutoRun\command - E:\Installer.exe

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 12:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-05 10:15:57 C:\WINDOWS\Tasks\CSIRO IT Tasks.job"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 20:29:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-05 20:30:35
ComboFix-quarantined-files.txt 2008-07-05 10:30:06
ComboFix2.txt 2008-07-05 10:25:47
ComboFix3.txt 2008-07-05 01:38:45
ComboFix4.txt 2008-07-04 07:21:53

Pre-Run: 15,841,226,752 bytes free
Post-Run: 15,824,912,384 bytes free

210 --- E O F --- 2007-11-17 11:17:48
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here's the HijackThis log

---------------------------------------------------------------------------------------------------------------------------------------------------------------------
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [12/02/2008 08:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/08/2007 04:23 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [15/06/2006 11:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 10:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:26 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03/02/2004 03:42 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/04/2007 01:31 PM]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 03:21 PM]
"Yghw"="C:\Program Files\Common Files\?dobe\j?vaw.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [4/08/2005 3:13:08 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/02/2007 7:22:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Domain_policy.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1724584-c27a-11dc-88f2-806d6172696f}]
AutoRun\command- E:\Installer.exe

*Newly Created Service* - ENTDRV51



-- End of Deckard's System Scanner: finished at 2008-07-05 20:35:57 ------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thank you miekiemoes and thank you bleeping computer forums.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:30 AM

Posted 05 July 2008 - 12:14 PM

Hi,

Check and fix the next entry in HijackThis:

O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
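Why that O4 entry is worth flagging, as an added detection example that is not part of the reply: the O4 lines below are constructed (the first mirrors the posted entry, the third shows the same path as a Unicode-aware tool would print it), and the code flags any autostart path containing '?' (not a legal NTFS filename character, so the assumption is that HijackThis is showing a non-ASCII character its ANSI output cannot render) or any character above 0x7F, naming it so a homoglyph such as Cyrillic 'а' for Latin 'a' is visible at a glance.

```python
import re
import unicodedata

# Constructed HijackThis O4 lines. The first mirrors the entry quoted above; the second is a
# benign entry from the same log; the third is what the first path looks like in a
# Unicode-aware tool, with Cyrillic А (U+0410) and а (U+0430) standing in for Latin letters.
SAMPLE_O4 = [
    r'O4 - HKCU\..\Run: [Yghw] "C:\Program Files\Common Files\?dobe\j?vaw.exe"',
    r'O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
    'O4 - HKCU\\..\\Run: [Yghw] "C:\\Program Files\\Common Files\\\u0410dobe\\j\u0430vaw.exe"',
]

# O4 - <hive\..\Run>: [<value name>] "<path>"  (quotes around the path are optional)
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+)"?')


def suspicious_chars(path):
    """Return (position, description) for every character that should not appear in an
    honest autostart path: '?' (illegal in NTFS names, so the ANSI log could not render the
    real character) and anything above 0x7F, reported with its Unicode name."""
    hits = []
    for pos, ch in enumerate(path):
        if ch == "?":
            hits.append((pos, "unrenderable character shown as '?'"))
        elif ord(ch) > 0x7F:
            hits.append((pos, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNKNOWN"))))
    return hits


def triage_o4(lines):
    """Parse HijackThis O4 lines and return one record per entry with its hits and a verdict."""
    records = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue  # not an O4 line; other HijackThis sections are out of scope here
        hits = suspicious_chars(m.group("path"))
        records.append({"hive": m.group("hive"), "name": m.group("name"),
                        "path": m.group("path"), "hits": hits,
                        "verdict": "inspect" if hits else "ok"})
    return records


if __name__ == "__main__":
    for rec in triage_o4(SAMPLE_O4):
        print(rec["verdict"], rec["name"], rec["path"])
        for pos, why in rec["hits"]:
            print("   offset %d: %s" % (pos, why))
```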

#7 Answerer

Answerer
  • Topic Starter

  • Members
  • 5 posts
  • Local time:09:30 PM

Posted 06 July 2008 - 07:22 AM

Cheers, I made all the changes you suggested and uninstalled ComboFix; the computer's working like a charm :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:30 AM

Posted 06 July 2008 - 08:24 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:30 AM

Posted 11 July 2008 - 02:53 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.