
Help Appreciated


  • This topic is locked
17 replies to this topic

#1 Fhjull

Fhjull

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:15 AM

Posted 20 July 2006 - 07:07 PM

My problem is that I've inadvertently installed some software that was literally jam-packed with Trojan downloaders and other spyware nasties. Yes I know, I'm an idiot. I've run Spybot, Ad-Aware, AVG and HouseCall, which found and rooted out a lot of stuff, but I'm still getting random popup ads.

Would appreciate any input on this; I have very little knowledge in this matter.
Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:29 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Franco\Mes documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rfxtg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dafwqtg.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmtgcn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Franco\Local Settings\Temp\{A717E9CD-5EFB-4ECB-9F58-0BB93CD089DA}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD12732F-37EA-4DC1-B7D6-125D20E43DB9}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by Fhjull, 20 July 2006 - 07:17 PM.
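The HijackThis log above carries three entry types a helper reads first: the F2 Shell/UserInit overrides (an extra executable started at every logon), the O17 NameServer entries (all network interfaces pointed at resolvers the owner never configured) and the O18 text/html filter (a DLL that sees every page Internet Explorer renders). The triage script below is an added example, not part of the thread or of HijackThis; it flags those entry types over lines copied from the log above. The trusted-resolver set is an assumption; a home router on private address space is accepted as local.

```python
import ipaddress
import re
from dataclasses import dataclass

# Stock values for Windows XP SP2, the platform named in the log header.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Resolvers the machine's owner is known to use. This set is an assumption for the
# example; private, loopback and link-local addresses (a home router) are also accepted.
TRUSTED_RESOLVERS = {"192.168.1.1"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - \{[0-9A-Fa-f-]+\} - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2"
    reason: str    # why the line is suspicious
    line: str      # the original log line


def _is_local(ip) -> bool:
    return ip.is_private or ip.is_loopback or ip.is_link_local


def check_line(line: str):
    """Return a Finding for a risky HijackThis line, or None if nothing stands out."""
    line = line.strip()
    m = F2_RE.match(line)
    if m:
        key, value = m.groups()
        # Shell= and UserInit= are comma-separated lists; anything beyond the stock
        # entry is an extra program launched at every logon.
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        expected = EXPECTED_SHELL if key == "Shell" else EXPECTED_USERINIT
        extra = [p for p in parts if p != expected]
        if extra:
            return Finding("F2", f"{key} starts extra program(s) at logon: {', '.join(extra)}", line)
        return None
    m = O17_RE.match(line)
    if m:
        # NameServer values appear both comma- and space-separated in the log.
        bad = []
        for token in re.split(r"[,\s]+", m.group(1).strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                bad.append(token)
                continue
            if not _is_local(ip) and str(ip) not in TRUSTED_RESOLVERS:
                bad.append(token)
        if bad:
            return Finding("O17", f"DNS resolvers outside the trusted set: {', '.join(bad)}", line)
        return None
    m = O18_RE.match(line)
    if m and m.group(1).lower() == "text/html":
        # A MIME filter for text/html is handed every HTML page IE loads.
        return Finding("O18", f"text/html MIME filter {m.group(2)} sees every page IE renders", line)
    return None


def triage(log_text: str) -> list:
    """Run check_line over a whole log and return the findings in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: lines copied from the HijackThis log posted above, plus two benign ones.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rfxtg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dafwqtg.exe
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```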



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:15 AM

Posted 20 July 2006 - 07:25 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Fhjull

Fhjull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:15 AM

Posted 20 July 2006 - 07:39 PM

Here is the log from ComboFix:

Start Time= Thu 07/20/2006 20:36:52.57
Running from: C:\Documents and Settings\Franco\Bureau

(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Franco\Application Data\Sskcwrd.dll
C:\Documents and Settings\Franco\Application Data\Sskknwrd.dll
C:\Documents and Settings\Franco\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Franco\Local Settings\Temporary Internet Files\Ssk.log
C:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



20:33:37.28
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



72 Rép(s) 24,608,358,400 C:\Program Files\octets libres
22 Rép(s) 24,608,358,400 C:\Documents and Settings\Franco\Application Data\octets libres
2006-07-20 19:35 36,864 C:\WINDOWS\system32\tdopsxxl.exe
2006-07-20 19:32 <REP> C:\Program Files\fichiers communs
2006-07-20 19:31 <REP> C:\Program Files\cowabanga
2006-07-20 19:26 32,976 C:\WINDOWS\system32\uninsticn.exe
2006-07-20 17:46 24,576 C:\WINDOWS\system32ssec.exe
2006-07-20 17:27 776,096 C:\WINDOWS\system32\drivers\avg7core.sys
2006-07-20 17:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-20 17:27 4,992 C:\WINDOWS\system32\drivers\avgtdi.sys
2006-07-20 17:27 4,288 C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-20 17:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-20 17:27 27,776 C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-20 17:27 23,424 C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-20 17:27 <REP> C:\Program Files\grisoft
2006-07-20 17:27 <REP> C:\Documents and Settings\Franco\Application Data\microsoft
2006-07-20 17:27 <REP> C:\Documents and Settings\Franco\Application Data\avg7
2006-07-20 16:18 <REP> C:\Program Files\curerom
2006-07-20 16:17 405,504 C:\WINDOWS\system32\irsmtgcn.dll
2006-07-20 16:17 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-07-20 16:17 114,688 C:\WINDOWS\system32\irssyncd.exe
2006-07-20 16:15 156,672 C:\WINDOWS\system32\oins.exe
2006-07-20 16:15 129,649 C:\WINDOWS\elpp100drop.exe
2006-07-20 16:15 <REP> C:\Program Files\elticons
2006-07-20 16:15 <REP> C:\Program Files\acco
2006-07-20 16:14 57,344 C:\WINDOWS\kiuj0v.exe
2006-07-20 16:14 53,248 C:\WINDOWS\system32\inicfg32.dll
2006-07-20 16:14 45,056 C:\WINDOWS\zuckdha.exe
2006-07-20 16:14 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-20 16:14 380,928 C:\WINDOWS\system32\winnb58.dll
2006-07-20 16:14 36,864 C:\WINDOWS\thiselt.exe
2006-07-20 16:14 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-20 16:14 319,294 C:\WINDOWS\yoinsi.exe
2006-07-20 16:14 303,104 C:\WINDOWS\system32\winnb57.dll
2006-07-20 16:14 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-20 16:14 28,672 C:\WINDOWS\system32\hvzead7v.exe
2006-07-20 16:14 226,536 C:\WINDOWS\whcc-giant.exe
2006-07-20 16:14 102,400 C:\WINDOWS\mirar.exe
2006-07-20 16:14 0 C:\Documents and Settings\Franco\Application Data\internaldb41.dat
2006-07-20 15:55 <REP> C:\Program Files\rockstar games
2006-07-20 15:55 <REP> C:\Program Files\installshield installation information
2006-07-20 15:42 <REP> C:\Documents and Settings\Franco\Application Data\utorrent
2006-07-20 13:08 <REP> C:\Program Files\mirc
2006-07-19 22:08 <REP> C:\Documents and Settings\Franco\Application Data\my games
2006-07-19 22:04 170 C:\WINDOWS\wininit.ini
2006-07-19 22:04 <REP> C:\Program Files\mozilla firefox
2006-07-19 04:49 <REP> C:\Program Files\soulseek-test
2006-07-17 20:13 <REP> C:\Documents and Settings\Franco\Application Data\macromedia
2006-07-17 17:28 287 C:\WINDOWS\game.ini
2006-07-17 17:22 <REP> C:\Program Files\activision
2006-07-17 15:28 <REP> C:\Program Files\winrar
2006-07-17 14:14 <REP> C:\Program Files\microsoft games
2006-07-17 03:57 23 C:\WINDOWS\blendsettings.ini
2006-07-14 23:14 <REP> C:\Program Files\spybot - search & destroy
2006-07-14 20:14 <REP> C:\Documents and Settings\Franco\Application Data\mozilla
2006-07-14 19:43 4,517 C:\WINDOWS\rdt.ini
2006-07-14 19:42 3,117 C:\WINDOWS\system32\{313f2786-67c0-424b-9f55-90801d86f182}.exe
2006-07-13 15:13 36,864 C:\WINDOWS\system32\ahnciup.exe
2006-07-12 19:23 <REP> C:\Program Files\photo_resizer_pro
2006-07-11 00:47 98,304 C:\WINDOWS\system32\cmdlineext.dll
2006-07-09 00:53 <REP> C:\Program Files\ffdshow
2006-07-09 00:36 <REP> C:\Program Files\quicktime alternative
2006-07-09 00:36 <REP> C:\Documents and Settings\Franco\Application Data\apple computer
2006-07-09 00:35 <REP> C:\Program Files\quicktime
2006-07-07 23:54 <REP> C:\Program Files\ubi soft
2006-07-07 13:03 951,946 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-06 20:01 <REP> C:\Program Files\diablo ii
2006-07-06 19:31 21,840 C:\WINDOWS\system32\sintfnt.dll
2006-07-06 19:31 17,212 C:\WINDOWS\system32\sintf32.dll
2006-07-06 19:31 12,067 C:\WINDOWS\system32\sintf16.dll
2006-07-06 19:22 3,563 C:\WINDOWS\ascd_tmp.ini
2006-07-06 17:18 <REP> C:\Program Files\gl excess
2006-07-06 16:10 <REP> C:\Program Files\realtek ac97
2006-07-06 13:59 <REP> C:\Program Files\difx
2006-07-04 13:17 <REP> C:\Program Files\uoam
2006-07-04 13:11 <REP> C:\Program Files\ultima online
2006-07-04 13:01 <REP> C:\Program Files\razor
2006-07-04 02:26 <REP> C:\Program Files\internet explorer
2006-07-03 00:11 <REP> C:\Program Files\Fichiers communs\installshield
2006-07-02 23:25 <REP> C:\Program Files\limewire
2006-07-02 21:19 <REP> C:\Program Files\lucasarts
2006-07-02 14:42 <REP> C:\Program Files\ubisoft
2006-07-02 13:58 <REP> C:\Program Files\google
2006-07-02 13:33 <REP> C:\Program Files\java
2006-07-02 13:33 <REP> C:\Documents and Settings\Franco\Application Data\sun
2006-07-02 13:33 <REP> C:\Documents and Settings\Franco\Application Data\google
2006-07-01 18:29 <REP> C:\Program Files\stardock
2006-07-01 01:14 <REP> C:\Program Files\bethesda softworks
2006-06-30 20:46 <REP> C:\Program Files\lavasoft
2006-06-30 20:46 <REP> C:\Documents and Settings\Franco\Application Data\lavasoft
2006-06-30 18:35 <REP> C:\Program Files\Fichiers communs\java
2006-06-30 16:17 <REP> C:\Program Files\firaxis games
2006-06-30 16:15 <REP> C:\Program Files\poweriso
2006-06-30 16:14 34,308 C:\WINDOWS\system32\bassmod.dll
2006-06-30 15:16 359,040 C:\WINDOWS\system32\drivers\tcpip.sys
2006-06-28 03:06 <REP> C:\Documents and Settings\Franco\Application Data\real
2006-06-27 18:18 <REP> C:\Program Files\bandwidth monitor pro
2006-06-22 15:58 <REP> C:\Documents and Settings\Franco\Application Data\help
2006-06-22 14:30 <REP> C:\Program Files\Fichiers communs\adobe
2006-06-22 14:30 <REP> C:\Program Files\adobe
2006-06-22 14:30 <REP> C:\Documents and Settings\Franco\Application Data\intertrust
2006-06-22 14:30 <REP> C:\Documents and Settings\Franco\Application Data\adobe
2006-06-22 02:47 <REP> C:\Program Files\real alternative
2006-06-22 02:47 <REP> C:\Program Files\media player classic
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-20 17:12 94,208 C:\WINDOWS\diiunin.exe
2006-06-19 16:50 <REP> C:\Program Files\duke3d atomic winxp
2006-06-18 23:40 43,520 C:\WINDOWS\system32\drivers\amdk8.sys
2006-06-18 22:26 <REP> C:\Program Files\thrixxx
2006-06-16 19:01 223,128 C:\WINDOWS\system32\drivers\dtscsi.sys
2006-06-16 19:01 <REP> C:\Program Files\daemon tools
2006-06-16 19:00 96,256 C:\WINDOWS\system32\drivers\sptd2397.sys
2006-06-16 19:00 642,560 C:\WINDOWS\system32\drivers\sptd.sys
2006-06-12 21:48 <REP> C:\Program Files\msn messenger
2006-06-10 23:57 <REP> C:\Program Files\voyage of columbus 3d screensaver
2006-06-10 23:57 <REP> C:\Program Files\3planesoft screensaver manager
2006-06-10 22:56 <REP> C:\Program Files\galleon 3d screensaver
2006-06-10 02:28 <REP> C:\Documents and Settings\Franco\Application Data\acd systems
2006-06-10 02:27 <REP> C:\Program Files\Fichiers communs\acd systems
2006-06-10 02:27 <REP> C:\Program Files\acd systems
2006-06-09 02:02 <REP> C:\Program Files\winamp
2006-06-08 15:05 <REP> C:\Program Files\black isle
2006-06-08 13:25 <REP> C:\Documents and Settings\Franco\Application Data\fltk.org
2006-06-08 11:41 626,688 C:\WINDOWS\system32\dfxg11.dll
2006-06-08 11:41 <REP> C:\Program Files\dfx
2006-06-07 23:36 <REP> C:\Documents and Settings\Franco\Application Data\media player classic
2006-06-07 22:56 <REP> C:\Documents and Settings\Franco\Application Data\cyberlink
2006-06-07 20:58 <REP> C:\Documents and Settings\Franco\Application Data\leadertech
2006-06-07 20:54 <REP> C:\Program Files\novalogic
2006-06-07 19:40 <REP> C:\Program Files\cyberlink
2006-06-07 19:38 <REP> C:\Program Files\uninstall information
2006-06-07 19:38 <REP> C:\Program Files\Fichiers communs\microsoft shared
2006-06-07 19:38 <REP> C:\Documents and Settings\Franco\Application Data\identities
2006-06-07 19:21 477 C:\WINDOWS\win.ini
2006-06-07 19:21 4,205 C:\WINDOWS\odbcinst.ini
2006-06-07 19:21 0 C:\WINDOWS\control.ini
2006-06-07 19:21 0 C:\msdos.sys
2006-06-07 19:21 <REP> C:\Program Files\xerox
2006-06-07 19:21 <REP> C:\Program Files\windows media player
2006-06-07 19:21 <REP> C:\Program Files\microsoft frontpage
2006-06-07 19:20 <REP> C:\Program Files\windowsupdate
2006-06-07 19:20 <REP> C:\Program Files\services en ligne
2006-06-07 19:19 <REP> C:\Program Files\outlook express
2006-06-07 19:19 <REP> C:\Program Files\netmeeting
2006-06-07 19:19 <REP> C:\Program Files\movie maker
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\system
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\services
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\mssoap
2006-06-07 19:18 37 C:\WINDOWS\vbaddin.ini
2006-06-07 19:18 36 C:\WINDOWS\vb.ini
2006-06-07 19:18 <REP> C:\Program Files\windows nt
2006-06-07 19:18 <REP> C:\Program Files\online services
2006-06-07 19:18 <REP> C:\Program Files\msn gaming zone
2006-06-07 19:18 <REP> C:\Program Files\messenger
2006-06-07 19:18 <REP> C:\Program Files\complus applications
2006-06-07 19:17 <REP> C:\Program Files\msn
2006-06-07 15:15 231 C:\WINDOWS\system.ini
2006-06-07 15:10 62 C:\Documents and Settings\Franco\Application Data\desktop.ini
2006-06-07 15:10 <REP> C:\Program Files\Fichiers communs\speechengines
2006-06-07 15:10 <REP> C:\Program Files\Fichiers communs\odbc
2006-06-02 17:03 16,966,144 C:\WINDOWS\system32\voyage of columbus 3d screensaver.exe
2006-06-01 19:09 208,896 C:\WINDOWS\system32\nvuninst.exe
2006-06-01 17:22 888,832 C:\WINDOWS\system32\nvmobls.dll
2006-06-01 17:22 86,016 C:\WINDOWS\system32\nvmctray.dll
2006-06-01 17:22 81,920 C:\WINDOWS\system32\nvwddi.dll
2006-06-01 17:22 794,624 C:\WINDOWS\system32\nvcplui.exe
2006-06-01 17:22 7,618,560 C:\WINDOWS\system32\nvcpl.dll
2006-06-01 17:22 581,632 C:\WINDOWS\system32\nvhwvid.dll
2006-06-01 17:22 5,652,480 C:\WINDOWS\system32\nvdisps.dll
2006-06-01 17:22 5,632,000 C:\WINDOWS\system32\nvoglnt.dll
2006-06-01 17:22 5,246,976 C:\WINDOWS\system32\nvdispsr.dll
2006-06-01 17:22 466,944 C:\WINDOWS\system32\nvshell.dll
2006-06-01 17:22 462,848 C:\WINDOWS\system32\nvmccssr.dll
2006-06-01 17:22 45,056 C:\WINDOWS\system32\nvmccsrs.dll
2006-06-01 17:22 442,368 C:\WINDOWS\system32\nvappbar.exe
2006-06-01 17:22 425,984 C:\WINDOWS\system32\keystone.exe
2006-06-01 17:22 4,529,408 C:\WINDOWS\system32\nv4_disp.dll
2006-06-01 17:22 35,840 C:\WINDOWS\system32\nvcodins.dll
2006-06-01 17:22 35,840 C:\WINDOWS\system32\nvcod.dll
2006-06-01 17:22 311,296 C:\WINDOWS\system32\nvexpbar.dll
2006-06-01 17:22 3,925,920 C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-06-01 17:22 3,100,672 C:\WINDOWS\system32\nvgames.dll
2006-06-01 17:22 286,720 C:\WINDOWS\system32\nvnt4cpl.dll
2006-06-01 17:22 229,376 C:\WINDOWS\system32\nvmccs.dll
2006-06-01 17:22 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-01 17:22 2,977,792 C:\WINDOWS\system32\nvvitvsr.dll
2006-06-01 17:22 2,924,544 C:\WINDOWS\system32\nvvitvs.dll
2006-06-01 17:22 2,916,352 C:\WINDOWS\system32\nvgamesr.dll
2006-06-01 17:22 2,859,008 C:\WINDOWS\system32\nvmoblsr.dll
2006-06-01 17:22 196,608 C:\WINDOWS\system32\nvapi.dll
2006-06-01 17:22 188,416 C:\WINDOWS\system32\nvmccss.dll
2006-06-01 17:22 155,715 C:\WINDOWS\system32\nvsvc32.exe
2006-06-01 17:22 147,456 C:\WINDOWS\system32\nvcolor.exe
2006-06-01 17:22 1,740,800 C:\WINDOWS\system32\nvwssr.dll
2006-06-01 17:22 1,662,976 C:\WINDOWS\system32\nvwdmcpl.dll
2006-06-01 17:22 1,519,616 C:\WINDOWS\system32\nwiz.exe
2006-06-01 17:22 1,466,368 C:\WINDOWS\system32\nview.dll
2006-06-01 17:22 1,339,392 C:\WINDOWS\system32\nvdspsch.exe
2006-06-01 17:22 1,257,472 C:\WINDOWS\system32\nvwss.dll
2006-06-01 17:22 1,019,904 C:\WINDOWS\system32\nvwimg.dll
2006-06-01 17:22 1,011,712 C:\WINDOWS\system32\nvcpluir.dll
2006-06-01 16:09 1,013,760 C:\WINDOWS\system32\voyage_of_columbus_3d_screensaver.scr
2006-05-11 07:18 10,527,232 C:\WINDOWS\system32\rtlcpl.exe
2006-05-03 02:56 127,078 C:\WINDOWS\system32\javaws.exe
2006-05-03 01:19 53,346 C:\WINDOWS\system32\javaw.exe
2006-05-03 01:19 49,248 C:\WINDOWS\system32\java.exe
2006-04-30 09:45 36,864 C:\WINDOWS\system32\frapsvid.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-20 20:33 683 C:\Combo.bat
2006-07-20 17:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-20 17:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-20 16:17 405,504 C:\WINDOWS\system32\irsmtgcn.dll
2006-07-20 16:17 36,864 C:\WINDOWS\system32\tdopsxxl.exe
2006-07-20 16:17 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-07-20 16:17 114,688 C:\WINDOWS\system32\irssyncd.exe
2006-07-20 16:15 156,672 C:\WINDOWS\system32\oins.exe
2006-07-20 16:15 129,649 C:\WINDOWS\elpp100drop.exe
2006-07-20 16:14 57,344 C:\WINDOWS\kiuj0v.exe
2006-07-20 16:14 53,248 C:\WINDOWS\system32\inicfg32.dll
2006-07-20 16:14 45,056 C:\WINDOWS\zuckdha.exe
2006-07-20 16:14 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-20 16:14 380,928 C:\WINDOWS\system32\WinNB58.dll
2006-07-20 16:14 376,832 C:\WINDOWS\876057.exe
2006-07-20 16:14 36,864 C:\WINDOWS\thiselt.exe
2006-07-20 16:14 36,864 C:\WINDOWS\system32\ahnciup.exe
2006-07-20 16:14 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-20 16:14 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-20 16:14 319,294 C:\WINDOWS\YOINSI.exe
2006-07-20 16:14 303,104 C:\WINDOWS\system32\WinNB57.dll
2006-07-20 16:14 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-20 16:14 28,672 C:\WINDOWS\system32\hvzead7v.exe
2006-07-20 16:14 24,576 C:\WINDOWS\system32ssec.exe
2006-07-20 16:14 226,536 C:\WINDOWS\whCC-GIANT.exe
2006-07-20 16:14 142 C:\WINDOWS\aqnvw.dll
2006-07-20 16:14 102,400 C:\WINDOWS\mirar.exe
2006-07-19 22:04 170 C:\WINDOWS\wininit.ini
2006-07-17 17:28 287 C:\WINDOWS\game.ini
2006-07-14 19:43 4,517 C:\WINDOWS\rdt.ini
2006-07-14 19:42 3,117 C:\WINDOWS\system32\{313F2786-67C0-424B-9F55-90801D86F182}.exe
2006-07-07 16:49 36 C:\WINDOWS\iprel.bat
2006-07-07 16:49 34 C:\WINDOWS\ipren.bat
2006-07-07 16:49 29 C:\WINDOWS\ip.bat
2006-07-06 19:23 35,587 C:\WINDOWS\system32\rmlan.exe
2006-07-06 19:23 28,672 C:\WINDOWS\system32\UnLAN.exe
2006-07-06 16:14 60,416 C:\WINDOWS\ALCFDRTM.EXE
2006-07-06 16:10 577,536 C:\WINDOWS\soundman.exe
2006-07-06 16:10 40,960 C:\WINDOWS\system32\ChCfg.exe
2006-07-06 16:10 135,168 C:\WINDOWS\system32\RtlCPAPI.dll
2006-07-06 16:10 10,527,232 C:\WINDOWS\system32\RTLCPL.exe
2006-07-06 16:09 315,392 C:\WINDOWS\alcupd.exe
2006-07-06 16:09 217,088 C:\WINDOWS\alcrmv.exe
2006-07-04 12:36 179,712 C:\WINDOWS\UOUninst.exe
2006-07-02 21:19 299,520 C:\WINDOWS\uninst.exe
2006-07-02 14:45 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-02 14:45 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-02 14:45 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-02 14:45 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-02 14:45 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-02 14:45 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-02 14:45 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-02 14:45 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-02 14:45 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-02 14:45 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-02 14:45 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-02 13:33 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-02 13:33 49,248 C:\WINDOWS\system32\java.exe
2006-07-02 13:33 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-01 14:09 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-07-01 14:09 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-07-01 01:26 23 C:\WINDOWS\BlendSettings.ini
2006-07-01 01:24 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-06-30 16:16 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-06-30 16:14 34,308 C:\WINDOWS\system32\BASSMOD.dll
2006-06-27 18:17 86,016 C:\WINDOWS\unvise32.exe
2006-06-22 14:30 306,688 C:\WINDOWS\IsUninst.exe
2006-06-22 02:47 6,656 C:\WINDOWS\system32\pndx5016.dll
2006-06-22 02:47 5,632 C:\WINDOWS\system32\pndx5032.dll
2006-06-22 02:47 278,528 C:\WINDOWS\system32\pncrt.dll
2006-06-22 02:47 176,167 C:\WINDOWS\system32\rmoc3260.dll
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-20 17:12 94,208 C:\WINDOWS\DIIUnin.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SCDEmuApp.exe"="C:\\Program Files\\PowerISO\\SCDEmuApp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Bandwidth Monitor Pro"="\"C:\\Program Files\\Bandwidth Monitor Pro\\Bandwidth Monitor Pro.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Thu 07/20/2006 20:37:12.73
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt

#4 Fhjull

Fhjull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:15 AM

Posted 21 July 2006 - 12:14 PM

From Spysweeper:

11:36 PM: Removal process completed. Elapsed time 00:00:41
11:36 PM: Preparing to restart your computer. Please wait...
11:36 PM: Warning: Quarantine process could not restart Explorer.
11:36 PM: Warning: Launched explorer.exe
11:36 PM: Failed to quarantine C:\Program Files\Internet Explorer\IEXPLORE.EXE
11:36 PM: Failed to quarantine C:\WINDOWS\explorer.exe
11:36 PM: Failed to quarantine trojan-downloader-ruin
11:36 PM: Warning: Unable to quarantine C:\WINDOWS\explorer.exe. This is a protected operating system file.
11:36 PM: Quarantining All Traces: trojan-downloader-ruin

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:15 AM

Posted 21 July 2006 - 04:36 PM

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


===============


Now I need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.


#6 Fhjull

Fhjull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:15 AM

Posted 21 July 2006 - 06:40 PM

I haven't been experiencing any more popups or any weird activity, but Spy Sweeper still reports Trojan-downloader-ruin as present and is unable to quarantine it. AVG/Ad-Aware/Spybot don't report anything.

L2M-D Log:
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/21/2006 7:15:03 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrateurs - Succeeded



New Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:38:07 PM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Franco\Mes documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dafwqtg.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] "C:\Program Files\PowerISO\SCDEmuApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [dmvni.exe] C:\WINDOWS\system32\dmvni.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Franco\Local Settings\Temp\{A717E9CD-5EFB-4ECB-9F58-0BB93CD089DA}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD12732F-37EA-4DC1-B7D6-125D20E43DB9}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



And finally, Hijackthis uninstall list:
3Planesoft Screensaver Manager 1.0
ACDSee 8
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Shockwave Player
Age of Empires III
AMIP (remove only)
AMIPConfigurator (remove only)
AVG Free Edition
Bandwidth Monitor Pro
Call of Duty® 2
DFX for Winamp
Diablo II
ffdshow
Fraps
Galactic Civilizations II
Galleon 3D Screensaver 1.3
GL Excess v1.2v
Google Earth
GTA San Andreas
HentaII-026.003
Heroes of Might and Magic V
HijackThis 1.99.1
IL-2 Sturmovik: Forgotten Battles
IL-2 Sturmovik: Forgotten Battles AEP
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 7
Joint Operations: Typhoon Rising
LimeWire 4.12.3
LucasArts' Grim Fandango
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft Flight Simulator 2004 A Century of Flight
mIRC
MSN Messenger 7.5
Neverwinter Nights Platinum Edition
NVIDIA Drivers
Oblivion
Package de pilotes Windows - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
PowerDVD
PowerISO
PunkBuster for Joint Operations
QuickTime Alternative 1.71 Beta 2
Real Alternative 1.49
Realtek AC'97 Audio
SoulSeek 157 test 8
Spy Sweeper
Spybot - Search & Destroy 1.4
ULi LAN Driver
Ultima Online: The Second Age
UO Auto-Map
Voyage of Columbus 3D Screensaver 1.0
Winamp (remove only)
Windows Installer 3.1 (KB893803)
WinRAR archiver



Thanks!

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:15 AM

Posted 21 July 2006 - 08:26 PM

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.


========================================================

#8 Fhjull

Fhjull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:15 AM

Posted 22 July 2006 - 01:03 AM

Fixwareout report:
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\saimd
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmias.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMFIC.EXE 61,961 2004-08-03
C:\WINDOWS\SYSTEM32\DMIAS.EXE 61,961 2004-08-03
C:\WINDOWS\SYSTEM32\DMRYJ.EXE 61,961 2004-08-03
C:\WINDOWS\SYSTEM32\DMVBD.EXE 61,961 2004-08-03
C:\WINDOWS\SYSTEM32\DMVNI.EXE 61,961 2004-08-03
C:\WINDOWS\SYSTEM32\DMYCZ.EXE 61,961 2004-08-03
Other suspects
Directory of C:\WINDOWS\system32
{313F2786-67C0-424B-9F55-90801D86F182}.exe


Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:01:39 AM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Franco\Mes documents\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dafwqtg.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] "C:\Program Files\PowerISO\SCDEmuApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Franco\Local Settings\Temp\{A717E9CD-5EFB-4ECB-9F58-0BB93CD089DA}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD12732F-37EA-4DC1-B7D6-125D20E43DB9}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:15 AM

Posted 22 July 2006 - 08:55 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dafwqtg.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD12732F-37EA-4DC1-B7D6-125D20E43DB9}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll



================


Now let's check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next, go to Start, Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(The space between g and / is needed.)


===============


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\SYSTEM32\DMFIC.EXE
    C:\WINDOWS\SYSTEM32\DMIAS.EXE
    C:\WINDOWS\SYSTEM32\DMRYJ.EXE
    C:\WINDOWS\SYSTEM32\DMVBD.EXE
    C:\WINDOWS\SYSTEM32\DMVNI.EXE
    C:\WINDOWS\SYSTEM32\DMYCZ.EXE
    C:\WINDOWS\system32\{313F2786-67C0-424B-9F55-90801D86F182}.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
===============


Please run Combofix once again and post the resulting log along with a new hijackthis log.


========================================================
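Buckeye_Sam's fix list in the post above targets three kinds of HijackThis entries: the F2 UserInit value with an extra executable appended after userinit.exe, the O17 NameServer values pointing every interface at resolvers outside the user's own network, and the O18 text/html filter DLL. The Python script below is an added example (not code from this thread, from HijackThis or from BleepingComputer) that flags those three patterns in a HijackThis log automatically, so the same check can be run over any log before deciding what to fix. It runs on a constructed sample made of lines excerpted from the log posted above plus one benign O17 line with a private-range router address for contrast; the `Finding` record and the optional `trusted_dns` allowlist are assumptions of the example.

```python
"""Flag the three hijack indicators fixed in this thread in a HijackThis log.

Added example, not part of the original thread or of HijackThis itself.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the HijackThis log posted above,
# plus one benign O17 line (a private-range router address) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dafwqtg.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21A79046-CC17-4842-A9E4-BB31D3B5D2C1}: NameServer = 85.255.115.156,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.156 85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section the line came from: F2, O17 or O18
    detail: str  # what looked wrong
    line: str    # the original log line, for the report


def is_expected_resolver(server, trusted):
    """A resolver is expected if it is on the local network (a router or
    modem) or on the admin's allowlist; anything else is a hijack candidate."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # a non-address in the registry value deserves a look too
    return ip.is_private or ip.is_loopback or str(ip) in trusted


def audit_hjt_log(text, trusted_dns=frozenset()):
    """Return the list of Findings for a HijackThis log given as one string."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            # A clean value is "...\userinit.exe," - one entry and a trailing
            # comma. Anything else in that list is launched at every logon.
            parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append(Finding("F2", "extra UserInit entries: " + ", ".join(extra), line))
            continue
        m = O17_RE.match(line)
        if m:
            # HijackThis prints the Parameters key space-separated and the
            # per-interface keys comma-separated; accept both.
            servers = re.split(r"[,\s]+", m.group("servers").strip())
            bad = [s for s in servers if not is_expected_resolver(s, trusted_dns)]
            if bad:
                findings.append(Finding("O17", "unexpected NameServer: " + ", ".join(bad), line))
            continue
        m = O18_RE.match(line)
        if m:
            # A MIME filter on text/html sees every page the browser renders;
            # legitimate software rarely installs one, so always report it.
            findings.append(Finding("O18", f"{m.group('mime')} filter loaded from {m.group('path')}", line))
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

On the sample it reports the appended dafwqtg.exe, the two 85.255.x.x resolver lines and the v199.dll filter, and stays silent on the 192.168.1.1 line; a DNS resolver the user's ISP really does hand out can be passed in `trusted_dns` so it is not reported as a hijack.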

#10 Fhjull

Fhjull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:15 AM

Posted 22 July 2006 - 12:53 PM

I did not get the PendingFileRenameOperations prompt after running Killbox.
Here are the logs

-Killbox log:
Pocket Killbox version 2.0.0.648
Running on Windows XP as Franco(Administrator)
was started @ Saturday, July 22, 2006, 1:32 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMFIC.EXE


# 2 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMIAS.EXE


# 3 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMRYJ.EXE


# 4 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMVBD.EXE


# 5 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMVNI.EXE


# 6 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\DMYCZ.EXE


I Rebooted @ 1:34:53 PM
Killbox Closed(Exit) @ 1:34:53 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Franco(Administrator)
was started @ Saturday, July 22, 2006, 1:38 PM

Killbox Closed(Exit) @ 1:40:13 PM
__________________________________________________




-ComboFix:
Start Time= Sat 07/22/2006 13:40:30.40
Running from: C:\Documents and Settings\Franco\Bureau

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



73 Rép(s) 25,564,504,064 C:\Program Files\octets libres
23 Rép(s) 25,564,495,872 C:\Documents and Settings\Franco\Application Data\octets libres
202 fichier(s) 22,696,295 C:\WINDOWS\system32\drivers\octets
2006-07-22 13:37 <REP> C:\Program Files\mozilla firefox
2006-07-22 13:20 <REP> C:\Program Files\mirc
2006-07-22 01:51 <REP> C:\Program Files\soulseek-test
2006-07-21 19:49 <REP> C:\Program Files\internet explorer
2006-07-20 23:21 <REP> C:\Program Files\elticons
2006-07-20 23:10 589 C:\WINDOWS\win.ini
2006-07-20 23:10 <REP> C:\Program Files\webroot
2006-07-20 23:10 <REP> C:\Documents and Settings\Franco\Application Data\webroot
2006-07-20 19:35 36,864 C:\WINDOWS\system32\tdopsxxl.exe
2006-07-20 19:32 <REP> C:\Program Files\fichiers communs
2006-07-20 19:31 <REP> C:\Program Files\cowabanga
2006-07-20 17:27 776,096 C:\WINDOWS\system32\drivers\avg7core.sys
2006-07-20 17:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-20 17:27 4,992 C:\WINDOWS\system32\drivers\avgtdi.sys
2006-07-20 17:27 4,288 C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-20 17:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-20 17:27 27,776 C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-20 17:27 23,424 C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-20 17:27 <REP> C:\Program Files\grisoft
2006-07-20 17:27 <REP> C:\Documents and Settings\Franco\Application Data\microsoft
2006-07-20 17:27 <REP> C:\Documents and Settings\Franco\Application Data\avg7
2006-07-20 16:18 <REP> C:\Program Files\curerom
2006-07-20 16:17 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-07-20 16:15 156,672 C:\WINDOWS\system32\oins.exe
2006-07-20 16:15 <REP> C:\Program Files\acco
2006-07-20 16:14 380,928 C:\WINDOWS\system32\winnb58.dll
2006-07-20 16:14 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-20 16:14 0 C:\Documents and Settings\Franco\Application Data\internaldb41.dat
2006-07-20 15:55 <REP> C:\Program Files\rockstar games
2006-07-20 15:55 <REP> C:\Program Files\installshield installation information
2006-07-20 15:42 <REP> C:\Documents and Settings\Franco\Application Data\utorrent
2006-07-19 22:08 <REP> C:\Documents and Settings\Franco\Application Data\my games
2006-07-19 22:04 170 C:\WINDOWS\wininit.ini
2006-07-17 20:13 <REP> C:\Documents and Settings\Franco\Application Data\macromedia
2006-07-17 17:28 287 C:\WINDOWS\game.ini
2006-07-17 17:22 <REP> C:\Program Files\activision
2006-07-17 15:28 <REP> C:\Program Files\winrar
2006-07-17 14:14 <REP> C:\Program Files\microsoft games
2006-07-17 03:57 23 C:\WINDOWS\blendsettings.ini
2006-07-14 23:14 <REP> C:\Program Files\spybot - search & destroy
2006-07-14 20:14 <REP> C:\Documents and Settings\Franco\Application Data\mozilla
2006-07-13 15:13 36,864 C:\WINDOWS\system32\ahnciup.exe
2006-07-12 19:23 <REP> C:\Program Files\photo_resizer_pro
2006-07-11 00:47 98,304 C:\WINDOWS\system32\cmdlineext.dll
2006-07-09 00:53 <REP> C:\Program Files\ffdshow
2006-07-09 00:36 <REP> C:\Program Files\quicktime alternative
2006-07-09 00:36 <REP> C:\Documents and Settings\Franco\Application Data\apple computer
2006-07-09 00:35 <REP> C:\Program Files\quicktime
2006-07-07 23:54 <REP> C:\Program Files\ubi soft
2006-07-07 16:54 252,928 C:\WINDOWS\wruninstall.dll
2006-07-07 16:53 8,704 C:\WINDOWS\system32\ssiefr.exe
2006-07-07 16:53 208,896 C:\WINDOWS\system32\wrlogonntf.dll
2006-07-07 16:53 20,992 C:\WINDOWS\system32\wrlzma.dll
2006-07-07 16:41 15,360 C:\WINDOWS\system32\drivers\sshrmd.sys
2006-07-07 16:41 14,848 C:\WINDOWS\system32\drivers\sskbfd.sys
2006-07-07 16:41 13,824 C:\WINDOWS\system32\drivers\ssfs041a.sys
2006-07-07 16:41 117,248 C:\WINDOWS\system32\drivers\ssidrv.sys
2006-07-07 13:03 951,946 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-06 20:01 <REP> C:\Program Files\diablo ii
2006-07-06 19:31 21,840 C:\WINDOWS\system32\sintfnt.dll
2006-07-06 19:31 17,212 C:\WINDOWS\system32\sintf32.dll
2006-07-06 19:31 12,067 C:\WINDOWS\system32\sintf16.dll
2006-07-06 17:18 <REP> C:\Program Files\gl excess
2006-07-06 16:10 <REP> C:\Program Files\realtek ac97
2006-07-06 13:59 <REP> C:\Program Files\difx
2006-07-04 13:17 <REP> C:\Program Files\uoam
2006-07-04 13:11 <REP> C:\Program Files\ultima online
2006-07-04 13:01 <REP> C:\Program Files\razor
2006-07-03 00:11 <REP> C:\Program Files\Fichiers communs\installshield
2006-07-02 23:25 <REP> C:\Program Files\limewire
2006-07-02 21:19 <REP> C:\Program Files\lucasarts
2006-07-02 14:42 <REP> C:\Program Files\ubisoft
2006-07-02 13:58 <REP> C:\Program Files\google
2006-07-02 13:33 <REP> C:\Program Files\java
2006-07-02 13:33 <REP> C:\Documents and Settings\Franco\Application Data\sun
2006-07-02 13:33 <REP> C:\Documents and Settings\Franco\Application Data\google
2006-07-01 18:29 <REP> C:\Program Files\stardock
2006-07-01 01:14 <REP> C:\Program Files\bethesda softworks
2006-06-30 20:46 <REP> C:\Program Files\lavasoft
2006-06-30 20:46 <REP> C:\Documents and Settings\Franco\Application Data\lavasoft
2006-06-30 18:35 <REP> C:\Program Files\Fichiers communs\java
2006-06-30 16:17 <REP> C:\Program Files\firaxis games
2006-06-30 16:15 <REP> C:\Program Files\poweriso
2006-06-30 16:14 34,308 C:\WINDOWS\system32\bassmod.dll
2006-06-30 15:16 359,040 C:\WINDOWS\system32\drivers\tcpip.sys
2006-06-28 03:06 <REP> C:\Documents and Settings\Franco\Application Data\real
2006-06-27 18:18 <REP> C:\Program Files\bandwidth monitor pro
2006-06-22 15:58 <REP> C:\Documents and Settings\Franco\Application Data\help
2006-06-22 14:30 <REP> C:\Program Files\Fichiers communs\adobe
2006-06-22 14:30 <REP> C:\Program Files\adobe
2006-06-22 14:30 <REP> C:\Documents and Settings\Franco\Application Data\intertrust
2006-06-22 14:30 <REP> C:\Documents and Settings\Franco\Application Data\adobe
2006-06-22 02:47 <REP> C:\Program Files\real alternative
2006-06-22 02:47 <REP> C:\Program Files\media player classic
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-20 17:12 94,208 C:\WINDOWS\diiunin.exe
2006-06-19 16:50 <REP> C:\Program Files\duke3d atomic winxp
2006-06-18 23:40 43,520 C:\WINDOWS\system32\drivers\amdk8.sys
2006-06-18 22:26 <REP> C:\Program Files\thrixxx
2006-06-16 19:01 223,128 C:\WINDOWS\system32\drivers\dtscsi.sys
2006-06-16 19:01 <REP> C:\Program Files\daemon tools
2006-06-16 19:00 96,256 C:\WINDOWS\system32\drivers\sptd2397.sys
2006-06-16 19:00 642,560 C:\WINDOWS\system32\drivers\sptd.sys
2006-06-12 21:48 <REP> C:\Program Files\msn messenger
2006-06-10 23:57 <REP> C:\Program Files\voyage of columbus 3d screensaver
2006-06-10 23:57 <REP> C:\Program Files\3planesoft screensaver manager
2006-06-10 22:56 <REP> C:\Program Files\galleon 3d screensaver
2006-06-10 02:28 <REP> C:\Documents and Settings\Franco\Application Data\acd systems
2006-06-10 02:27 <REP> C:\Program Files\Fichiers communs\acd systems
2006-06-10 02:27 <REP> C:\Program Files\acd systems
2006-06-09 02:02 <REP> C:\Program Files\winamp
2006-06-08 15:05 <REP> C:\Program Files\black isle
2006-06-08 13:25 <REP> C:\Documents and Settings\Franco\Application Data\fltk.org
2006-06-08 11:41 626,688 C:\WINDOWS\system32\dfxg11.dll
2006-06-08 11:41 <REP> C:\Program Files\dfx
2006-06-07 23:36 <REP> C:\Documents and Settings\Franco\Application Data\media player classic
2006-06-07 22:56 <REP> C:\Documents and Settings\Franco\Application Data\cyberlink
2006-06-07 20:58 <REP> C:\Documents and Settings\Franco\Application Data\leadertech
2006-06-07 20:54 <REP> C:\Program Files\novalogic
2006-06-07 19:40 <REP> C:\Program Files\cyberlink
2006-06-07 19:38 <REP> C:\Program Files\uninstall information
2006-06-07 19:38 <REP> C:\Program Files\Fichiers communs\microsoft shared
2006-06-07 19:38 <REP> C:\Documents and Settings\Franco\Application Data\identities
2006-06-07 19:21 4,205 C:\WINDOWS\odbcinst.ini
2006-06-07 19:21 0 C:\WINDOWS\control.ini
2006-06-07 19:21 <REP> C:\Program Files\xerox
2006-06-07 19:21 <REP> C:\Program Files\windows media player
2006-06-07 19:21 <REP> C:\Program Files\microsoft frontpage
2006-06-07 19:20 <REP> C:\Program Files\windowsupdate
2006-06-07 19:20 <REP> C:\Program Files\services en ligne
2006-06-07 19:19 <REP> C:\Program Files\outlook express
2006-06-07 19:19 <REP> C:\Program Files\netmeeting
2006-06-07 19:19 <REP> C:\Program Files\movie maker
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\system
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\services
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\mssoap
2006-06-07 19:18 37 C:\WINDOWS\vbaddin.ini
2006-06-07 19:18 36 C:\WINDOWS\vb.ini
2006-06-07 19:18 <REP> C:\Program Files\windows nt
2006-06-07 19:18 <REP> C:\Program Files\online services
2006-06-07 19:18 <REP> C:\Program Files\msn gaming zone
2006-06-07 19:18 <REP> C:\Program Files\messenger
2006-06-07 19:18 <REP> C:\Program Files\complus applications
2006-06-07 19:17 <REP> C:\Program Files\msn
2006-06-07 15:15 231 C:\WINDOWS\system.ini
2006-06-07 15:10 62 C:\Documents and Settings\Franco\Application Data\desktop.ini
2006-06-07 15:10 <REP> C:\Program Files\Fichiers communs\speechengines
2006-06-07 15:10 <REP> C:\Program Files\Fichiers communs\odbc
2006-06-02 17:03 16,966,144 C:\WINDOWS\system32\voyage of columbus 3d screensaver.exe
2006-06-01 19:09 208,896 C:\WINDOWS\system32\nvuninst.exe
2006-06-01 17:22 888,832 C:\WINDOWS\system32\nvmobls.dll
2006-06-01 17:22 86,016 C:\WINDOWS\system32\nvmctray.dll
2006-06-01 17:22 81,920 C:\WINDOWS\system32\nvwddi.dll
2006-06-01 17:22 794,624 C:\WINDOWS\system32\nvcplui.exe
2006-06-01 17:22 7,618,560 C:\WINDOWS\system32\nvcpl.dll
2006-06-01 17:22 581,632 C:\WINDOWS\system32\nvhwvid.dll
2006-06-01 17:22 5,652,480 C:\WINDOWS\system32\nvdisps.dll
2006-06-01 17:22 5,632,000 C:\WINDOWS\system32\nvoglnt.dll
2006-06-01 17:22 5,246,976 C:\WINDOWS\system32\nvdispsr.dll
2006-06-01 17:22 466,944 C:\WINDOWS\system32\nvshell.dll
2006-06-01 17:22 462,848 C:\WINDOWS\system32\nvmccssr.dll
2006-06-01 17:22 45,056 C:\WINDOWS\system32\nvmccsrs.dll
2006-06-01 17:22 442,368 C:\WINDOWS\system32\nvappbar.exe
2006-06-01 17:22 425,984 C:\WINDOWS\system32\keystone.exe
2006-06-01 17:22 4,529,408 C:\WINDOWS\system32\nv4_disp.dll
2006-06-01 17:22 35,840 C:\WINDOWS\system32\nvcodins.dll
2006-06-01 17:22 35,840 C:\WINDOWS\system32\nvcod.dll
2006-06-01 17:22 311,296 C:\WINDOWS\system32\nvexpbar.dll
2006-06-01 17:22 3,925,920 C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-06-01 17:22 3,100,672 C:\WINDOWS\system32\nvgames.dll
2006-06-01 17:22 286,720 C:\WINDOWS\system32\nvnt4cpl.dll
2006-06-01 17:22 229,376 C:\WINDOWS\system32\nvmccs.dll
2006-06-01 17:22 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-01 17:22 2,977,792 C:\WINDOWS\system32\nvvitvsr.dll
2006-06-01 17:22 2,924,544 C:\WINDOWS\system32\nvvitvs.dll
2006-06-01 17:22 2,916,352 C:\WINDOWS\system32\nvgamesr.dll
2006-06-01 17:22 2,859,008 C:\WINDOWS\system32\nvmoblsr.dll
2006-06-01 17:22 196,608 C:\WINDOWS\system32\nvapi.dll
2006-06-01 17:22 188,416 C:\WINDOWS\system32\nvmccss.dll
2006-06-01 17:22 155,715 C:\WINDOWS\system32\nvsvc32.exe
2006-06-01 17:22 147,456 C:\WINDOWS\system32\nvcolor.exe
2006-06-01 17:22 1,740,800 C:\WINDOWS\system32\nvwssr.dll
2006-06-01 17:22 1,662,976 C:\WINDOWS\system32\nvwdmcpl.dll
2006-06-01 17:22 1,519,616 C:\WINDOWS\system32\nwiz.exe
2006-06-01 17:22 1,466,368 C:\WINDOWS\system32\nview.dll
2006-06-01 17:22 1,339,392 C:\WINDOWS\system32\nvdspsch.exe
2006-06-01 17:22 1,257,472 C:\WINDOWS\system32\nvwss.dll
2006-06-01 17:22 1,019,904 C:\WINDOWS\system32\nvwimg.dll
2006-06-01 17:22 1,011,712 C:\WINDOWS\system32\nvcpluir.dll
2006-06-01 16:09 1,013,760 C:\WINDOWS\system32\voyage_of_columbus_3d_screensaver.scr
2006-05-11 07:18 10,527,232 C:\WINDOWS\system32\rtlcpl.exe
2006-05-03 02:56 127,078 C:\WINDOWS\system32\javaws.exe
2006-05-03 01:19 53,346 C:\WINDOWS\system32\javaw.exe
2006-05-03 01:19 49,248 C:\WINDOWS\system32\java.exe
2006-04-30 09:45 36,864 C:\WINDOWS\system32\frapsvid.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-20 23:21 221,184 C:\WINDOWS\system32\wmpns.dll
2006-07-20 23:10 8,704 C:\WINDOWS\system32\ssiefr.EXE
2006-07-20 23:10 684,032 C:\WINDOWS\libeay32.dll
2006-07-20 23:10 252,928 C:\WINDOWS\WRUninstall.dll
2006-07-20 23:10 208,896 C:\WINDOWS\system32\WRLogonNtf.dll
2006-07-20 23:10 20,992 C:\WINDOWS\system32\wrlzma.dll
2006-07-20 23:10 155,648 C:\WINDOWS\ssleay32.dll
2006-07-20 17:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-20 17:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-20 16:17 36,864 C:\WINDOWS\system32\tdopsxxl.exe
2006-07-20 16:17 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-07-20 16:15 156,672 C:\WINDOWS\system32\oins.exe
2006-07-20 16:14 380,928 C:\WINDOWS\system32\WinNB58.dll
2006-07-20 16:14 36,864 C:\WINDOWS\system32\ahnciup.exe
2006-07-20 16:14 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-20 16:14 142 C:\WINDOWS\aqnvw.dll
2006-07-19 22:04 170 C:\WINDOWS\wininit.ini
2006-07-17 17:28 287 C:\WINDOWS\game.ini
2006-07-07 16:49 36 C:\WINDOWS\iprel.bat
2006-07-07 16:49 34 C:\WINDOWS\ipren.bat
2006-07-07 16:49 29 C:\WINDOWS\ip.bat
2006-07-06 19:23 35,587 C:\WINDOWS\system32\rmlan.exe
2006-07-06 19:23 28,672 C:\WINDOWS\system32\UnLAN.exe
2006-07-06 16:14 60,416 C:\WINDOWS\ALCFDRTM.EXE
2006-07-06 16:10 577,536 C:\WINDOWS\soundman.exe
2006-07-06 16:10 40,960 C:\WINDOWS\system32\ChCfg.exe
2006-07-06 16:10 135,168 C:\WINDOWS\system32\RtlCPAPI.dll
2006-07-06 16:10 10,527,232 C:\WINDOWS\system32\RTLCPL.exe
2006-07-06 16:09 315,392 C:\WINDOWS\alcupd.exe
2006-07-06 16:09 217,088 C:\WINDOWS\alcrmv.exe
2006-07-04 12:36 179,712 C:\WINDOWS\UOUninst.exe
2006-07-02 21:19 299,520 C:\WINDOWS\uninst.exe
2006-07-02 14:45 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-02 14:45 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-02 14:45 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-02 14:45 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-02 14:45 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-02 14:45 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-02 14:45 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-02 14:45 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-02 14:45 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-02 14:45 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-02 14:45 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-02 13:33 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-02 13:33 49,248 C:\WINDOWS\system32\java.exe
2006-07-02 13:33 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-01 14:09 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-07-01 14:09 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-07-01 01:26 23 C:\WINDOWS\BlendSettings.ini
2006-07-01 01:24 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-06-30 16:16 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-06-30 16:14 34,308 C:\WINDOWS\system32\BASSMOD.dll
2006-06-27 18:17 86,016 C:\WINDOWS\unvise32.exe
2006-06-22 14:30 306,688 C:\WINDOWS\IsUninst.exe
2006-06-22 02:47 6,656 C:\WINDOWS\system32\pndx5016.dll
2006-06-22 02:47 5,632 C:\WINDOWS\system32\pndx5032.dll
2006-06-22 02:47 278,528 C:\WINDOWS\system32\pncrt.dll
2006-06-22 02:47 176,167 C:\WINDOWS\system32\rmoc3260.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SCDEmuApp.exe"="\"C:\\Program Files\\PowerISO\\SCDEmuApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe\""
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RunDLL32.exe\" NvMCTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Bandwidth Monitor Pro"="\"C:\\Program Files\\Bandwidth Monitor Pro\\Bandwidth Monitor Pro.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job

Completion time: Sat 07/22/2006 13:40:38.14
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt




-HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 1:50:11 PM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Franco\Mes documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] "C:\Program Files\PowerISO\SCDEmuApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Franco\Local Settings\Temp\{A717E9CD-5EFB-4ECB-9F58-0BB93CD089DA}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Edited by Fhjull, 22 July 2006 - 01:53 PM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:15 AM

Posted 22 July 2006 - 09:57 PM

Use Killbox just as you did before to delete these files.

C:\WINDOWS\system32\tdopsxxl.exe
C:\WINDOWS\system32\oins.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\media_motor_bundle.exe
C:\Documents and Settings\Franco\Application Data\internaldb41.dat
C:\WINDOWS\system32\ahnciup.exe



Can you tell what these tasks are for?

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
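The review above is done by eye: the helper reads each O4/O18/O20 line in the posted HijackThis log and picks out the startup item launched from a Temp folder, entries with no full path, and DLLs hooked into logon. As an added example (not the thread's own tooling, nor part of HijackThis or ComboFix), the script below applies those same checks mechanically to lines copied from the log posted earlier in this thread; the regexes and the `Finding` record are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    section: str  # HijackThis section the line came from (O4, O18, O20)
    name: str     # entry name as HijackThis prints it
    target: str   # executable or DLL the entry points at
    reason: str   # why a reviewer should look at it


# Lines copied from the HijackThis log posted above in this thread; they are
# the sample input of this script, not its output.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Franco\Local Settings\Temp\{A717E9CD-5EFB-4ECB-9F58-0BB93CD089DA}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: PowerReg Scheduler.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# O4 entries come in two shapes: a Run key ("[name] command") or a Startup-folder item.
RUN_KEY_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - (Global Startup|Startup): (.*)$')
O18_RE = re.compile(r'^O18 - Protocol: (\S+) - \{[0-9A-Fa-f-]+\} - (.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*)$')
# A startup item launched from a Temp directory is the pattern seen in the log above.
TEMP_DIR_RE = re.compile(r'\\(local settings\\)?temp\\', re.IGNORECASE)
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def first_token(command: str) -> str:
    """Return the program part of a Run-key command line, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def _check_target(section: str, name: str, target: str, out: List[Finding]) -> None:
    """Apply the path checks a helper does by eye when reading an O4 line."""
    if TEMP_DIR_RE.search(target):
        out.append(Finding(section, name, target, "runs from a Temp directory"))
    elif not ABS_PATH_RE.match(target):
        out.append(Finding(section, name, target,
                           "no absolute path; confirm which file actually runs"))


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis O4/O18/O20 lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            _check_target("O4", f"{hive}\\..\\{key} [{name}]", first_token(command), findings)
            continue
        m = STARTUP_RE.match(line)
        if m:
            folder, rest = m.groups()
            if " = " in rest:  # shortcut in the Startup folder: "name.lnk = target"
                name, target = rest.split(" = ", 1)
                _check_target("O4", f"{folder}: {name}", target.strip(), findings)
            else:              # an executable dropped directly into the Startup folder
                findings.append(Finding("O4", f"{folder}: {rest}", rest,
                                        "executable placed directly in the Startup folder"))
            continue
        m = O18_RE.match(line)
        if m and "(file missing)" in m.group(2):
            findings.append(Finding("O18", m.group(1), m.group(2),
                                    "handler DLL missing; orphaned protocol registration"))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append(Finding("O20", m.group(1), m.group(2),
                                    "DLL loaded into winlogon.exe at logon; verify the publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}\n    {f.target}\n    -> {f.reason}")
```

A hit from this script is a prompt to check the file (publisher, location, install date), not a verdict; the known-good entries in the sample, such as the PowerDVD and ctfmon lines, produce no finding.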


========================================================

#12 Fhjull

Fhjull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:15 AM

Posted 23 July 2006 - 01:42 PM

Done.

And no, I can't tell what these tasks are; I have not scheduled any myself.

Here is a new ComboFix log:

Start Time= Sun 07/23/2006 14:35:30.06
Running from: C:\Documents and Settings\Franco\Bureau

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



73 Rép(s) 25,290,506,240 C:\Program Files\octets libres
23 Rép(s) 25,290,506,240 C:\Documents and Settings\Franco\Application Data\octets libres
202 fichier(s) 22,696,295 C:\WINDOWS\system32\drivers\octets
2006-07-23 14:23 <REP> C:\Program Files\mozilla firefox
2006-07-23 14:12 <REP> C:\Program Files\mirc
2006-07-23 02:10 <REP> C:\Program Files\soulseek-test
2006-07-22 21:08 <REP> C:\Documents and Settings\Franco\Application Data\utorrent
2006-07-21 19:49 <REP> C:\Program Files\internet explorer
2006-07-20 23:21 <REP> C:\Program Files\elticons
2006-07-20 23:10 589 C:\WINDOWS\win.ini
2006-07-20 23:10 <REP> C:\Program Files\webroot
2006-07-20 23:10 <REP> C:\Documents and Settings\Franco\Application Data\webroot
2006-07-20 19:32 <REP> C:\Program Files\fichiers communs
2006-07-20 19:31 <REP> C:\Program Files\cowabanga
2006-07-20 17:27 776,096 C:\WINDOWS\system32\drivers\avg7core.sys
2006-07-20 17:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-20 17:27 4,992 C:\WINDOWS\system32\drivers\avgtdi.sys
2006-07-20 17:27 4,288 C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-20 17:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-20 17:27 27,776 C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-20 17:27 23,424 C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-20 17:27 <REP> C:\Program Files\grisoft
2006-07-20 17:27 <REP> C:\Documents and Settings\Franco\Application Data\microsoft
2006-07-20 17:27 <REP> C:\Documents and Settings\Franco\Application Data\avg7
2006-07-20 16:18 <REP> C:\Program Files\curerom
2006-07-20 16:17 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-07-20 16:15 <REP> C:\Program Files\acco
2006-07-20 15:55 <REP> C:\Program Files\rockstar games
2006-07-20 15:55 <REP> C:\Program Files\installshield installation information
2006-07-19 22:08 <REP> C:\Documents and Settings\Franco\Application Data\my games
2006-07-19 22:04 170 C:\WINDOWS\wininit.ini
2006-07-17 20:13 <REP> C:\Documents and Settings\Franco\Application Data\macromedia
2006-07-17 17:28 287 C:\WINDOWS\game.ini
2006-07-17 17:22 <REP> C:\Program Files\activision
2006-07-17 15:28 <REP> C:\Program Files\winrar
2006-07-17 14:14 <REP> C:\Program Files\microsoft games
2006-07-17 03:57 23 C:\WINDOWS\blendsettings.ini
2006-07-14 23:14 <REP> C:\Program Files\spybot - search & destroy
2006-07-14 20:14 <REP> C:\Documents and Settings\Franco\Application Data\mozilla
2006-07-12 19:23 <REP> C:\Program Files\photo_resizer_pro
2006-07-11 00:47 98,304 C:\WINDOWS\system32\cmdlineext.dll
2006-07-09 00:53 <REP> C:\Program Files\ffdshow
2006-07-09 00:36 <REP> C:\Program Files\quicktime alternative
2006-07-09 00:36 <REP> C:\Documents and Settings\Franco\Application Data\apple computer
2006-07-09 00:35 <REP> C:\Program Files\quicktime
2006-07-07 23:54 <REP> C:\Program Files\ubi soft
2006-07-07 16:54 252,928 C:\WINDOWS\wruninstall.dll
2006-07-07 16:53 8,704 C:\WINDOWS\system32\ssiefr.exe
2006-07-07 16:53 208,896 C:\WINDOWS\system32\wrlogonntf.dll
2006-07-07 16:53 20,992 C:\WINDOWS\system32\wrlzma.dll
2006-07-07 16:41 15,360 C:\WINDOWS\system32\drivers\sshrmd.sys
2006-07-07 16:41 14,848 C:\WINDOWS\system32\drivers\sskbfd.sys
2006-07-07 16:41 13,824 C:\WINDOWS\system32\drivers\ssfs041a.sys
2006-07-07 16:41 117,248 C:\WINDOWS\system32\drivers\ssidrv.sys
2006-07-07 13:03 951,946 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-06 20:01 <REP> C:\Program Files\diablo ii
2006-07-06 19:31 21,840 C:\WINDOWS\system32\sintfnt.dll
2006-07-06 19:31 17,212 C:\WINDOWS\system32\sintf32.dll
2006-07-06 19:31 12,067 C:\WINDOWS\system32\sintf16.dll
2006-07-06 17:18 <REP> C:\Program Files\gl excess
2006-07-06 16:10 <REP> C:\Program Files\realtek ac97
2006-07-06 13:59 <REP> C:\Program Files\difx
2006-07-04 13:17 <REP> C:\Program Files\uoam
2006-07-04 13:11 <REP> C:\Program Files\ultima online
2006-07-04 13:01 <REP> C:\Program Files\razor
2006-07-03 00:11 <REP> C:\Program Files\Fichiers communs\installshield
2006-07-02 23:25 <REP> C:\Program Files\limewire
2006-07-02 21:19 <REP> C:\Program Files\lucasarts
2006-07-02 14:42 <REP> C:\Program Files\ubisoft
2006-07-02 13:58 <REP> C:\Program Files\google
2006-07-02 13:33 <REP> C:\Program Files\java
2006-07-02 13:33 <REP> C:\Documents and Settings\Franco\Application Data\sun
2006-07-02 13:33 <REP> C:\Documents and Settings\Franco\Application Data\google
2006-07-01 18:29 <REP> C:\Program Files\stardock
2006-07-01 01:14 <REP> C:\Program Files\bethesda softworks
2006-06-30 20:46 <REP> C:\Program Files\lavasoft
2006-06-30 20:46 <REP> C:\Documents and Settings\Franco\Application Data\lavasoft
2006-06-30 18:35 <REP> C:\Program Files\Fichiers communs\java
2006-06-30 16:17 <REP> C:\Program Files\firaxis games
2006-06-30 16:15 <REP> C:\Program Files\poweriso
2006-06-30 16:14 34,308 C:\WINDOWS\system32\bassmod.dll
2006-06-30 15:16 359,040 C:\WINDOWS\system32\drivers\tcpip.sys
2006-06-28 03:06 <REP> C:\Documents and Settings\Franco\Application Data\real
2006-06-27 18:18 <REP> C:\Program Files\bandwidth monitor pro
2006-06-22 15:58 <REP> C:\Documents and Settings\Franco\Application Data\help
2006-06-22 14:30 <REP> C:\Program Files\Fichiers communs\adobe
2006-06-22 14:30 <REP> C:\Program Files\adobe
2006-06-22 14:30 <REP> C:\Documents and Settings\Franco\Application Data\intertrust
2006-06-22 14:30 <REP> C:\Documents and Settings\Franco\Application Data\adobe
2006-06-22 02:47 <REP> C:\Program Files\real alternative
2006-06-22 02:47 <REP> C:\Program Files\media player classic
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-20 17:12 94,208 C:\WINDOWS\diiunin.exe
2006-06-19 16:50 <REP> C:\Program Files\duke3d atomic winxp
2006-06-18 23:40 43,520 C:\WINDOWS\system32\drivers\amdk8.sys
2006-06-18 22:26 <REP> C:\Program Files\thrixxx
2006-06-16 19:01 223,128 C:\WINDOWS\system32\drivers\dtscsi.sys
2006-06-16 19:01 <REP> C:\Program Files\daemon tools
2006-06-16 19:00 96,256 C:\WINDOWS\system32\drivers\sptd2397.sys
2006-06-16 19:00 642,560 C:\WINDOWS\system32\drivers\sptd.sys
2006-06-12 21:48 <REP> C:\Program Files\msn messenger
2006-06-10 23:57 <REP> C:\Program Files\voyage of columbus 3d screensaver
2006-06-10 23:57 <REP> C:\Program Files\3planesoft screensaver manager
2006-06-10 22:56 <REP> C:\Program Files\galleon 3d screensaver
2006-06-10 02:28 <REP> C:\Documents and Settings\Franco\Application Data\acd systems
2006-06-10 02:27 <REP> C:\Program Files\Fichiers communs\acd systems
2006-06-10 02:27 <REP> C:\Program Files\acd systems
2006-06-09 02:02 <REP> C:\Program Files\winamp
2006-06-08 15:05 <REP> C:\Program Files\black isle
2006-06-08 13:25 <REP> C:\Documents and Settings\Franco\Application Data\fltk.org
2006-06-08 11:41 626,688 C:\WINDOWS\system32\dfxg11.dll
2006-06-08 11:41 <REP> C:\Program Files\dfx
2006-06-07 23:36 <REP> C:\Documents and Settings\Franco\Application Data\media player classic
2006-06-07 22:56 <REP> C:\Documents and Settings\Franco\Application Data\cyberlink
2006-06-07 20:58 <REP> C:\Documents and Settings\Franco\Application Data\leadertech
2006-06-07 20:54 <REP> C:\Program Files\novalogic
2006-06-07 19:40 <REP> C:\Program Files\cyberlink
2006-06-07 19:38 <REP> C:\Program Files\uninstall information
2006-06-07 19:38 <REP> C:\Program Files\Fichiers communs\microsoft shared
2006-06-07 19:38 <REP> C:\Documents and Settings\Franco\Application Data\identities
2006-06-07 19:21 4,205 C:\WINDOWS\odbcinst.ini
2006-06-07 19:21 0 C:\WINDOWS\control.ini
2006-06-07 19:21 0 C:\msdos.sys
2006-06-07 19:21 <REP> C:\Program Files\xerox
2006-06-07 19:21 <REP> C:\Program Files\windows media player
2006-06-07 19:21 <REP> C:\Program Files\microsoft frontpage
2006-06-07 19:20 <REP> C:\Program Files\windowsupdate
2006-06-07 19:20 <REP> C:\Program Files\services en ligne
2006-06-07 19:19 <REP> C:\Program Files\outlook express
2006-06-07 19:19 <REP> C:\Program Files\netmeeting
2006-06-07 19:19 <REP> C:\Program Files\movie maker
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\system
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\services
2006-06-07 19:19 <REP> C:\Program Files\Fichiers communs\mssoap
2006-06-07 19:18 37 C:\WINDOWS\vbaddin.ini
2006-06-07 19:18 36 C:\WINDOWS\vb.ini
2006-06-07 19:18 <REP> C:\Program Files\windows nt
2006-06-07 19:18 <REP> C:\Program Files\online services
2006-06-07 19:18 <REP> C:\Program Files\msn gaming zone
2006-06-07 19:18 <REP> C:\Program Files\messenger
2006-06-07 19:18 <REP> C:\Program Files\complus applications
2006-06-07 19:17 <REP> C:\Program Files\msn
2006-06-07 15:15 231 C:\WINDOWS\system.ini
2006-06-07 15:10 62 C:\Documents and Settings\Franco\Application Data\desktop.ini
2006-06-07 15:10 <REP> C:\Program Files\Fichiers communs\speechengines
2006-06-07 15:10 <REP> C:\Program Files\Fichiers communs\odbc
2006-06-02 17:03 16,966,144 C:\WINDOWS\system32\voyage of columbus 3d screensaver.exe
2006-06-01 19:09 208,896 C:\WINDOWS\system32\nvuninst.exe
2006-06-01 17:22 888,832 C:\WINDOWS\system32\nvmobls.dll
2006-06-01 17:22 86,016 C:\WINDOWS\system32\nvmctray.dll
2006-06-01 17:22 81,920 C:\WINDOWS\system32\nvwddi.dll
2006-06-01 17:22 794,624 C:\WINDOWS\system32\nvcplui.exe
2006-06-01 17:22 7,618,560 C:\WINDOWS\system32\nvcpl.dll
2006-06-01 17:22 581,632 C:\WINDOWS\system32\nvhwvid.dll
2006-06-01 17:22 5,652,480 C:\WINDOWS\system32\nvdisps.dll
2006-06-01 17:22 5,632,000 C:\WINDOWS\system32\nvoglnt.dll
2006-06-01 17:22 5,246,976 C:\WINDOWS\system32\nvdispsr.dll
2006-06-01 17:22 466,944 C:\WINDOWS\system32\nvshell.dll
2006-06-01 17:22 462,848 C:\WINDOWS\system32\nvmccssr.dll
2006-06-01 17:22 45,056 C:\WINDOWS\system32\nvmccsrs.dll
2006-06-01 17:22 442,368 C:\WINDOWS\system32\nvappbar.exe
2006-06-01 17:22 425,984 C:\WINDOWS\system32\keystone.exe
2006-06-01 17:22 4,529,408 C:\WINDOWS\system32\nv4_disp.dll
2006-06-01 17:22 35,840 C:\WINDOWS\system32\nvcodins.dll
2006-06-01 17:22 35,840 C:\WINDOWS\system32\nvcod.dll
2006-06-01 17:22 311,296 C:\WINDOWS\system32\nvexpbar.dll
2006-06-01 17:22 3,925,920 C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-06-01 17:22 3,100,672 C:\WINDOWS\system32\nvgames.dll
2006-06-01 17:22 286,720 C:\WINDOWS\system32\nvnt4cpl.dll
2006-06-01 17:22 229,376 C:\WINDOWS\system32\nvmccs.dll
2006-06-01 17:22 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-01 17:22 2,977,792 C:\WINDOWS\system32\nvvitvsr.dll
2006-06-01 17:22 2,924,544 C:\WINDOWS\system32\nvvitvs.dll
2006-06-01 17:22 2,916,352 C:\WINDOWS\system32\nvgamesr.dll
2006-06-01 17:22 2,859,008 C:\WINDOWS\system32\nvmoblsr.dll
2006-06-01 17:22 196,608 C:\WINDOWS\system32\nvapi.dll
2006-06-01 17:22 188,416 C:\WINDOWS\system32\nvmccss.dll
2006-06-01 17:22 155,715 C:\WINDOWS\system32\nvsvc32.exe
2006-06-01 17:22 147,456 C:\WINDOWS\system32\nvcolor.exe
2006-06-01 17:22 1,740,800 C:\WINDOWS\system32\nvwssr.dll
2006-06-01 17:22 1,662,976 C:\WINDOWS\system32\nvwdmcpl.dll
2006-06-01 17:22 1,519,616 C:\WINDOWS\system32\nwiz.exe
2006-06-01 17:22 1,466,368 C:\WINDOWS\system32\nview.dll
2006-06-01 17:22 1,339,392 C:\WINDOWS\system32\nvdspsch.exe
2006-06-01 17:22 1,257,472 C:\WINDOWS\system32\nvwss.dll
2006-06-01 17:22 1,019,904 C:\WINDOWS\system32\nvwimg.dll
2006-06-01 17:22 1,011,712 C:\WINDOWS\system32\nvcpluir.dll
2006-06-01 16:09 1,013,760 C:\WINDOWS\system32\voyage_of_columbus_3d_screensaver.scr
2006-05-11 07:18 10,527,232 C:\WINDOWS\system32\rtlcpl.exe
2006-05-03 02:56 127,078 C:\WINDOWS\system32\javaws.exe
2006-05-03 01:19 53,346 C:\WINDOWS\system32\javaw.exe
2006-05-03 01:19 49,248 C:\WINDOWS\system32\java.exe
2006-04-30 09:45 36,864 C:\WINDOWS\system32\frapsvid.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-23 14:34 683 C:\Combo.bat
2006-07-20 23:21 221,184 C:\WINDOWS\system32\wmpns.dll
2006-07-20 23:10 8,704 C:\WINDOWS\system32\ssiefr.EXE
2006-07-20 23:10 684,032 C:\WINDOWS\libeay32.dll
2006-07-20 23:10 252,928 C:\WINDOWS\WRUninstall.dll
2006-07-20 23:10 208,896 C:\WINDOWS\system32\WRLogonNtf.dll
2006-07-20 23:10 20,992 C:\WINDOWS\system32\wrlzma.dll
2006-07-20 23:10 155,648 C:\WINDOWS\ssleay32.dll
2006-07-20 17:27 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-07-20 17:27 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-07-20 16:17 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-07-20 16:14 142 C:\WINDOWS\aqnvw.dll
2006-07-19 22:04 170 C:\WINDOWS\wininit.ini
2006-07-17 17:28 287 C:\WINDOWS\game.ini
2006-07-07 16:49 36 C:\WINDOWS\iprel.bat
2006-07-07 16:49 34 C:\WINDOWS\ipren.bat
2006-07-07 16:49 29 C:\WINDOWS\ip.bat
2006-07-06 19:23 35,587 C:\WINDOWS\system32\rmlan.exe
2006-07-06 19:23 28,672 C:\WINDOWS\system32\UnLAN.exe
2006-07-06 16:14 60,416 C:\WINDOWS\ALCFDRTM.EXE
2006-07-06 16:10 577,536 C:\WINDOWS\soundman.exe
2006-07-06 16:10 40,960 C:\WINDOWS\system32\ChCfg.exe
2006-07-06 16:10 135,168 C:\WINDOWS\system32\RtlCPAPI.dll
2006-07-06 16:10 10,527,232 C:\WINDOWS\system32\RTLCPL.exe
2006-07-06 16:09 315,392 C:\WINDOWS\alcupd.exe
2006-07-06 16:09 217,088 C:\WINDOWS\alcrmv.exe
2006-07-04 12:36 179,712 C:\WINDOWS\UOUninst.exe
2006-07-02 21:19 299,520 C:\WINDOWS\uninst.exe
2006-07-02 14:45 98,304 C:\WINDOWS\system32\CmdLineExt.dll
2006-07-02 14:45 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-02 14:45 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-02 14:45 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-02 14:45 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-02 14:45 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-02 14:45 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-02 14:45 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-02 14:45 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-02 14:45 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-02 14:45 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-02 13:33 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-02 13:33 49,248 C:\WINDOWS\system32\java.exe
2006-07-02 13:33 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-01 14:09 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-07-01 14:09 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-07-01 01:26 23 C:\WINDOWS\BlendSettings.ini
2006-07-01 01:24 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-06-30 16:16 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-06-30 16:14 34,308 C:\WINDOWS\system32\BASSMOD.dll
2006-06-27 18:17 86,016 C:\WINDOWS\unvise32.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SCDEmuApp.exe"="\"C:\\Program Files\\PowerISO\\SCDEmuApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe\""
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Bandwidth Monitor Pro"="\"C:\\Program Files\\Bandwidth Monitor Pro\\Bandwidth Monitor Pro.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService


Contents of the 'Scheduled Tasks' folder

Completion time: Sun 07/23/2006 14:35:37.39
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:15 AM

Posted 23 July 2006 - 01:52 PM

Let's see what we can find out about them.

Download FindLop. Unzip the file. It will create a folder. From the extracted files, locate findlop.bat and double-click on it. It will generate a log file - C:\findlop.txt

Find that file and copy the content into your next post along with a new HijackThis log.


========================================================

#14 Fhjull

Fhjull
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:15 AM

Posted 23 July 2006 - 02:27 PM

That's all the log shows; they appear to be gone.

[TRACE] Enumerating jobs and queues


HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 3:27:16 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Franco\Mes documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] "C:\Program Files\PowerISO\SCDEmuApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Franco\Local Settings\Temp\{A717E9CD-5EFB-4ECB-9F58-0BB93CD089DA}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Edited by Fhjull, 23 July 2006 - 02:28 PM.
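The log above is the raw material a helper triages by hand. As an added illustration that is not part of this thread and is not HijackThis code, the following Python reads lines in this log format and applies a few of the checks a reviewer makes when scanning O4 and similar entries: a target marked "(file missing)", an autostart that loads from a Temp directory, a Run value with a bare file name rather than a full path, and a Startup-folder item with no resolved target. The sample lines are copied from the log posted above; the flag names, the heuristics and the rundll32 handling are this example's own assumptions, not anything the thread states.

```python
"""Triage pass over HijackThis 1.x log lines.

Added example for this thread; it is not HijackThis code and not from any post
above. The flag names and the heuristics behind them are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the log posted above (only the types handled here).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Franco\Local Settings\Temp\{A717E9CD-5EFB-4ECB-9F58-0BB93CD089DA}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Startup: PowerReg Scheduler.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


@dataclass
class Entry:
    section: str            # "O2", "O4", "O18", ...
    name: str               # value name, BHO/protocol/service name, or startup item
    path: Optional[str]     # file the entry loads, when one can be extracted
    raw: str
    flags: List[str] = field(default_factory=list)


RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.*?)(?: = (?P<path>.*))?$")
GENERIC_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def first_token(cmd: str) -> str:
    """Program part of a command line: the quoted string, else the first whitespace token.
    (An unquoted path containing spaces is ambiguous here, exactly as it is to Windows.)"""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def program_of(cmd: str) -> str:
    """Like first_token, but for rundll32 return the hosted DLL: rundll32 is a stock
    system binary, and the DLL named after it is what actually executes."""
    cmd = cmd.strip()
    prog = first_token(cmd)
    if prog.lower().endswith("rundll32.exe"):
        skip = len(prog) + (2 if cmd.startswith('"') else 0)
        return first_token(cmd[skip:]).split(",", 1)[0]  # "X.dll,EntryPoint" -> "X.dll"
    return prog


def parse_line(line: str) -> Optional[Entry]:
    m = RUN_RE.match(line)
    if m:
        return Entry("O4", m["name"], program_of(m["cmd"]), line)
    m = STARTUP_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["path"], line)
    m = GENERIC_RE.match(line)
    if not m:
        return None
    body = m["body"]
    # O2/O9/O18/O20/O23: the loaded file is the last " - " separated field.
    tail = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip().strip('"')
    return Entry(m["section"], body.split(" - ", 1)[0], tail or None, line)


def triage(entry: Entry) -> Entry:
    p = entry.path or ""
    if "(file missing)" in entry.raw:
        entry.flags.append("file_missing")            # orphan: target removed, or it never existed
    if TEMP_RE.search(p):
        entry.flags.append("loads_from_temp")         # an autostart from a Temp directory is rarely legitimate
    if entry.section == "O4" and p and "\\" not in p:
        entry.flags.append("bare_filename")           # no directory: resolved by search order, confirm which file loads
    if entry.section == "O4" and entry.path is None:
        entry.flags.append("startup_item_no_target")  # Startup-folder file with no .lnk target: locate it, check publisher
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in (parse_line(l.strip()) for l in text.splitlines()) if e]


def flagged(text: str) -> List[Entry]:
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:4} {', '.join(e.flags):24} {e.name} -> {e.path}")
```

Run against the sample, this flags the Temp-directory startup item, the Startup-folder entry with no target, the orphaned msnim protocol handler, and the two Run values given as bare file names; it says nothing about whether any of them is malicious, which still needs a look at the file itself. The rundll32 case matters because the host binary is always clean and the DLL argument is what a reviewer has to judge.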


#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 July 2006 - 02:49 PM

Your log looks pretty good right now.
How are things on your end? Any popups or other problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

