Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Clicked On Something, And Now I'm Infected


  • Please log in to reply
9 replies to this topic

#1 JustinBarnett

JustinBarnett

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:37 PM

Posted 07 November 2006 - 06:31 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:25:34 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\JB\Application Data\??crosoft\t?skmgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {B10E7AE8-BB76-9389-2A92-BD9E8C3A549C} - C:\WINDOWS\system32\fqtybex.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnah.dll,startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Okncemr] C:\Documents and Settings\JB\Application Data\??crosoft\t?skmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155185986296
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:07:37 PM

Posted 07 November 2006 - 10:33 PM

Please download SilentRunners:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the Desktop and double-click on SilentRunners.vbs

SilentRunners searches a few Registry keys that HijackThis does not.

If an alert about scripting appears from your anti-virus, choose to allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.

Provide the content of the SilentRunners log in your reply.

Old duck...


#3 JustinBarnett

JustinBarnett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:37 PM

Posted 08 November 2006 - 03:23 PM

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{74D88121-09B9-1033-0804-040615040001}" = ""C:\Program Files\Common Files\{74D88121-09B9-1033-0804-040615040001}\Update.exe" mc-110-12-0000272" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = "(empty string)" [file not found]
"Aim6" = "*b" (unwritable string) [file not found]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [null data]
"WebCamRT.exe" = "(empty string)" [file not found]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Okncemr" = "C:\Documents and Settings\JB\Application Data\**crosoft\t*skmgr.exe" (unwritable string) [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"pccguide.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"" ["Trend Micro Inc."]
"PCCClient.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"" ["Trend Micro Inc."]
"Pop3trap.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"" ["Trend Micro Inc."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"(Default)" = "(empty string)" [file not found]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"HostManager" = "C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe" ["America Online, Inc."]
"IPHSend" = "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" ["America Online, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Program Files\Logitech\ImageStudio\ISStart.exe" ["Logitech Inc."]
"LogitechImageStudioTray" = "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" ["Logitech Inc."]
"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]
"CTDrive" = "rundll32.exe C:\WINDOWS\system32\drvnah.dll,startup" [MS]
"IpWins" = "C:\Program Files\ipwins\ipwins.exe" [file not found]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{25CD2B90-9BA7-4875-B6F7-781C39432879}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\pmkjj.dll" [null data]
{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{B10E7AE8-BB76-9389-2A92-BD9E8C3A549C}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fqtybex.dll" [null data]
{F18F04B0-9CF1-4b93-B004-77A288BEE28B}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\rpykviub.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {HKLM...CLSID} = "TMD Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll" ["Trend Micro Inc."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {HKLM...CLSID} = "VBPropSheet"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2002\VBProp.dll" ["Trend Micro Inc."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {HKLM...CLSID} = "Logitech Gallery"
\InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> pmkjj\DLLName = "C:\WINDOWS\system32\pmkjj.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\JB\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "JB" & "All Users" startup folders:
----------------------------------------------------

C:\Documents and Settings\JB\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{74DD705D-6834-439C-A735-A6DBE2677452}"
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{74DD705D-6834-439C-A735-A6DBE2677452}" = (no title provided)
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{B10E7AE8-BB76-9389-2A92-BD9E8C3A549C}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fqtybex.dll" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PC-cillin PersonalFirewall, PCCPFW, "C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe" ["Trend Micro Inc."]
Trend NT Realtime Service, Tmntsrv, ""C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe"" ["Trend Micro Inc."]
Windows Media Player Network Sharing Service, WMPNetworkSvc, "C:\Program Files\Windows Media Player\WMPNetwk.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 95 seconds.
---------- (total run time: 139 seconds)

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:07:37 PM

Posted 08 November 2006 - 11:19 PM

There are signs of the Vundo malware on the SilentRunners log!

Please download the following to the Desktop:
VundoFix.exe
* Double-click VundoFix.exe to run it
* Click: Scan for Vundo
* Once done scanning, click: Remove Vundo
* A prompt asking if you want to remove the files appears, click: Yes
* The Desktop goes blank as it starts removing Vundo.
* When completed, a prompt to shutdown the computer appears, click OK
* Turn the computer back on.

A log is created and found in C:\vundofix.txt

Please post the C:\vundofix.txt, and a new HijackThis log.

We'll have more work to do.

Old duck...


#5 JustinBarnett

JustinBarnett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:37 PM

Posted 09 November 2006 - 03:02 AM

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 1:47:50 AM 11/9/2006

Listing files found while scanning....

C:\WINDOWS\system32\winmyy32.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winmyy32.dll
C:\WINDOWS\system32\winmyy32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkmp.bak2
C:\WINDOWS\system32\jjkmp.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.dll Has been deleted!

Performing Repairs to the registry.
Done!


--------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:57:40 AM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\JB\Application Data\??crosoft\t?skmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {B10E7AE8-BB76-9389-2A92-BD9E8C3A549C} - C:\WINDOWS\system32\fqtybex.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B10E7AE8-BB76-9389-2A92-BD9E8C3A549C} - C:\WINDOWS\system32\fqtybex.dll
O2 - BHO: (no name) - {B68405DD-BC36-4EB2-B5A0-AD0711F0E953} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rpykviub.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnah.dll,startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Okncemr] C:\Documents and Settings\JB\Application Data\??crosoft\t?skmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155185986296
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:07:37 PM

Posted 09 November 2006 - 10:11 PM

Please go to: Start > Run, type: control
Press OK
Double-click on: Add/Remove Programs

On the list of Currently Installed Programs, look for and, if found, uninstall the following by selecting the entry and clicking on Remove:
VSAdd-in

Next, search for and delete the following folder (bold):
C:\Program Files\VSAdd-in

Restart the computer.

~~~~
Next, download AVG Anti-Spyare:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Run, type in: notepad):

C:\WINDOWS\system32\fqtybex.dll
C:\WINDOWS\system32\fqtybex.dll
C:\WINDOWS\system32\rpykviub.dll
C:\WINDOWS\system32\drvnah.dll


Next, download Killbox:
http://www.downloads.subratam.org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Double-click on the red circle with white X to run it.

At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl+A) and Copy (Ctrl + C).

In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, please restart it manually.

~~~~
Next, run HijackThis, Scan
Check box for:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {B10E7AE8-BB76-9389-2A92-BD9E8C3A549C} - C:\WINDOWS\system32\fqtybex.dll

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {B10E7AE8-BB76-9389-2A92-BD9E8C3A549C} - C:\WINDOWS\system32\fqtybex.dll
O2 - BHO: (no name) - {B68405DD-BC36-4EB2-B5A0-AD0711F0E953} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rpykviub.dll

O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnah.dll,startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Okncemr] C:\Documents and Settings\JB\Application Data\??crosoft\t?skmgr.exe

Select: Fix checked

~~~~
Reboot to Safe Mode :
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies
(You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

~~~
Still in Safe Mode, launch AVG Anti-Spyware once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Next, download ComboFix to the Desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

A log, combofix.txt is produced.

~~~~
Please provide the following:
The AVG AS report
The ComboFix.txt
A new HijackThis log

Old duck...


#7 JustinBarnett

JustinBarnett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:37 PM

Posted 10 November 2006 - 09:05 PM

I did the AVG Scan before the Internet Options clear out and Disk Cleanup by accident, but nothing came up when I ran it afterward again.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:34:25 PM 11/10/2006

+ Scan result:



C:\RECYCLER\S-1-5-21-1645522239-725345543-2120971413-1003\Dc3\VSAdd-in.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\!KillBox\fqtybex.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E09E8E90-CA11-4CA6-AA67-59D82E48449A}\RP162\A0058453.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E09E8E90-CA11-4CA6-AA67-59D82E48449A}\RP162\A0058466.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\JB\Local Settings\Temporary Internet Files\Content.IE5\X2ZOKRCC\!update-4295[1].0000 -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\Program Files\Common Files\kzzi\kzzid\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E09E8E90-CA11-4CA6-AA67-59D82E48449A}\RP159\A0055285.exe -> Downloader.Zlob.avb : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\JB\Cookies\jb@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@msnaccountservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@msninvite.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.90:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.164:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.172:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.174:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.223:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.382:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.383:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.360:C:\Documents and Settings\JB\Application Data\Mozilla\Firefox\Profiles\oakcrg3g.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\JB\Cookies\jb@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\JB\Local Settings\Temp\mst19.tmp -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E09E8E90-CA11-4CA6-AA67-59D82E48449A}\RP161\A0057389.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\VundoFix Backups\winmyy32.dll.bad -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E09E8E90-CA11-4CA6-AA67-59D82E48449A}\RP162\A0058451.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).


::Report end



JB - 06-11-10 19:55:14.51 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{34D88121-09B9-1033-0804-040615040001}
C:\Program Files\Common Files\{74D88121-09B9-1033-0804-040615040001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\JB\Application Data\CROSOF~1
C:\QooBox\Purity\Program Files\SSTEM3~1
C:\QooBox\Purity\Program Files\SSTEM3~1\s?stem32


((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))


2006-11-10 18:25 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-07 15:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-07 13:45 110,612 --a------ C:\WINDOWS\system32\alsyrlng.exe
2006-11-07 13:40 2 --a------ C:\WINDOWS\system32\wcpit.exe
2006-11-07 13:39 40,973 ---hs---- C:\WINDOWS\system32\xxyawvt.dll
2006-11-03 00:05 90,112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2006-11-03 00:05 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2006-11-03 00:05 780,288 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2006-11-03 00:05 778,240 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2006-11-03 00:05 764,416 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2006-11-03 00:05 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2006-11-03 00:05 495,104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2006-11-03 00:05 382,464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2006-11-03 00:05 312,320 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2006-11-03 00:05 249,856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2006-11-03 00:05 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2006-11-03 00:05 215,552 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2006-11-03 00:05 2,846,720 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll
2006-11-03 00:05 188,416 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2006-11-03 00:05 147,456 --a------ C:\WINDOWS\system32\viscomqtenc.dll
2006-11-03 00:05 139,264 --a------ C:\WINDOWS\system32\viscomqtde.dll
2006-11-03 00:05 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2006-11-02 18:55 52,338 --a------ C:\WINDOWS\system32\RadLightOggUninstall.exe
2006-11-01 21:47 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2006-10-23 11:51 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-10-23 11:51 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-23 11:51 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-10-23 11:51 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-10-23 11:51 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-10-23 11:51 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-10-23 11:51 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-10-23 11:51 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-10-23 11:48 73,728 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2006-10-23 11:48 69,632 --a------ C:\WINDOWS\system32\lvcoinst.dll
2006-10-23 11:48 57,344 --a------ C:\WINDOWS\system32\LVComC.dll
2006-10-23 11:48 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-10-23 11:48 294,912 --a------ C:\WINDOWS\system32\liplW7.dll
2006-10-23 11:48 290,816 --a------ C:\WINDOWS\system32\liplA6.dll
2006-10-23 11:48 278,528 --a------ C:\WINDOWS\system32\liplPX.dll
2006-10-23 11:48 278,528 --a------ C:\WINDOWS\system32\liplP6.dll
2006-10-23 11:48 278,528 --a------ C:\WINDOWS\system32\liplM6.dll
2006-10-23 11:48 220,079 --a------ C:\WINDOWS\system32\drivers\LV551AV.sys
2006-10-23 11:48 20,480 --a------ C:\WINDOWS\system32\lipl.dll
2006-10-23 11:48 167,936 --a------ C:\WINDOWS\system32\lvcodec2.dll
2006-10-23 11:48 131,072 --a------ C:\WINDOWS\system32\SP5X_32.DLL
2006-10-23 11:48 12,112 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2006-10-23 11:48 110,592 --a------ C:\WINDOWS\system32\LVUI2.dll
2006-10-23 11:48 102,400 --a------ C:\WINDOWS\system32\LVComS.exe
2006-10-23 11:48 10,254 --a------ C:\WINDOWS\system32\drivers\LVBULK.sys
2006-10-19 23:15 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2006-10-19 23:15 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-19 23:15 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2006-10-19 23:15 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2006-10-19 23:15 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2006-10-17 12:33 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 12:05 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 11:58 61,952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 266,752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:27 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-10 19:55 -------- d-------- C:\Program Files\Common Files
2006-11-10 19:54 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-10 19:54 -------- d-------- C:\Program Files\HijackThis
2006-11-10 18:25 -------- d-------- C:\Program Files\Grisoft
2006-11-10 10:30 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-11-07 15:43 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 15:41 -------- d-------- C:\Documents and Settings\JB\Application Data\Sun
2006-11-07 15:40 -------- d-------- C:\Program Files\Java
2006-11-07 15:34 -------- d-------- C:\Documents and Settings\JB\Application Data\SearchToolbarCorp
2006-11-07 14:46 -------- d-------- C:\Program Files\Common Files\kzzi
2006-11-07 01:32 -------- d-------- C:\Documents and Settings\JB\Application Data\foobar2000
2006-11-07 00:53 -------- d-------- C:\Program Files\Common Files\Java
2006-11-06 23:10 -------- d-------- C:\Program Files\mIRC
2006-11-06 15:22 -------- d-------- C:\Program Files\Mozilla Sunbird
2006-11-05 20:03 -------- d-------- C:\Program Files\Steam
2006-11-03 17:59 -------- d-------- C:\Program Files\DC++
2006-11-03 02:27 -------- d-------- C:\Program Files\AIM
2006-11-03 01:56 -------- d-------- C:\Documents and Settings\JB\Application Data\dvdcss
2006-11-03 00:55 -------- d-------- C:\Program Files\Common Files\Real
2006-11-03 00:55 -------- d-------- C:\Documents and Settings\JB\Application Data\Real
2006-11-03 00:19 -------- d-------- C:\Program Files\Real
2006-11-03 00:14 -------- d-------- C:\Documents and Settings\JB\Application Data\DivX
2006-11-03 00:05 -------- d-------- C:\Program Files\Apex
2006-11-02 21:36 -------- d-------- C:\Program Files\AOD
2006-11-02 21:36 -------- d-------- C:\Documents and Settings\JB\Application Data\Aim
2006-11-02 16:04 -------- d-------- C:\Program Files\foobar2000
2006-11-02 02:23 -------- d-------- C:\Program Files\Album Art Aggregator
2006-11-02 00:04 -------- d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2006-10-25 21:26 -------- d-------- C:\Documents and Settings\JB\Application Data\BitTorrent
2006-10-25 21:24 -------- d-------- C:\Program Files\BitTorrent
2006-10-25 11:28 -------- d-------- C:\Documents and Settings\JB\Application Data\Apple Computer
2006-10-23 13:43 -------- d-------- C:\Program Files\Apple Software Update
2006-10-23 11:49 -------- d-------- C:\Program Files\Common Files\Logitech
2006-10-23 11:48 -------- d-------- C:\Program Files\Windows Media Components
2006-10-23 11:47 -------- d-------- C:\Program Files\Logitech
2006-10-23 11:41 -------- d-------- C:\Program Files\iTunes
2006-10-19 16:28 -------- d-------- C:\Program Files\QuickTime
2006-10-19 16:28 -------- d-------- C:\Program Files\iPod
2006-10-19 14:21 -------- d-------- C:\Documents and Settings\JB\Application Data\Media Player Classic
2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-16 11:58 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-16 11:58 -------- d-------- C:\Program Files\Ubisoft
2006-10-16 10:17 -------- d-------- C:\Program Files\DivX
2006-10-11 11:18 -------- d-------- C:\Program Files\Windows Media Player
2006-10-11 11:18 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-10-11 10:24 58880 --a------ C:\WINDOWS\system32\pnrpnsp.dll
2006-10-11 10:24 553984 --a------ C:\WINDOWS\system32\p2psvc.dll
2006-10-11 10:24 313344 --a------ C:\WINDOWS\system32\p2pgraph.dll
2006-10-11 10:24 153088 --a------ C:\WINDOWS\system32\p2p.dll
2006-10-11 10:24 116224 --a------ C:\WINDOWS\system32\p2pnetsh.dll
2006-10-11 10:24 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll
2006-10-05 11:18 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-05 11:18 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-05 11:18 -------- d-------- C:\Program Files\AOL
2006-10-02 13:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 13:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 13:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 13:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-27 23:03 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-09-27 23:03 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-09-27 23:03 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-09-17 23:05 -------- d-------- C:\Program Files\Jed's Half-Life Model Viewer 1.1
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 16:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-01 12:08 1334032 --a------ C:\WINDOWS\system32\msxml6.dll
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 21:42 8704 --------- C:\WINDOWS\system32\wdfmgr.exe
2006-08-24 21:42 8704 --------- C:\WINDOWS\system32\uwdf.exe
2006-08-24 21:30 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-08-24 21:30 990208 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-08-24 21:30 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-08-24 21:30 8337920 --a------ C:\WINDOWS\system32\wmploc.dll
2006-08-24 21:30 790016 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-08-24 21:30 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-08-24 21:30 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-08-24 21:30 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-08-24 21:30 63488 --------- C:\WINDOWS\system32\wpdmtpus.dll
2006-08-24 21:30 629760 --------- C:\WINDOWS\system32\wpd_ci.dll
2006-08-24 21:30 611840 --------- C:\WINDOWS\system32\wmpmde.dll
2006-08-24 21:30 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-08-24 21:30 537600 --a------ C:\WINDOWS\system32\blackbox.dll
2006-08-24 21:30 532992 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-08-24 21:30 428032 --------- C:\WINDOWS\system32\wmdrmdev.dll
2006-08-24 21:30 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-08-24 21:30 4096 --------- C:\WINDOWS\system32\WMVADVE.DLL
2006-08-24 21:30 4096 --------- C:\WINDOWS\system32\WMVADVD.dll
2006-08-24 21:30 4096 --------- C:\WINDOWS\system32\wdfapi.dll
2006-08-24 21:30 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-08-24 21:30 35840 --------- C:\WINDOWS\system32\wpdconns.dll
2006-08-24 21:30 349184 --------- C:\WINDOWS\system32\wpdsp.dll
2006-08-24 21:30 347648 --------- C:\WINDOWS\system32\wmdrmnet.dll
2006-08-24 21:30 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-08-24 21:30 320512 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-08-24 21:30 316928 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-08-24 21:30 314368 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-08-24 21:30 305152 --------- C:\WINDOWS\system32\MSDelta.dll
2006-08-24 21:30 295424 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-08-24 21:30 284160 --a------ C:\WINDOWS\system32\portabledeviceapi.dll
2006-08-24 21:30 276480 --a------ C:\WINDOWS\system32\audiodev.dll
2006-08-24 21:30 27648 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-08-24 21:30 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-08-24 21:30 2589184 --------- C:\WINDOWS\system32\WpdShext.dll
2006-08-24 21:30 258560 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-08-24 21:30 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-08-24 21:30 242176 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-08-24 21:30 228352 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-08-24 21:30 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-08-24 21:30 222208 --a------ C:\WINDOWS\system32\WMASF.dll
2006-08-24 21:30 211968 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-08-24 21:30 210432 --a------ C:\WINDOWS\system32\qasf.dll
2006-08-24 21:30 204800 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-08-24 21:30 198144 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-08-24 21:30 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-08-24 21:30 175104 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-08-24 21:30 166912 --a------ C:\WINDOWS\system32\portabledevicetypes.dll
2006-08-24 21:30 1660416 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-08-24 21:30 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-08-24 21:30 154624 --------- C:\WINDOWS\system32\wpdmtp.dll
2006-08-24 21:30 1539584 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-08-24 21:30 1532416 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-08-24 21:30 1392128 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-08-24 21:30 133120 --a------ C:\WINDOWS\system32\wpdshserviceobj.dll
2006-08-24 21:30 1327616 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-08-24 21:30 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-08-24 21:30 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-08-24 21:30 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-08-24 21:30 1118208 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-08-24 21:30 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-08-24 19:31 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-08-24 19:27 249344 --------- C:\WINDOWS\system32\drmupgds.exe
2006-08-24 19:26 95288 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-08-24 19:26 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-08-24 18:19 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-08-24 18:19 145920 --------- C:\WINDOWS\system32\WudfHost.exe
2006-08-24 18:18 56320 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-08-24 18:18 168448 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 16:55 208896 --a--c--- C:\WINDOWS\system32\nvusmb.exe
2006-08-16 16:55 208896 --a--c--- C:\WINDOWS\system32\NVUNINST.EXE
2006-08-16 16:55 208896 --a--c--- C:\WINDOWS\system32\nvumctl.exe
2006-08-16 16:55 208896 --a--c--- C:\WINDOWS\system32\nvuide.exe
2006-08-16 16:55 208896 --a--c--- C:\WINDOWS\system32\nvugart.exe
2006-08-16 16:55 208896 --a--c--- C:\WINDOWS\system32\nvuenet.exe
2006-08-16 16:55 208896 --a--c--- C:\WINDOWS\system32\nvudisp.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-11 20:45 888832 --a--c--- C:\WINDOWS\system32\nvmobls.dll
2006-08-11 20:45 581632 --a--c--- C:\WINDOWS\system32\nvhwvid.dll
2006-08-11 20:45 5611520 --a--c--- C:\WINDOWS\system32\nvdisps.dll
2006-08-11 20:45 5251072 --a--c--- C:\WINDOWS\system32\nvdispsr.dll
2006-08-11 20:45 458752 --a--c--- C:\WINDOWS\system32\nvmccssr.dll
2006-08-11 20:45 45056 --a--c--- C:\WINDOWS\system32\nvmccsrs.dll
2006-08-11 20:45 3039232 --a--c--- C:\WINDOWS\system32\nvgames.dll
2006-08-11 20:45 2953216 --a--c--- C:\WINDOWS\system32\nvvitvsr.dll
2006-08-11 20:45 2928640 --a--c--- C:\WINDOWS\system32\nvgamesr.dll
2006-08-11 20:45 2904064 --a--c--- C:\WINDOWS\system32\nvvitvs.dll
2006-08-11 20:45 2859008 --a--c--- C:\WINDOWS\system32\nvmoblsr.dll
2006-08-11 20:45 229376 --a--c--- C:\WINDOWS\system32\nvmccs.dll
2006-08-11 20:45 188416 --a--c--- C:\WINDOWS\system32\nvmccss.dll
2006-08-11 20:45 1732608 --a--c--- C:\WINDOWS\system32\nvwssr.dll
2006-08-11 20:45 1236992 --a--c--- C:\WINDOWS\system32\nvwss.dll
2006-08-11 20:44 147456 --a--c--- C:\WINDOWS\system32\nvcolor.exe
2006-08-11 20:43 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-08-11 20:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-08-11 20:43 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-08-11 20:43 7630848 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-08-11 20:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-08-11 20:43 442368 --a--c--- C:\WINDOWS\system32\nvappbar.exe
2006-08-11 20:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-08-11 20:43 311296 --a--c--- C:\WINDOWS\system32\nvexpbar.dll
2006-08-11 20:43 286720 --a--c--- C:\WINDOWS\system32\nvnt4cpl.dll
2006-08-11 20:43 196608 --a------ C:\WINDOWS\system32\nvapi.dll
2006-08-11 20:43 1662976 --a--c--- C:\WINDOWS\system32\nvwdmcpl.dll
2006-08-11 20:43 1519616 --a------ C:\WINDOWS\system32\nwiz.exe
2006-08-11 20:43 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-08-11 20:43 1339392 --a--c--- C:\WINDOWS\system32\nvdspsch.exe
2006-08-11 20:43 1019904 --a--c--- C:\WINDOWS\system32\nvwimg.dll
2006-08-11 20:43 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-08-11 20:42 5636096 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-08-11 20:42 4496128 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-08-11 20:42 35840 --a--c--- C:\WINDOWS\system32\nvcodins.dll
2006-08-11 20:42 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-08-11 20:42 155715 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-08-11 01:34 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
2006-08-10 17:03 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-10 17:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-10 00:10 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-08-07 09:08 871 --a--c--- C:\Documents and Settings\JB\Application Data\AdobeDLM.log
2006-08-07 09:08 0 --a--c--- C:\Documents and Settings\JB\Application Data\dm.ini
2006-08-06 10:10 62 --ahs---- C:\Documents and Settings\JB\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"Aim6"=""
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"WebCamRT.exe"=""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\""
"PCCClient.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\""
"Pop3trap.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1160068701\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"LogitechImageStudioTray"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvnah.dll,startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e8,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-11-10 19:56:38.29
C:\ComboFix.txt ... 06-11-10 19:56



Logfile of HijackThis v1.99.1
Scan saved at 7:59:00 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnah.dll,startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155185986296
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:07:37 PM

Posted 10 November 2006 - 10:52 PM

You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops asking "Are you sure you want to remove the selected files...??"
-Select: Yes

~~~~
Next, letís do the KillBox routine once again:

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Run, type in: notepad):

C:\WINDOWS\system32\alsyrlng.exe
C:\WINDOWS\system32\wcpit.exe
C:\WINDOWS\system32\xxyawvt.dll
C:\WINDOWS\system32\drvnah.dll


Run KillBox
At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl+A) and Copy (Ctrl + C).

In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, please restart it manually.

~~~~
Next, run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvnah.dll,startup

O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab

Select: Fix checked


Run HijackThis once again, and post a new log.

Old duck...


#9 JustinBarnett

JustinBarnett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:37 PM

Posted 11 November 2006 - 02:48 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:44:54 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160068701\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155185986296
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:07:37 PM

Posted 11 November 2006 - 11:10 PM

A ViewPoint program entry is showing on the HijackThis log. ViewPoint has some useful features, but it is installed without users approval, and there are questions as to whether it hijacks search queries or transmits non personally identifiable information back to its servers.

Its removal is recommended, but it is your decision.

If you opt to do so, do the following:
Go to Start > Settings > Control Panel > Add or Remove Programs
Check the list of Currently Installed Programs for any of the following:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


Next, search for and delete the following folder (bold):
C:\Program Files\Viewpoint

Restart the computer.

Run HijackThis, Scan
Check box for:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Select: Fix Checked


Are you still having malware problems?

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users