Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Infection


  • This topic is locked This topic is locked
25 replies to this topic

#1 Solourus

Solourus

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 29 November 2006 - 01:32 AM

Ok it appears my computer has a malware infection, i have already run both Ad-aware and SB Search and destroy in safe mode along with SmitfraudFix. However this hasent seemed to fix the problem. In other words please help me :thumbsup: HJT and Smit fruad logs included (scaned just as im writing this post)

Thanks


-------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:56:51 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{320D180E-07CA-1033-0727-05071105003d}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\DOCUME~1\Sol\MYDOCU~1\FNTS~1\rundll32.exe
C:\Program Files\Common Files\F?nts\??chost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sxserv101.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sol\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A7CB04BB-9009-94FD-780D-BD891D5C63BB} - C:\WINDOWS\system32\ucpqq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzam.dll,startup
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Bwer] "C:\DOCUME~1\Sol\MYDOCU~1\FNTS~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Pnuxahp] C:\Program Files\Common Files\F?nts\??chost.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe

-----------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.124

Scan done at 16:57:39.93, Wed 29/11/2006
Run from C:\Documents and Settings\Sol\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\drvzam.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Sol


C:\Documents and Settings\Sol\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\SOL\FAVORI~1

C:\DOCUME~1\SOL\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files

C:\Program Files\Virus-Bursters\ FOUND !

Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"

[HKEY_CLASSES_ROOT\CLSID\{1a01a98c-4f25-42e1-971a-185cf63569b2}\InProcServer32]
@="C:\WINDOWS\system32\tpedvf.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1a01a98c-4f25-42e1-971a-185cf63569b2}\InProcServer32]
@="C:\WINDOWS\system32\tpedvf.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}"="z"

[HKEY_CLASSES_ROOT\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}\InProcServer32]
@="C:\WINDOWS\system32\fontextd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}\InProcServer32]
@="C:\WINDOWS\system32\fontextd.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 02:16 AM

Download and run Silent Runners.vbs from HERE

It generates a log, please post the information back in this thread
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 Solourus

Solourus
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 29 November 2006 - 02:45 AM

Here is the Log


---------------------------------------------------------------------------------------------------------------------------------


"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{320D180E-07CA-1033-0727-05071105003d}" = ""C:\Program Files\Common Files\{320D180E-07CA-1033-0727-05071105003d}\Update.exe" mc-110-12-0000272" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Bwer" = ""C:\DOCUME~1\Sol\MYDOCU~1\FNTS~1\rundll32.exe" -vt yazb" [null data]
"Pnuxahp" = "C:\Program Files\Common Files\F*nts\**chost.exe" (unwritable string) [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"issearch.exe" = "issearch.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"LaunchApp" = "Alaunch" ["Acer Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"PCMService" = ""C:\Program Files\Arcade\PCMService.exe"" ["CyberLink Corp."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"EPM-DM" = "c:\acer\epm\epm-dm.exe" ["Acer Inc"]
"ePowerManagement" = "C:\Acer\ePM\ePM.exe boot" ["Acer Value Labs, Taiwan"]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"LManager" = "C:\Program Files\Launch Manager\QtZgAcer.EXE" ["Dritek System Inc."]
"eRecoveryService" = "C:\Program Files\Acer\eRecovery\Monitor.exe" ["acer Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"(Default)" = "(empty string)" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"CTDrive" = "rundll32.exe C:\WINDOWS\system32\drvzam.dll,startup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SpybotSnD" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{11F0EE13-5947-2942-F631-09BEB2706006}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\wirvufc.dll" [null data]
{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\gndwfcwj.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5EA3021D-8F86-4199-A2E4-B47FE00D5EBD}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\pmkhh.dll" [null data]
{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ixt0.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{9B0C7A02-A17A-4C81-BD7D-30A622701C36}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\qomliih.dll" [null data]
{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fontextd.dll" [null data]
{A7CB04BB-9009-94FD-780D-BD891D5C63BB}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ucpqq.dll" [file not found]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
-> {HKLM...CLSID} = "EPM-PO Shell Extensions"
\InProcServer32\(Default) = "epm-po.dll" ["Acer Labs USA"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0792.00.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" [null data]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" [null data]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a-squared Context Menu Shell Extension"
-> {HKLM...CLSID} = "a-squared context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" ["Emsi Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{1a01a98c-4f25-42e1-971a-185cf63569b2}" = "expatriates"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\tpedvf.dll" [null data]
<<!>> "{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}" = "z"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fontextd.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{9B0C7A02-A17A-4C81-BD7D-30A622701C36}" = "*i" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\qomliih.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"expatriates" = "{1a01a98c-4f25-42e1-971a-185cf63569b2}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\tpedvf.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"pfdnnt C:\WINDOWS\system32\pfdnnt_actions.sys" ["Panda Software International"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> pmkhh\DLLName = "C:\WINDOWS\system32\pmkhh.dll" [null data]
<<!>> qomliih\DLLName = "qomliih.dll" [null data]
<<!>> wineil32\DLLName = "wineil32.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a-squared context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" ["Emsi Software GmbH"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a-squared context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" ["Emsi Software GmbH"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Tools menu: Disable Internet Options... menu option}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Acer.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Acer.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\ACER.SCR" [null data]


Startup items in "Sol" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Bluetooth" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Sol" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 28
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{74DD705D-6834-439C-A735-A6DBE2677452}"
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{74DD705D-6834-439C-A735-A6DBE2677452}" = (no title provided)
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]
"{052B12F7-86FA-4921-8482-26C42316B522}" = (no title provided)
-> {HKLM...CLSID} = "Safety Bar"
\InProcServer32\(Default) = "C:\Program Files\Safety Bar\SafetyBar.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{052B12F7-86FA-4921-8482-26C42316B522}\(Default) = "Safety Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Safety Bar\SafetyBar.dll" [file not found]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{A7CB04BB-9009-94FD-780D-BD891D5C63BB}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ucpqq.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Bluetooth Service, btwdins, "c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Notebook Manager Service, anbmService, "C:\Acer\eManager\anbmServ.exe" ["OSA Technologies Inc."]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
SX Service, SXServ, "C:\WINDOWS\system32\sxserv101.exe" [null data]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 56 seconds, including 20 seconds for message boxes)

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 02:53 AM

Please download
VundoFix.exe
to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#5 Solourus

Solourus
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 29 November 2006 - 03:19 AM

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.9

Scan started at 6:23:03 PM 29/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\wineil32.dll
C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\hhkmp.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wineil32.dll
C:\WINDOWS\system32\wineil32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhh.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\hhkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.tmp
C:\WINDOWS\system32\hhkmp.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wineil32.dll
C:\WINDOWS\system32\wineil32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhh.dll Has been deleted!

Performing Repairs to the registry.
Done!

-----------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:45:43 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\sxserv101.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\{320D180E-07CA-1033-0727-05071105003d}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\DOCUME~1\Sol\MYDOCU~1\FNTS~1\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Sol\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A7CB04BB-9009-94FD-780D-BD891D5C63BB} - C:\WINDOWS\system32\ucpqq.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\gndwfcwj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5EA3021D-8F86-4199-A2E4-B47FE00D5EBD} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\qomliih.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00404} - C:\WINDOWS\system32\fontextd.dll
O2 - BHO: (no name) - {A7CB04BB-9009-94FD-780D-BD891D5C63BB} - C:\WINDOWS\system32\ucpqq.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzam.dll,startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Bwer] "C:\DOCUME~1\Sol\MYDOCU~1\FNTS~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Pnuxahp] C:\Program Files\Common Files\F?nts\??chost.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qomliih - C:\WINDOWS\SYSTEM32\qomliih.dll
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 03:38 AM

Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.

Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 03:43 AM

Oops - posted twice :thumbsup:

Edited by Daemon, 29 November 2006 - 03:45 AM.

Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#8 Solourus

Solourus
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 29 November 2006 - 04:40 AM

Whow, that did take a long time.

ok here are the logs

--------------------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
Generated 11/29/2006 at 07:57 PM

Application Version : 3.3.1020

Core Rules Database Version : 3138
Trace Rules Database Version: 1155

Scan type : Complete Scan
Total Scan Time : 00:42:06

Memory items scanned : 458
Memory threats detected : 7
Registry items scanned : 4712
Registry threats detected : 56
File items scanned : 61478
File threats detected : 121

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\VTURP.DLL
C:\WINDOWS\SYSTEM32\VTURP.DLL
HKLM\Software\Classes\CLSID\{CA2D8379-B6DA-4992-A79F-650047D8CE7F}
HKCR\CLSID\{CA2D8379-B6DA-4992-A79F-650047D8CE7F}
HKCR\CLSID\{CA2D8379-B6DA-4992-A79F-650047D8CE7F}\InprocServer32
HKCR\CLSID\{CA2D8379-B6DA-4992-A79F-650047D8CE7F}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA2D8379-B6DA-4992-A79F-650047D8CE7F}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vturp

Trojan.Downloader-DRVSAM
C:\WINDOWS\SYSTEM32\DRVZAM.DLL
C:\WINDOWS\SYSTEM32\DRVZAM.DLL
C:\WINDOWS\TEMP\MST91E.TMP
C:\WINDOWS\TEMP\MST8A6.TMP
C:\WINDOWS\TEMP\MST9B3.TMP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017607.DLL

Trojan.Downloader-DoneDU
C:\WINDOWS\SYSTEM32\WIRVUFC.DLL
C:\WINDOWS\SYSTEM32\WIRVUFC.DLL
C:\WINDOWS\SYSTEM32\JEZMESH.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP134\A0017369.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP134\A0017370.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017622.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017623.DLL

Malware.Notifier
C:\WINDOWS\SYSTEM32\ISSEARCH.EXE
C:\WINDOWS\SYSTEM32\ISSEARCH.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#issearch.exe [ issearch.exe ]

Trojan.Update-Mcboo
C:\PROGRAM FILES\COMMON FILES\{320D180E-07CA-1033-0727-05071105003D}\UPDATE.EXE
C:\PROGRAM FILES\COMMON FILES\{320D180E-07CA-1033-0727-05071105003D}\UPDATE.EXE
[{320D180E-07CA-1033-0727-05071105003d}] C:\PROGRAM FILES\COMMON FILES\{320D180E-07CA-1033-0727-05071105003D}\UPDATE.EXE

Trojan.Hacktool
C:\PROGRAM FILES\COMMON FILES\{320D180E-07CA-1033-0727-05071105003D}\SYSTEM.DLL
C:\PROGRAM FILES\COMMON FILES\{320D180E-07CA-1033-0727-05071105003D}\SYSTEM.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP133\A0017307.DLL

Adware.ClickSpring-Variant
C:\DOCUME~1\SOL\MYDOCU~1\FNTS~1\RUNDLL32.EXE
C:\DOCUME~1\SOL\MYDOCU~1\FNTS~1\RUNDLL32.EXE

Adware.ClickSpring
[Bwer] C:\DOCUME~1\SOL\MYDOCU~1\FNTS~1\RUNDLL32.EXE
C:\DOCUMENTS AND SETTINGS\SOL\MY DOCUMENTS\FNTS~1\RUNDLL32.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017593.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017594.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017647.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP138\A0017692.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP138\A0017740.EXE

Trojan.Downloader-WNA
HKLM\Software\Classes\CLSID\{013A653B-49A6-4f76-8B68-E4875EA6BA54}
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}\InprocServer32
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GACWTUEO.DLL

Browser Hijacker.BestSafetyGuide
HKLM\Software\Classes\CLSID\{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f}
HKCR\CLSID\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F}
HKCR\CLSID\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F}
HKCR\CLSID\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F}\InprocServer32
HKCR\CLSID\{755BBD1A-AA59-456C-AFEB-B4C42C4DCB6F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IXT0.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{755bbd1a-aa59-456c-afeb-b4c42c4dcb6f}

Adware.Tracking Cookie
C:\Documents and Settings\Sol\Cookies\sol@smileycentral[1].txt
C:\Documents and Settings\Sol\Cookies\sol@www.winantiviruspro[1].txt
C:\Documents and Settings\Sol\Cookies\sol@msnportal.112.2o7[1].txt
C:\Documents and Settings\Sol\Cookies\sol@ad.zanox[1].txt
C:\Documents and Settings\Sol\Cookies\sol@yadro[2].txt
C:\Documents and Settings\Sol\Cookies\sol@adbrite[3].txt
C:\Documents and Settings\Sol\Cookies\sol@serving.rpowermedia[1].txt
C:\Documents and Settings\Sol\Cookies\sol@cpvfeed[2].txt
C:\Documents and Settings\Sol\Cookies\sol@mb[4].txt
C:\Documents and Settings\Sol\Cookies\sol@drivecleaner[2].txt
C:\Documents and Settings\Sol\Cookies\sol@adultfriendfinder[2].txt
C:\Documents and Settings\Sol\Cookies\sol@rotator.adjuggler[2].txt
C:\Documents and Settings\Sol\Cookies\sol@90218378[1].txt
C:\Documents and Settings\Sol\Cookies\sol@html[1].txt
C:\Documents and Settings\Sol\Cookies\sol@cartoonnetwork.122.2o7[1].txt
C:\Documents and Settings\Sol\Cookies\sol@admarketplace[1].txt
C:\Documents and Settings\Sol\Cookies\sol@burstnet[2].txt
C:\Documents and Settings\Sol\Cookies\sol@www.incentaclick[1].txt
C:\Documents and Settings\Sol\Cookies\sol@serialdevil[2].txt
C:\Documents and Settings\Sol\Cookies\sol@partygaming.122.2o7[1].txt
C:\Documents and Settings\Sol\Cookies\sol@malwarewipe[1].txt
C:\Documents and Settings\Sol\Cookies\sol@1070548007[1].txt
C:\Documents and Settings\Sol\Cookies\sol@ads.12titans[1].txt
C:\Documents and Settings\Sol\Cookies\sol@mediaplex[1].txt
C:\Documents and Settings\Sol\Cookies\sol@warlog[1].txt
C:\Documents and Settings\Sol\Cookies\sol@stats.drivecleaner[2].txt
C:\Documents and Settings\Sol\Cookies\sol@clicktorrent[1].txt
C:\Documents and Settings\Sol\Cookies\sol@data3.perf.overture[1].txt
C:\Documents and Settings\Sol\Cookies\sol@tcompany.122.2o7[1].txt
C:\Documents and Settings\Sol\Cookies\sol@kanoodle[1].txt
C:\Documents and Settings\Sol\Cookies\sol@login.tracking101[2].txt
C:\Documents and Settings\Sol\Cookies\sol@mediaonenetwork[3].txt
C:\Documents and Settings\Sol\Cookies\sol@mb[3].txt
C:\Documents and Settings\Sol\Cookies\sol@server.cpmstar[2].txt
C:\Documents and Settings\Sol\Cookies\sol@ads.adultswim[2].txt
C:\Documents and Settings\Sol\Cookies\sol@clicksor[1].txt
C:\Documents and Settings\Sol\Cookies\sol@worldlingomedia[1].txt
C:\Documents and Settings\Sol\Cookies\sol@revsci[2].txt
C:\Documents and Settings\Sol\Cookies\sol@as-eu.falkag[1].txt
C:\Documents and Settings\Sol\Cookies\sol@ad[2].txt
C:\Documents and Settings\Sol\Cookies\sol@www.drivecleaner[1].txt
C:\Documents and Settings\Sol\Cookies\sol@cgi-bin[2].txt
C:\Documents and Settings\Sol\Cookies\sol@34368978[1].txt
C:\Documents and Settings\Sol\Cookies\sol@adultswim[1].txt
C:\Documents and Settings\Sol\Cookies\sol@adsrevenue[3].txt
C:\Documents and Settings\Sol\Cookies\sol@1071428033[1].txt
C:\Documents and Settings\Sol\Cookies\sol@www.burstnet[2].txt
C:\Documents and Settings\Sol\Cookies\sol@mb[6].txt
C:\Documents and Settings\Sol\Cookies\sol@stats1.reliablestats[1].txt
C:\Documents and Settings\Sol\Cookies\sol@ads.mininova[2].txt
C:\Documents and Settings\Sol\Cookies\sol@62952254[1].txt
C:\Documents and Settings\Sol\Cookies\sol@tacoda[2].txt
C:\Documents and Settings\Sol\Cookies\sol@cnetaustralia.122.2o7[1].txt
C:\Documents and Settings\Sol\Cookies\sol@interclick[2].txt
C:\Documents and Settings\Sol\Cookies\sol@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\Sol\Cookies\sol@partypoker[3].txt
C:\Documents and Settings\Sol\Cookies\sol@microsoftgamestudio.112.2o7[1].txt
C:\Documents and Settings\Sol\Cookies\sol@jamster.com[1].txt
C:\Documents and Settings\Sol\Cookies\sol@1066913881[1].txt
C:\Documents and Settings\Sol\Cookies\sol@cad-media[1].txt
C:\Documents and Settings\Sol\Cookies\sol@ads.ytmnd[2].txt
C:\Documents and Settings\Sol\Cookies\sol@usenext[2].txt
C:\Documents and Settings\Sol\Cookies\sol@adopt.euroclick[2].txt
C:\Documents and Settings\Sol\Cookies\sol@indexstats[1].txt
C:\Documents and Settings\Sol\Cookies\sol@www.serialsite[1].txt
C:\Documents and Settings\Sol\Cookies\sol@nbads[2].txt
C:\Documents and Settings\Sol\Cookies\sol@adbrite[1].txt
C:\Documents and Settings\Sol\Cookies\sol@tacoda[1].txt
C:\Documents and Settings\Sol\Cookies\sol@adsrevenue[1].txt
C:\Documents and Settings\Sol\Cookies\sol@mediaonenetwork[1].txt
C:\Documents and Settings\Sol\Cookies\sol@acvs.mediaonenetwork[2].txt
C:\Documents and Settings\Sol\Cookies\sol@partypoker[2].txt
C:\Documents and Settings\Sol\Cookies\sol@ad.yieldmanager[1].txt
C:\Documents and Settings\Sol\Cookies\sol@banners[2].txt

Unclassified.Unknown Origin
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}
HKCR\CLSID\{11F0EE13-5947-2942-F631-09BEB2706006}
HKCR\CLSID\{11F0EE13-5947-2942-F631-09BEB2706006}\InprocServer32
HKCR\CLSID\{11F0EE13-5947-2942-F631-09BEB2706006}\InprocServer32#ThreadingModel
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32#ThreadingModel

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
C:\WINDOWS\SYSTEM32\OT.ICO
C:\WINDOWS\TEMP\WIN8A7.TMP.EXE
C:\WINDOWS\TEMP\WIN9B4.TMP.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017595.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP138\A0017690.ICO

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\Sol\Favorites\Antivirus Test Online.url

Malware.Safety Bar
HKCR\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}
HKCR\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}\Implemented Categories
HKCR\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}\InprocServer32
HKCR\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{052b12f7-86fa-4921-8482-26c42316b522}

Malware.VirusBurst
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Alerter 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Alerter 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Alerter 2006#UninstallString
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\fibbjmbOEw
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\hCjeymserfd
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\InProcServer32
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\InProcServer32#ThreadingModel
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\JsPHkioyhjry
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\KxkWkjvPgMf
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\nknfsdjpdiecg
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\NsAtyEko
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\syEhbajcSloh
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\uZCtafyqVA
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\wcfYliPe
C:\Program Files\Virus-Bursters\virusburster.ini
C:\Program Files\Virus-Bursters

Trojan.Downloader-RNFSave
C:\WINDOWS\SYSTEM32\VTUTQQP.DLL

Trojan.Downloader-VSAddIn
C:\WINDOWS\SYSTEM32\SALQRODC.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP135\A0017609.DLL

Trojan.Downloader-SpyTool
C:\WINDOWS\SYSTEM32\XRCQPOUH.DLL

Adware.ClickSpring/PuritySCAN
C:\WINDOWS\SYSTEM32\WNSAPISV.EXE

Worm.Rbot Variant
C:\WINDOWS\SYSTEM32\ISMINI.EXE

Trojan.Flx/Conhook
C:\WINDOWS\SYSTEM32\COMPONENTS\FLX6.DLL

Adware.ClickSpring/Resident
C:\WINDOWS\TEMP\ASHEURISTIC\100C_TMP.VIR
C:\Program Files\Common Files\FNTS~1\CHOST_~1.VIR

Adware.ClickSpring/Yazzle
C:\WINDOWS\PREFETCH\YAZZLE1162OINADMIN.EXE-2F553437.PF

Adware.TrustInCash
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP128\A0016192.EXE

Adware.ToolBar888
C:\SYSTEM VOLUME INFORMATION\_RESTORE{203A9C89-7A2C-419F-A40E-8C82E0800C2E}\RP133\A0017309.DLL

----------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 8:06:14 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\sxserv101.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sol\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A7CB04BB-9009-94FD-780D-BD891D5C63BB} - C:\WINDOWS\system32\ucpqq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pnuxahp] C:\Program Files\Common Files\F?nts\??chost.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe

#9 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 05:04 AM

OK, we are getting there. One more scan.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#10 Solourus

Solourus
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 29 November 2006 - 05:10 AM

Sol - 06-11-29 20:34:37.56 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Sol\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\system32\YSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Documents and Settings\Sol\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\Sol\My Documents\FNTS~1\F?nts


((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))


2006-11-29 19:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2006-11-29 19:12 <DIR> d-------- C:\Documents and Settings\Sol\Application Data\SUPERAntiSpyware.com
2006-11-29 18:46 593,944 ---hs---- C:\WINDOWS\system32\prutv.bak1
2006-11-29 18:23 <DIR> d-------- C:\VundoFix Backups
2006-11-29 16:34 87,594 --a------ C:\WINDOWS\g13549843.dll
2006-11-29 16:10 87,594 --a------ C:\WINDOWS\g12081343.dll
2006-11-29 15:40 87,594 --a------ C:\WINDOWS\g10277796.dll
2006-11-29 15:14 87,594 --a------ C:\WINDOWS\g8714359.dll
2006-11-29 13:41 87,594 --a------ C:\WINDOWS\g3170500.dll
2006-11-29 13:15 87,594 --a------ C:\WINDOWS\g1608171.dll
2006-11-29 13:15 70,144 --a------ C:\WINDOWS\system32\fontextd.dll
2006-11-29 13:15 46,122 --a------ C:\WINDOWS\system32\sxserv101.exe
2006-11-29 12:56 77,824 --a------ C:\WINDOWS\system32\tpedvf.dll
2006-11-29 05:58 40,973 ---hs---- C:\WINDOWS\system32\tuvusts.dll
2006-11-28 18:52 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-28 17:00 88,340 --a------ C:\WINDOWS\system32\rmqmbrqg.exe
2006-11-28 17:00 42,516 --a------ C:\WINDOWS\system32\gndwfcwj.dll
2006-11-28 15:58 40,973 ---hs---- C:\WINDOWS\system32\cbxxwus.dll
2006-11-27 22:12 40,973 ---hs---- C:\WINDOWS\system32\qomliih.dll
2006-11-27 16:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-27 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-26 12:42 <DIR> d--hs---- C:\FOUND.001
2006-11-25 16:15 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-11-24 11:58 119,568 --a------ C:\WINDOWS\system32\vb6fr.dll
2006-11-24 11:58 <DIR> d-------- C:\Program Files\PC Wizard 2006
2006-11-24 00:00 <DIR> d-------- C:\WINDOWS\FG
2006-11-18 13:52 <DIR> d-------- C:\Documents and Settings\Sol\Application Data\InstallShield
2006-11-13 14:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-11 10:31 <DIR> d-------- C:\Program Files\StarportGE
2006-11-05 20:29 35,036,803 --a------ C:\SEP-3T.exe
2006-11-04 21:48 <DIR> d-------- C:\Savage
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 14:10 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2006-11-04 11:29 <DIR> d-------- C:\Documents and Settings\Sol\Application Data\Apple Computer
2006-11-03 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-03 15:14 <DIR> d-------- C:\Program Files\QuickTime
2006-11-01 13:19 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2006-11-01 13:19 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2006-11-01 13:19 <DIR> d-------- C:\Program Files\DIFX
2006-11-01 12:51 <DIR> d-------- C:\Intel
2006-10-30 12:07 <DIR> d-------- C:\Documents and Settings\Sol\Application Data\Logitech
2006-10-29 16:04 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
2006-10-29 16:03 69,760 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2006-10-29 16:03 55,808 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
2006-10-29 16:03 53,248 --a------ C:\WINDOWS\system32\KemXML.dll
2006-10-29 16:03 36,736 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.sys
2006-10-29 16:03 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-10-29 16:03 126,976 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-10-29 16:03 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-10-29 16:02 94,208 --a------ C:\WINDOWS\KHALMNPR.Exe
2006-10-29 16:02 27,008 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2006-10-29 16:02 <DIR> d-------- C:\Program Files\Logitech
2006-10-29 16:02 <DIR> d-------- C:\Program Files\Common Files\Logitech
2006-10-29 16:01 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-10-29 15:48 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-27 14:23 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-27 14:23 94208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-13 23:05 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 00:59 -------- d-------- C:\Program Files\Azureus
2006-10-11 00:59 -------- d-------- C:\Documents and Settings\Sol\Application Data\Azureus
2006-10-10 23:40 -------- d-------- C:\Program Files\VideoLAN
2006-09-15 22:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-13 15:31 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-09 02:59 38272 --a------ C:\Documents and Settings\Sol\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Pnuxahp"="C:\\Program Files\\Common Files\\F?nts\\??chost.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LaunchApp"="Alaunch"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"EPM-DM"="c:\\acer\\epm\\epm-dm.exe"
"ePowerManagement"="C:\\Acer\\ePM\\ePM.exe boot"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"LManager"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"eRecoveryService"="C:\\Program Files\\Acer\\eRecovery\\Monitor.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}"="z"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"expatriates"="{1a01a98c-4f25-42e1-971a-185cf63569b2}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Sol.job

Completion time: 06-11-29 20:35:00.57
C:\ComboFix2.txt ... 06-11-29 20:34
C:\ComboFix.txt ... 06-11-29 20:35

------------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 8:36:44 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\sxserv101.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sol\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A7CB04BB-9009-94FD-780D-BD891D5C63BB} - C:\WINDOWS\system32\ucpqq.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pnuxahp] C:\Program Files\Common Files\F?nts\??chost.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe

#11 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 05:30 AM

Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after:

C:\WINDOWS\system32\sxserv101.exe

Click 'Exit' when done.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R3 - URLSearchHook: (no name) - {A7CB04BB-9009-94FD-780D-BD891D5C63BB} - C:\WINDOWS\system32\ucpqq.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKCU\..\Run: [Pnuxahp] C:\Program Files\Common Files\F?nts\??chost.exe
O21 - SSODL: expatriates - {1a01a98c-4f25-42e1-971a-185cf63569b2} - C:\WINDOWS\system32\tpedvf.dll
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

We can check some of those files later after we have stopped all the bad stuff running.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#12 Solourus

Solourus
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 29 November 2006 - 05:44 AM

Ok I It dose seem to be gone now, to be honest im suprised at the extent of this infection :thumbsup:

Any way here is the log and Thanks alot :flowers:

--------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:09:14 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sol\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe (file missing)

#13 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 09:48 AM

You did have quite a lot in there. Go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "SX Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Let's check out some of the files flagged by combofix (sme of these may have already been removed by the steps we have taken already. Go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\WINDOWS\g13549843.dll

Click on the submit button. Please post the results in your next reply. Then repeat for all these:

C:\WINDOWS\g13549843.dll
C:\WINDOWS\g12081343.dll
C:\WINDOWS\g10277796.dll
C:\WINDOWS\g8714359.dll
C:\WINDOWS\g3170500.dll
C:\WINDOWS\g1608171.dll
C:\WINDOWS\system32\fontextd.dll
C:\WINDOWS\system32\tpedvf.dll
C:\WINDOWS\system32\tuvusts.dll
C:\WINDOWS\system32\rmqmbrqg.exe
C:\WINDOWS\system32\gndwfcwj.dll
C:\WINDOWS\system32\cbxxwus.dll
C:\WINDOWS\system32\qomliih.dll


Probably better to paste them into a notepad txt file whilst you work through them then paste the contents of that file in one message. Post a final HJT log also.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#14 Solourus

Solourus
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 29 November 2006 - 10:53 AM

Ok when i tryed to go to the malware scaner I got this

error: unable to connect to database. The administrator has already been notified, it is not necessary to contact us.

Since it is now 2am for me ill try again in the morning :thumbsup:

#15 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:39 AM

Posted 29 November 2006 - 12:24 PM

Must have been a temporary glitch - it's working now.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users