Infected With Trojan.win32.p2e.ai/gaming. Freepay.come/errorsafe.com


This topic is locked
28 replies to this topic

#1 deathjrd
Members, 48 posts

Posted 22 March 2007 - 03:33 AM

Logfile of HijackThis v1.99.1
Scan saved at 08:25:02, on 22/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\1160147890\ee\AOLSoftware.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MessengerSkinner\MessengerSkinner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
c:\program files\common files\aol\1160147890\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
c:\program files\common files\aol\1160147890\ee\aolsoftware.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\660aaf67dd58be3f29feba28bd0506\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160147890\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/sha...,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8716C71A-44D4-4DDF-A5C6-9633429DACDA}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


#2 Buckeye_Sam
Malware Expert; Members, 17,382 posts; Gender: Male; Location: Pickerington, Ohio

Posted 22 March 2007 - 04:18 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by Buckeye_Sam, 22 March 2007 - 04:19 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 deathjrd (Topic Starter)
Members, 48 posts

Posted 22 March 2007 - 04:48 PM

"Owner" - 07-03-22 21:26:54 Service Pack 2
ComboFix 07-03-22 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\instant access\Center\VIDEOZAPPING.upd
C:\Program Files\instant access\Dialer\144758122\VIDEOZAPPING.lnk
C:\Program Files\instant access\Dialer\144758122\fp.gad-network.com\08a8a75e8738c71517c092d31647f313.html
C:\Program Files\instant access\Dialer\144758122\fp.gad-network.com\08a8a75e8738c71517c092d31647f313.html_0.loginvis
C:\Program Files\instant access\Dialer\144758122\fp.gad-network.com\50105\images\index_02.jpg
C:\Program Files\instant access\Dialer\144758122\fp.gad-network.com\50105\images\index_03.jpg
C:\Program Files\instant access\Dialer\144758122\fp.gad-network.com\50105\images\index_05.jpg
C:\Program Files\instant access\Dialer\144758122\fp.gad-network.com\50105\images\EN\index_01.jpg
C:\Program Files\instant access\Dialer\144758122\us2-external-api.dlv4.com\js\6276170a60ff189daaf2c48b360790de
C:\Program Files\instant access\Dialer\144758122\us2-www.0texkax7c6hzuidk.com\Common\67a8a6cb828f9b3389307be7c4cc00cc.html
C:\Program Files\instant access\Dialer\144758122\us2-www.0texkax7c6hzuidk.com\custom\4291\EN\button1.gif
C:\Program Files\instant access\Dialer\144758122\us2-www.0texkax7c6hzuidk.com\custom\4291\EN\button2.gif
C:\Program Files\instant access\Dialer\144758122\us2-www.0texkax7c6hzuidk.com\custom\4291\EN\button3.gif
C:\Program Files\instant access\Dialer\144758122\us2-www.0texkax7c6hzuidk.com\custom\4291\EN\button4.gif
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\vbzip11.dll
C:\WINDOWS\system32\linkprd.exe
C:\Program Files\instant access
C:\WINDOWS\system32\nzadirwct__navps.dat
C:\WINDOWS\system32\nzadirwct.exe
C:\WINDOWS\system32\nzadirwct.dat


((((((((((((((((((((((((((((((( Files Created from 2007-02-22 to 2007-03-22 ))))))))))))))))))))))))))))))))))


2007-03-22 17:08 <DIR> d-------- C:\!KillBox
2007-03-22 16:08 318,976 --a------ C:\WINDOWS\system32\evdtfywbos.exe
2007-03-22 07:45 313,344 --a------ C:\WINDOWS\system32\pilnhrqmf.exe
2007-03-21 17:21 1,144,839 --a------ C:\stng260.exe
2007-03-21 17:08 40,738,456 --a------ C:\zlsSetup_70_337_000_en.exe
2007-03-21 09:33 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-03-21 09:00 5,037,072 --a------ C:\spybotsd14.exe
2007-03-21 08:52 314,880 --a------ C:\WINDOWS\system32\htrszvfj.exe
2007-03-21 08:27 315,392 --a------ C:\WINDOWS\system32\jlbsyxkw.exe
2007-03-20 17:08 315,392 --a------ C:\WINDOWS\system32\vjcybnzgku.exe
2007-03-20 15:51 96,978 --a------ C:\VirtumundoBeGone.exe
2007-03-20 08:16 <DIR> d-------- C:\VundoFix Backups
2007-03-20 08:09 95,744 --a------ C:\VundoFix.exe
2007-03-19 15:49 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-03-19 15:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZILLAbar
2007-03-19 15:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-03-14 19:44 <DIR> d--hs---- C:\DOCUME~1\Owner\Phone Browser
2007-03-14 19:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nokia
2007-03-14 19:08 9,216 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-03-14 19:08 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-03-14 19:08 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-03-14 19:08 138,240 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-03-14 19:08 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-03-14 19:08 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-03-14 19:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia Multimedia Player
2007-03-14 13:29 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-03-14 13:29 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-03-14 13:26 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-03-14 13:17 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia
2007-03-14 13:16 <DIR> d-------- C:\Program Files\DIFX
2007-03-14 13:09 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-03-14 13:08 <DIR> d-------- C:\Program Files\Nokia
2007-03-14 13:08 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Suite
2007-03-14 13:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-03-14 13:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2007-03-14 12:30 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-03-14 12:27 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-03-14 12:26 <DIR> d-------- C:\hijackthis scan
2007-03-14 12:12 4,236 --a------ C:\WINDOWS\system32\nzadirwct_navps.dat
2007-03-14 12:12 240,097 --a------ C:\WINDOWS\system32\nzadirwct_nav.dat
2007-03-12 21:44 80,272 -ra------ C:\WINDOWS\system32\drivers\sscdbus.sys
2007-03-12 21:44 137,884 -ra------ C:\WINDOWS\system32\drivers\sscdmdm.sys
2007-03-12 21:44 11,877 -ra------ C:\WINDOWS\system32\drivers\sscdcmnt.sys
2007-03-12 21:44 11,877 -ra------ C:\WINDOWS\system32\drivers\sscdcm.sys
2007-03-12 21:44 11,188 -ra------ C:\WINDOWS\system32\drivers\sscdwhnt.sys
2007-03-12 21:44 11,188 -ra------ C:\WINDOWS\system32\drivers\sscdwh.sys
2007-03-12 21:44 10,864 -ra------ C:\WINDOWS\system32\drivers\sscdmdfl.sys
2007-03-12 21:25 44,304 --a------ C:\WINDOWS\system32\msrpfs35.dll
2007-03-12 21:25 415,504 --a------ C:\WINDOWS\system32\msrepl35.dll
2007-03-12 21:25 39,424 --a------ C:\WINDOWS\system32\JETCOMP.exe
2007-03-12 21:25 368,912 --a------ C:\WINDOWS\system32\VBAR332.DLL
2007-03-12 21:25 344,064 --a------ C:\WINDOWS\system32\msexch35.dll
2007-03-12 21:25 294,912 --a------ C:\WINDOWS\system32\msxbse35.dll
2007-03-12 21:25 262,144 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-03-12 21:25 252,688 --a------ C:\WINDOWS\system32\msexcl35.dll
2007-03-12 21:25 250,128 --a------ C:\WINDOWS\system32\mspdox35.dll
2007-03-12 21:25 24,848 --a------ C:\WINDOWS\system32\msjter35.dll
2007-03-12 21:25 168,720 --a------ C:\WINDOWS\system32\msltus35.dll
2007-03-12 21:25 166,672 --a------ C:\WINDOWS\system32\mstext35.dll
2007-03-12 21:25 123,664 --a------ C:\WINDOWS\system32\msjint35.dll
2007-03-12 21:25 1,238,288 --a------ C:\WINDOWS\system32\msjt4jlt.dll
2007-03-12 21:25 1,050,896 --a------ C:\WINDOWS\system32\msjet35.dll
2007-03-12 21:22 <DIR> d-------- C:\Program Files\Samsung
2007-03-12 21:22 <DIR> d-------- C:\Hermes
2007-03-12 21:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Samsung
2007-03-08 18:06 <DIR> d-------- C:\HP
2007-03-08 18:05 9,196,032 --------- C:\WINDOWS\system32\RTLCPL.exe
2007-03-08 18:05 69,632 --------- C:\WINDOWS\soundman.exe
2007-03-08 18:05 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2007-03-08 18:05 208,896 --------- C:\WINDOWS\alcupd.exe
2007-03-08 18:05 156,672 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2007-03-08 18:05 139,264 --------- C:\WINDOWS\alcrmv.exe
2007-03-08 18:05 <DIR> d-------- C:\temp
2007-03-08 17:24 <DIR> d-------- C:\Program Files\Lavalys
2007-03-07 17:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-07 17:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-07 13:23 230,432 --a------ C:\StiImg.dat
2007-03-07 13:22 53,248 --a------ C:\WINDOWS\system32\PAStiSvc.exe
2007-03-07 13:21 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-03-07 13:08 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ArcSoft
2007-03-07 13:04 <DIR> d-------- C:\WINDOWS\PixArt
2007-03-07 13:04 <DIR> d-------- C:\Program Files\PC Camer@
2007-03-07 13:04 <DIR> d-------- C:\Program Files\Common Files\PCCamera
2007-03-07 12:53 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-03-07 12:52 21,248 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-03-07 12:51 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-03-07 12:51 <DIR> d-------- C:\Program Files\ArcSoft
2007-03-07 10:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-07 10:43 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-03-06 08:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-03-06 08:18 <DIR> d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2007-03-06 08:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-03-02 16:26 <DIR> d--hs---- C:\WA7P
2007-03-02 16:23 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-03-02 14:42 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-02 14:42 <DIR> d-------- C:\Program Files\Google
2007-03-02 12:16 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2007-03-02 12:16 <DIR> d-------- C:\Program Files\Learn2.com
2007-03-02 12:16 <DIR> d-------- C:\Program Files\AOL Companion
2007-03-02 12:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-03-02 12:14 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-03-02 12:14 153,088 --a------ C:\WINDOWS\system32\jgdwmie.dll
2007-03-02 12:13 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-03-02 12:13 <DIR> d-------- C:\Program Files\AOL 9.0
2007-03-01 23:16 <DIR> d-------- C:\Program Files\Viewpoint
2007-03-01 21:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Motive
2007-03-01 20:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Error Safe Free
2007-02-28 23:29 <DIR> d--h----- C:\DOCUME~1\Owner\APPLIC~1\GTek
2007-02-28 23:29 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-02-28 23:11 <DIR> d-------- C:\WINDOWS\pss
2007-02-28 22:12 321,024 --a------ C:\WINDOWS\system32\ouwzdahvkf.exe
2007-02-22 20:10 323,584 --a------ C:\WINDOWS\system32\xlacyio.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-22 21:38 317 --a------ C:\WINDOWS\system32\jwcurstb_navps.dat
2007-03-22 21:38 240097 --a------ C:\WINDOWS\system32\jwcurstb_navup.dat
2007-03-22 21:37 4635 --a------ C:\WINDOWS\system32\jwcurstb.dat
2007-03-22 21:37 315904 --a------ C:\WINDOWS\system32\jwcurstb.exe
2007-03-22 20:39 12 --a------ C:\WINDOWS\bthservsdp.dat
2007-03-22 20:01 -------- d-------- C:\Program Files\pacificpoker
2007-03-19 17:35 -------- d-------- C:\Program Files\windows live toolbar
2007-03-19 16:19 -------- d-------- C:\Program Files\divx
2007-03-15 17:29 -------- d-------- C:\Program Files\pokerroom.com
2007-03-14 19:14 -------- d-------- C:\Program Files\ladbrokesmpp
2007-03-14 18:44 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\microgaming
2007-03-12 22:36 214779 --a------ C:\Program Files\dogfoot.3gp
2007-03-12 22:32 99562 --a------ C:\Program Files\photo0014.jpg
2007-03-12 22:32 83255 --a------ C:\Program Files\photo0016.jpg
2007-03-12 22:32 123355 --a------ C:\Program Files\photo0024.jpg
2007-03-12 22:31 44504 --a------ C:\Program Files\amob_valentines18-01.gif
2007-03-12 22:31 29516 --a------ C:\Program Files\justin1.jpg
2007-03-12 22:31 17599 --a------ C:\Program Files\im029-tinaobrien00051242.jpg
2007-03-12 22:30 9326 --a------ C:\Program Files\canyon.jpg
2007-03-12 22:30 77672 --a------ C:\Program Files\parrot.bmp
2007-03-12 22:30 19884 --a------ C:\Program Files\parachutting.jpg
2007-03-12 22:30 19509 --a------ C:\Program Files\door to blue-wall.jpg
2007-03-12 22:30 15277 --a------ C:\Program Files\green frog.jpg
2007-03-12 22:30 15269 --a------ C:\Program Files\carnival.jpg
2007-03-12 22:30 15068 --a------ C:\Program Files\beach huts.jpg
2007-03-12 22:30 15059 --a------ C:\Program Files\relax.jpg
2007-03-12 22:30 14926 --a------ C:\Program Files\cat surprised.jpg
2007-03-12 22:30 126732 --a------ C:\Program Files\flower.swf
2007-03-12 22:29 19902 --a------ C:\Program Files\sunset.jpg
2007-03-12 22:29 15405 --a------ C:\Program Files\sport.jpg
2007-03-12 22:29 14960 --a------ C:\Program Files\surfing.jpg
2007-03-12 22:29 10928 --a------ C:\Program Files\xtreme skiing.jpg
2007-03-12 21:25 -------- d--h----- C:\Program Files\installshield installation information
2007-03-01 23:29 -------- d-------- C:\Program Files\messengerskinner
2007-03-01 23:29 -------- d-------- C:\Program Files\hp pavilion pc help
2007-03-01 23:29 -------- d-------- C:\Program Files\hp
2007-03-01 21:37 -------- d-------- C:\Program Files\easy internet signup
2007-03-01 18:18 -------- d-------- C:\Program Files\yahoo!
2007-02-21 20:08 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\divx
2007-02-21 18:51 -------- d-------- C:\Program Files\msn messenger
2007-02-21 18:31 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\messengerskinner
2007-02-21 18:21 -------- d-------- C:\Program Files\macrogaming
2007-02-17 17:36 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\msn6
2007-02-12 21:32 -------- d-------- C:\Program Files\titan poker
2007-02-11 14:35 -------- d-------- C:\Program Files\java
2007-02-03 22:46 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\google
2007-01-31 16:57 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\mcafee.com personal firewall
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-10 11:06 103984 --a------ C:\WINDOWS\system32\aoldial.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="~\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SweetIM"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe"
"messengerskinner"="C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"Acme.PCHButton"="C:\\PROGRA~1\\HPPAVI~1\\Pavilion\\XPHWWBP4\\plugin\\bin\\PCHButton.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1160147890\\ee\\AOLSoftware.exe"
"SweetIM"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"VTTimer"="VTTimer.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"AlcxMonitor"="ALCXMNTR.EXE"
"jwcurstb"="c:\\windows\\system32\\jwcurstb.exe jwcurstb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ndows_NTAUTOTBAR"
"hkey"="HKLM"
"command"="ndows_NTAUTOTBAR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nzadirwct]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nzadirwct"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\nzadirwct.exe nzadirwct"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LaunchApplication"
"hkey"="HKLM"
"command"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (MITZI-Owner).job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g

scanning hidden files ...

C:\WINDOWS\system32\jwcurstb.dat 8192 bytes
C:\WINDOWS\system32\jwcurstb.exe 319488 bytes
C:\WINDOWS\system32\jwcurstb_nav.dat 241664 bytes
C:\WINDOWS\system32\jwcurstb_navps.dat 320 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 4

********************************************************************

Completion time: 07-03-22 21:41:05

#4 Buckeye_Sam
Malware Expert; Members, 17,382 posts; Gender: Male; Location: Pickerington, Ohio

Posted 22 March 2007 - 07:00 PM

ComboFix took care of some of it for us, but we need another tool in order to clean it up completely.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy the script below into Notepad and save it as aftermath.bfu
Save it in the same folder you made earlier (c:\BFU) and set Filetype to "All files"

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\jwcurstb
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|jwcurstb
FileDelete %SYSDIR%\jwcurstb_navps.dat
FileDelete %SYSDIR%\jwcurstb_nav.dat
FileDelete %SYSDIR%\jwcurstb.dat
FileDelete %SYSDIR%\jwcurstb.exe
FileDelete %SYSDIR%\jwcurstb_m2s.xml
FileDelete %WINDIR%\jwcurstb.exe-*.pf


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select EGDACCESS.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Behind the scriptline to execute field click the folder icon again and this time select aftermath.bfu
  • Press Execute and let it do its job.
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot and post a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
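
The cleanup above is a short script in Brute Force Uninstaller's own format: one verb per line, `RegDelValue` written as `key|valuename`, and `%SYSDIR%`/`%WINDIR%` placeholders. Before running a script like that, a practitioner wants to see exactly what it will touch and whether it actually covers everything catchme reported as hidden. The following is an added example, not part of this thread and not BFU's own code: it parses the three verbs used in aftermath.bfu, expands the placeholders the way they resolve on a default Windows XP install (an assumption), and cross-checks the FileDelete targets against the four hidden files from the catchme output earlier in the thread. It deletes nothing.

```python
"""Dry-run planner for the aftermath.bfu cleanup script in the post above.

Added example, not part of the original thread and not Brute Force
Uninstaller's own code. Placeholder expansion assumes a default Windows XP
layout (C:\WINDOWS, C:\WINDOWS\system32). Nothing here deletes anything.
"""
import fnmatch
from dataclasses import dataclass

# Assumed expansion of BFU's placeholders for a default Windows XP install.
PLACEHOLDERS = {
    "%SYSDIR%": r"C:\WINDOWS\system32",
    "%WINDIR%": r"C:\WINDOWS",
}

# The script and the catchme hidden-file list, copied from the posts above.
AFTERMATH_BFU = r"""
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\jwcurstb
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|jwcurstb
FileDelete %SYSDIR%\jwcurstb_navps.dat
FileDelete %SYSDIR%\jwcurstb_nav.dat
FileDelete %SYSDIR%\jwcurstb.dat
FileDelete %SYSDIR%\jwcurstb.exe
FileDelete %SYSDIR%\jwcurstb_m2s.xml
FileDelete %WINDIR%\jwcurstb.exe-*.pf
"""
CATCHME_HIDDEN = [
    r"C:\WINDOWS\system32\jwcurstb.dat",
    r"C:\WINDOWS\system32\jwcurstb.exe",
    r"C:\WINDOWS\system32\jwcurstb_nav.dat",
    r"C:\WINDOWS\system32\jwcurstb_navps.dat",
]


@dataclass(frozen=True)
class Action:
    verb: str        # RegDeleteKey | RegDelValue | FileDelete
    target: str      # registry key, or file path/glob with placeholders expanded
    value: str = ""  # value name, only for RegDelValue


def expand(path: str) -> str:
    """Replace BFU's %SYSDIR%/%WINDIR% placeholders with concrete paths."""
    for token, real in PLACEHOLDERS.items():
        path = path.replace(token, real)
    return path


def parse_bfu(script: str) -> list:
    """Parse a .bfu script into Actions; an unknown verb or malformed line raises."""
    actions = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        verb, _, arg = line.partition(" ")
        arg = arg.strip()
        if verb == "RegDeleteKey":
            actions.append(Action(verb, arg))
        elif verb == "RegDelValue":
            key, sep, value = arg.partition("|")     # BFU writes key|valuename
            if not sep or not value:
                raise ValueError(f"RegDelValue needs key|value: {line}")
            actions.append(Action(verb, key, value))
        elif verb == "FileDelete":
            actions.append(Action(verb, expand(arg)))
        else:
            raise ValueError(f"unknown BFU verb: {line}")
    return actions


def coverage(actions, hidden_files):
    """Split the picture three ways: hidden files the script deletes (covered),
    hidden files it does not touch (missed), and FileDelete targets that match
    no reported hidden file (extra). Paths compare case-insensitively, and a
    target may be a glob such as the prefetch entry."""
    patterns = [a.target.lower() for a in actions if a.verb == "FileDelete"]
    hidden = [h.lower() for h in hidden_files]
    covered = [h for h in hidden if any(fnmatch.fnmatchcase(h, p) for p in patterns)]
    missed = [h for h in hidden if h not in covered]
    extra = [p for p in patterns if not any(fnmatch.fnmatchcase(h, p) for h in hidden)]
    return covered, missed, extra


if __name__ == "__main__":
    plan = parse_bfu(AFTERMATH_BFU)
    for a in plan:
        print(f"{a.verb:13} {a.target}" + (f"  value={a.value}" if a.value else ""))
    cov, miss, ext = coverage(plan, CATCHME_HIDDEN)
    print(f"covers {len(cov)}/{len(CATCHME_HIDDEN)} hidden files; missed={miss}; extra={ext}")
```

Run against the script above it reports all four catchme files as covered, nothing missed, and two extra targets (the `_m2s.xml` companion file and the prefetch glob) that the helper added from experience with this family rather than from the catchme output; those two are the lines to double-check before executing.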

#5 deathjrd (Topic Starter)

Posted 22 March 2007 - 08:04 PM

Hi, I have just done what you said. This is my new HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 01:01:28, on 23/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\1160147890\ee\AOLSoftware.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
c:\program files\common files\aol\1160147890\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1160147890\ee\aolsoftware.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160147890\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc..._1071_em_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/sha...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/sha...,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8716C71A-44D4-4DDF-A5C6-9633429DACDA}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
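
A HijackThis log like the one above is read by section: R0/R1 for browser start and search pages, O2/O3 for BHOs and toolbars, O4 for autoruns, O9 for IE buttons, O16 for ActiveX downloads (DPF), O17 for the DNS servers in the TCP/IP stack, O23 for services. The entries a helper looks at first are the mechanical ones: orphaned references ("(no file)", "(file missing)"), DPF installs from hosts that are not the machine's ISP or AV vendor, name servers the user did not choose, services with no vendor string, and autoruns of a randomly named executable in system32 (the `jwcurstb.exe` pattern catchme found). The following is an added example, not part of this thread and not HijackThis's own code, that does that first pass over a constructed sample modelled on the log above. The trusted-host allowlist, the expected DNS set and the 8-letter-name heuristic are assumptions to tune per machine.

```python
"""First-pass triage of a HijackThis log.

Added example, not part of the thread and not HijackThis's own code.
The allowlist, the expected-DNS set and the 8-letter heuristic are assumptions.
"""
import re
from urllib.parse import urlparse

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
DPF_URL = re.compile(r" - (?P<url>https?://\S+)$")
NAMESERVER = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
# Assumed heuristic: a bare 8-lowercase-letter .exe dropped straight into system32.
RANDOM_EXE = re.compile(r"\\(?i:system32)\\[a-z]{8}\.exe\b")

# Assumed allowlist: the ISP/AV hosts that legitimately installed ActiveX on this box.
TRUSTED_DPF_HOSTS = frozenset({"aolcc.aolsvc.aol.co.uk", "download.av.aolsvc.co.uk"})

# Constructed sample, modelled on the log above (the first DPF URL is a placeholder).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [jwcurstb] C:\WINDOWS\system32\jwcurstb.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://dpf.example.invalid/binaries/installer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8716C71A-44D4-4DDF-A5C6-9633429DACDA}: NameServer = 205.188.146.145
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""


def triage(log, trusted_dpf_hosts=TRUSTED_DPF_HOSTS, expected_dns=frozenset()):
    """Return (section, kind, line) for every entry worth a second look."""
    findings = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if "(file missing)" in body or "(no file)" in body:
            findings.append((sec, "orphan", body))       # dead reference; safe to fix
            continue
        if sec == "O4" and RANDOM_EXE.search(body):
            findings.append((sec, "random-name", body))
        elif sec == "O16":
            u = DPF_URL.search(body)
            host = urlparse(u["url"]).hostname if u else None
            if host not in trusted_dpf_hosts:             # also catches a missing URL
                findings.append((sec, "untrusted-dpf", body))
        elif sec == "O17":
            n = NAMESERVER.search(body)
            ips = n["ips"].split(",") if n else []
            if any(ip not in expected_dns for ip in ips):
                findings.append((sec, "dns", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "no-vendor", body))     # no company name in version info
    return findings


if __name__ == "__main__":
    for sec, kind, line in triage(HJT_SAMPLE):
        print(f"{sec:4} {kind:14} {line}")
```

These are prompts for a human, not verdicts: "Unknown owner" on the STI Simulator service above only means the binary carries no company name, and an O17 entry is suspicious only when the address is not one the ISP hands out, which is why `expected_dns` is a parameter rather than a hard-coded list.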

#6 deathjrd (Topic Starter)

Posted 22 March 2007 - 08:35 PM

Hi, I am also concerned about my toolbar. I have got 1172 processes blacklisted in Spybot S&D Resident; is this normal? Plus my sound on my PC goes all distorted when online.

#7 deathjrd (Topic Starter)

Posted 22 March 2007 - 08:46 PM

Also, I can confirm that I am no longer getting any popups or Trojan32; that seems to have fixed the problem and I much appreciate it. PC and sound are still a bit slow; is there anything I could do about that?

#8 Buckeye_Sam (Malware Expert)

Posted 23 March 2007 - 09:26 AM

I'm not sure that we're completely done yet. There was a lot of malware in your combofix log so we may have some more work to do.



Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

  • Clean out your Temporary Internet files.
    • Internet Explorer
      • Close Internet Explorer and close any instances of Windows Explorer.
      • Click Start -> Control Panel and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
    • Firefox (In case you also have Firefox installed)
      • Open Firefox and go to Tools -> Options.
      • Click Privacy in the menu on the left side of the Options window.
      • Click the Clear button located to the right of each option (History, Cookies, Cache).
      • Click OK to close the Options window.
        Alternatively, you can clear all information stored while browsing by clicking Clear All.
        A confirmation dialog box will be shown before clearing the information.
    IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:

  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Please post the results of the AVG Anti-Spyware scan report in your next reply.


===============


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.
==============



I would also like to see a new log from Combofix once you've completed both scans.


========================================================

#9 deathjrd (Topic Starter)

Posted 23 March 2007 - 11:08 AM

Hi, what is Ewido? I don't have that on my PC.

#10 deathjrd (Topic Starter)

Posted 23 March 2007 - 01:01 PM

Hi, here is my AVG report.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:41:47 23/03/2007

+ Scan result:



C:\WINDOWS\Titan Poker setup.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Program Files\PokerRoom.com\Uninstall.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{64D353BC-F70D-499F-9163-3CEC028719CD}\RP289\A0029495.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).


::Report end

#11 Buckeye_Sam (Malware Expert)

Posted 23 March 2007 - 04:09 PM

Ewido is the older version of AVG Antispyware. Have you been able to run the other virus scan yet?

I also need to see a new log from Combofix and a new hijackthis log.


========================================================

#12 deathjrd (Topic Starter)

Posted 24 March 2007 - 09:02 AM

Hi, does the Panda ActiveScan show the scan in progress? Because I am clicking on My Computer and nothing is showing.

#13 deathjrd (Topic Starter)

Posted 24 March 2007 - 11:37 AM

Hi, I keep getting an "Error on page" message once I click on My Computer in the Panda ActiveScan. It will not scan for some reason. I have allowed ActiveX to run; as soon as it has done that it won't let me do anything else.

#14 deathjrd (Topic Starter)

Posted 24 March 2007 - 11:49 AM

Hi, this is the web page I keep getting the error on:
http://www.pandasoftware.com/activescan/ac...can/ascan_2.asp
As soon as I go on that page it says there is an error.

#15 Buckeye_Sam (Malware Expert)

Posted 24 March 2007 - 08:06 PM

There are a couple of other online scans that you can try.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Or this one...


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Hopefully one of these will work. But if not, we'll work around it.


========================================================



