
Annoying Ad Popups


This topic is locked
15 replies to this topic

#1 binx1310


Posted 18 May 2007 - 10:52 AM

Recently AVG antivirus popped up to tell me there was a trojan and, as normal, I clicked heal and went on my way. But now I keep getting pop-ups in Internet Explorer, even when I'm not using it. I always use Firefox but the ads always open in Internet Explorer.

I have also noticed that in one of my folders a bitmap of a line of smileys called userimages keeps appearing even though I delete it.
I haven't really noticed any major slowdown.

System is as follows:

AMD Athlon 64 3500+ 2.20 GHz
Maxtor 250GB 7200rpm hard drive
Nvidia GeForce 6600GT 256MB graphics
Realtek sound card
ASRock motherboard
1 GB RAM
Windows XP Professional SP2
AVG Anti-Virus, AVG Anti-Spyware, Spybot S&D, SpywareBlaster, Ad-Aware Personal SE
Sygate Personal Firewall

I am currently doing a Kaspersky online scan and will post the log in this topic when it is done.

HijackThis log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:48:00, on 18/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tv.student.ask4.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mjdgwsdd.dll",realset
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk.disabled
O4 - Global Startup: usb phone.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...ient/muweb_site.cab?1162422153265
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe



#2 binx1310


Posted 18 May 2007 - 10:56 AM

AVG just popped up again with the trojan hjrmydki.dll

was successfully healed

will

Edited by binx1310, 18 May 2007 - 10:57 AM.


#3 binx1310


Posted 18 May 2007 - 12:43 PM

Kaspersky scan results

2 viruses and 11 files infected

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 18, 2007 6:37:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/05/2007
Kaspersky Anti-Virus database records: 304100
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 129328
Number of viruses found: 2
Number of infected objects: 11 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:58:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\William Durrant\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\cert8.db Object is locked skipped
C:\Documents and Settings\William Durrant\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\history.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\key3.db Object is locked skipped
C:\Documents and Settings\William Durrant\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\search.sqlite Object is locked skipped
C:\Documents and Settings\William Durrant\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\William Durrant\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Messenger\williamdurrant335@hotmail.com\SharingMetadata\activitylog.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Messenger\williamdurrant335@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Messenger\williamdurrant335@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Messenger\williamdurrant335@hotmail.com\SharingMetadata\Working\database_1A24_3734_2437_126D\dfsr.db Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Messenger\williamdurrant335@hotmail.com\SharingMetadata\Working\database_1A24_3734_2437_126D\fsr.log Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Messenger\williamdurrant335@hotmail.com\SharingMetadata\Working\database_1A24_3734_2437_126D\fsrtmp.log Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Messenger\williamdurrant335@hotmail.com\SharingMetadata\Working\database_1A24_3734_2437_126D\tmp.edb Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Windows Live Contacts\williamdurrant335@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Microsoft\Windows Live Contacts\williamdurrant335@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Application Data\Mozilla\Firefox\Profiles\s8jfbfj3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\History\History.IE5\MSHist012007051820070519\index.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\hjrmydki.dll Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\Perflib_Perfdata_338.dat Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\~DF157E.tmp Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\~DF1802.tmp Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\~DF199A.tmp Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\~DF9877.tmp Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temp\~DF9890.tmp Object is locked skipped
C:\Documents and Settings\William Durrant\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\William Durrant\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\William Durrant\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\William Durrant\UserData\index.dat Object is locked skipped
C:\NVIDIA\Win2KXP\93.71\nvappbar.ex_/ Infected: Email-Worm.Win32.Small.f skipped
C:\NVIDIA\Win2KXP\93.71\nvappbar.ex_ MS Expand: infected - 1 skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-137.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-210.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-490.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-521.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-530.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-662.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-886.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\HijackThis\backups\backup-20061205-200412-916.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{43607CCC-6AF0-4C8B-AD89-C3950BC1D43D}\RP16\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{87FE6A8E-2FF1-44FC-AD96-9223C0384527}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C3E04C29-6120-4EF8-880D-683F03130F17}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nvappbar.exe Infected: Email-Worm.Win32.Small.f skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_7b8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{43607CCC-6AF0-4C8B-AD89-C3950BC1D43D}\RP16\change.log Object is locked skipped

Scan process completed.

#4 binx1310


Posted 19 May 2007 - 07:27 AM

ComboFix performed, log as follows:

"William Durrant" - 2007-05-19 13:13:53 Service Pack 2
ComboFix 07-05.19.5.V - Running from: "C:\Documents and Settings\William Durrant\Desktop\"



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-19 ))))))))))))))))))))))))))))))))))


2007-05-19 12:46 <DIR> d-------- C:\VundoFix Backups
2007-05-19 10:37 <DIR> d-------- C:\Program Files\VideoReDoPlus
2007-05-19 10:37 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\VideoReDoPlus
2007-05-19 10:31 53,248 --a------ C:\WINDOWS\system32\GenSvcInst.exe
2007-05-19 10:31 33,408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-05-19 10:31 118,784 --a------ C:\WINDOWS\system32\bgsvcgen.exe
2007-05-19 10:31 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-05-19 10:12 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Pegasys Inc
2007-05-18 17:51 <DIR> d-------- C:\KAV
2007-05-18 16:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-18 16:01 1,006,685 ---hs---- C:\WINDOWS\system32\opqss.bak1
2007-05-18 01:11 <DIR> d-------- C:\DOCUME~1\WILLIA~1\.DownloadManager
2007-05-17 23:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-05-17 23:25 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-05-17 23:25 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-05-17 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-05-17 21:07 <DIR> d-------- C:\Program Files\Bonjour
2007-05-17 20:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-05-16 19:07 1,684,040 --a------ C:\AnyDVD HD 6.1.4.3.exe
2007-05-16 19:06 1,684,040 --a------ C:\SetupAnyDVD6143.exe
2007-05-16 19:04 <DIR> d-------- C:\Program Files\UseNeXT
2007-05-16 19:04 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\UseNeXT
2007-05-16 18:29 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\SlySoft
2007-05-16 18:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-05-16 18:26 <DIR> d-------- C:\Program Files\SlySoft
2007-05-15 18:00 <DIR> d-------- C:\Program Files\3DLivePool_at
2007-05-13 13:56 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\DivX
2007-05-13 13:36 <DIR> d-------- C:\divx
2007-05-13 13:35 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-13 13:35 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-13 13:35 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-12 16:28 <DIR> d-------- C:\Program Files\QuickTime
2007-05-12 11:20 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-05-11 18:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 05:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 05:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-08 11:35 73,928 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-05-06 17:23 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\vlc
2007-05-06 14:06 <DIR> d-------- C:\Program Files\VideoLAN
2007-05-06 05:10 <DIR> d-------- C:\Program Files\Uniblue
2007-05-06 04:58 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Uniblue
2007-05-05 13:06 <DIR> d-------- C:\Program Files\EA GAMES
2007-05-05 11:47 <DIR> d-------- C:\Program Files\Kontiki
2007-05-05 11:47 <DIR> d-------- C:\Program Files\Channel4
2007-05-04 22:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll
2007-05-04 22:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll
2007-05-04 22:31 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-04 22:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll
2007-05-04 22:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll
2007-05-04 22:31 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-05-04 22:31 152,064 --a------ C:\WINDOWS\system32\unrar.dll
2007-05-04 22:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll
2007-05-04 22:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll
2007-05-04 22:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll
2007-05-04 22:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll
2007-05-04 22:31 <DIR> d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-04-29 10:25 4 --a------ C:\WINDOWS\jknradee.sys
2007-04-27 00:42 <DIR> d-------- C:\Kontiki
2007-04-26 12:30 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2007-04-26 12:30 69,632 --a------ C:\WINDOWS\system32\Copy of GkSui18.EXE
2007-04-26 12:30 <DIR> d-------- C:\Program Files\Folding@Home
2007-04-24 19:54 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\CoreFTP
2007-04-24 17:42 247,608 --a------ C:\jre-1_5_0_07-windows-i586-p-iftw.exe
2007-04-23 23:45 <DIR> d-------- C:\Program Files\MagicISO
2007-04-23 01:15 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 01:15 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-04-23 01:15 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-04-23 01:02 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-04-23 01:02 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 01:02 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-04-23 01:02 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 01:02 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-04-23 01:02 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-04-23 01:02 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-04-23 01:02 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-04-23 01:01 124,472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-23 01:01 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-21 20:38 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\dvdcss
2007-04-21 17:39 <DIR> d-------- C:\Program Files\DVD Audio Extractor
2007-04-20 16:37 <DIR> d-------- C:\Program Files\Selectsoft
2007-04-19 09:06 <DIR> d-------- C:\Program Files\Mp3 My Mp3 2.0


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-19 12:17:26 -------- d-----w C:\Program Files\SpeedFan
2007-05-18 17:15:45 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Skype
2007-05-18 01:16:09 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\HP
2007-05-18 01:15:54 112,357 ----a-w C:\WINDOWS\hpoins07.dat
2007-05-17 23:58:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-14 23:36:52 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-13 12:35:33 -------- d-----w C:\Program Files\DivX
2007-05-12 11:43:45 -------- d-----w C:\Program Files\Apple Software Update
2007-05-06 13:53:48 4,338 ----a-w C:\WINDOWS\mozver.dat
2007-05-05 17:26:55 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-05 12:31:06 29,392 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-04 21:32:51 98,304 ----a-w C:\WINDOWS\system32\qttask.exe
2007-04-25 08:30:52 -------- d-----w C:\Program Files\iTunes
2007-04-23 00:15:25 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-17 21:33:30 -------- d-----w C:\Program Files\MixVibesPro6DEMO
2007-04-15 21:36:51 -------- d-----w C:\Program Files\HP
2007-04-01 12:34:21 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-03-21 19:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-21 19:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-21 19:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-19 22:42:53 91,792 ----a-w C:\DOCUME~1\WILLIA~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-19 08:25:50 -------- d-----w C:\Program Files\iPod
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 12:23:46 -------- d-----w C:\Program Files\Yahoo!
2007-03-15 12:10:34 -------- d-----w C:\Program Files\Tidy
2007-03-12 13:02:26 947,472 ----a-w C:\WINDOWS\system32\msjava.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 20:30:25 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Ahead
2007-03-05 13:23:35 -------- d-----w C:\Program Files\DVD Shrink
2007-03-05 13:23:11 -------- d-----w C:\Program Files\DVD Decrypter
2007-03-05 11:05:38 -------- d-----w C:\Program Files\CambridgeSoft
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{074C1DC5-9320-4A9A-947D-C042949C6216}=C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 15:13]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{B941F689-4158-4922-B254-1A372E7E4C9A}=C:\WINDOWS\system32\ssqpo.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2005-06-29 10:08]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2005-07-04 06:29]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2006-06-01 12:26]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-06-19 14:37]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-05-15 16:52]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"Speed Fan"="C:\Program Files\SpeedFan\speedfan.exe" [2006-10-12 17:33]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2006-11-08 17:32]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SoundMan"="SOUNDMAN.EXE" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2006-11-08 17:32]
"WindowsUpdate"="C:\WINDOWS\system32\mjdgwsdd.dll,realset" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
"NoCDBurning"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"mount.exe"=C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"SiSRaid"=C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070129-150032-144
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -

backup-20070129-150032-286
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -

backup-20061205-200412-809
O2 - BHO: (no name) - {C447FAC1-0D7B-4DA1-BF7D-762EBA448F42} - C:\WINDOWS\system32\mljgf.dll (file missing)

backup-20061205-200412-546
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\ssqpmjg.dll (file missing)

backup-20061205-200412-530
O2 - BHO: (no name) - {68A59F17-3AE6-325C-69CB-02616E0C25CA} - C:\WINDOWS\system32\htgvzbd.dll

backup-20061205-200412-499
O4 - HKLM\..\Run: [lwwmbon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lwwmbon.dll,ritsagd

backup-20061205-200412-490
O2 - BHO: (no name) - {3A8C993A-DD20-2BDE-103C-0BEA119B75A9} - C:\WINDOWS\system32\spknedl.dll

backup-20061205-200412-662
O2 - BHO: (no name) - {56F51BFB-7315-7DEC-714A-02FDDF87298A} - C:\WINDOWS\system32\rxoxghd.dll

backup-20061205-200412-861
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)

backup-20061205-200412-137
O2 - BHO: (no name) - {31358CFA-E65E-058B-4373-0A816F54BA8D} - C:\WINDOWS\system32\vkmspbi.dll

backup-20061205-200412-916
O2 - BHO: (no name) - {2501D0BD-5628-3180-587B-0386D666EC26} - C:\WINDOWS\system32\drfwbvk.dll

backup-20061205-200412-521
O2 - BHO: (no name) - {1F1942A9-BE12-CCC2-8CAF-080E393257FC} - C:\WINDOWS\system32\cjlpwkf.dll

backup-20061205-200412-210
O2 - BHO: (no name) - {0C858766-7D94-25CC-7392-072284CA6772} - C:\WINDOWS\system32\dabyime.dll

backup-20061205-200412-886
O2 - BHO: (no name) - {041425A9-E267-BBA5-A836-039A659B08FC} - C:\WINDOWS\system32\xyeicxb.dll

backup-20061205-191005-312
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

backup-20061205-191005-698
O18 - Filter: text/html - (no CLSID) - (no file)

Contents of the 'Scheduled Tasks' folder
2007-05-12 11:43:47 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-06 04:09:34 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-05-06 03:58:44 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-19 13:17:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-19 13:20:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-19 13:20


--- E O F ---

VundoFix performed; log as follows:


VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 12:46:32 19/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddswgdjm.ini
C:\WINDOWS\system32\mjdgwsdd.dll
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqqooo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddswgdjm.ini
C:\WINDOWS\system32\ddswgdjm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mjdgwsdd.dll
C:\WINDOWS\system32\mjdgwsdd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqooo.dll
C:\WINDOWS\system32\ssqqooo.dll Has been deleted!

Performing Repairs to the registry.
Done!

However, I now get a message telling me that mjdgwsdd.dll could not be found whenever I log onto Windows. Should this file be restored?

will

#5 binx1310

binx1310
  • Topic Starter

  • Members
  • 49 posts
  • Local time:03:28 PM

Posted 19 May 2007 - 10:44 AM

HijackThis log after doing combo and vundo

Logfile of HijackThis v1.99.1
Scan saved at 16:40:22, on 19/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SpeedFan\speedfan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tv.student.ask4.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B941F689-4158-4922-B254-1A372E7E4C9A} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Speed Fan] C:\Program Files\SpeedFan\speedfan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mjdgwsdd.dll",realset
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk.disabled
O4 - Global Startup: usb phone.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162422153265
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#6 binx1310

binx1310
  • Topic Starter

  • Members
  • 49 posts
  • Local time:03:28 PM

Posted 20 May 2007 - 02:03 PM

It would appear that I have solved it myself; if someone could check the logs for me it would be much appreciated.

will

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:28 PM

Posted 21 May 2007 - 03:47 PM

Hi Will,

However, I now get a message telling me that mjdgwsdd.dll could not be found whenever I log onto Windows. Should this file be restored?

No.



It's a good start but you are not clean yet.

Download KillBox to the desktop. Do not run it yet, we will need it later.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B941F689-4158-4922-B254-1A372E7E4C9A} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O4 - HKCU\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mjdgwsdd.dll",realset
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab




Run Killbox program, in the field labeled "Full Path of File to Delete" enter (or copy and paste)

C:\WINDOWS\system32\mjdgwsdd.dll


Select "Delete on Reboot" and click on the red X (delete file). When it asks if you would like to reboot now, press the Yes button.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer to the Normal Mode.


Run ComboFix and post the log.


Finally, post a new Hijackthis log, the new ComboFix log and tell me how your computer is running.

Edited by SifuMike, 21 May 2007 - 03:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
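
The entries SifuMike singles out above fall into three classes that can be picked out of a HijackThis log mechanically rather than by eye: O2 BHOs whose DLL is already gone ("(no file)" / "(file missing)"), an O4 Run value that uses rundll32.exe to load an unrecognised DLL from system32 under a reassuring name ("WindowsUpdate" here, which is also why the "could not be found" message appears at logon once the DLL is deleted but the Run value remains), and O16 ActiveX downloads from hosts that are not known vendors. The triage script below is an added example written for this page; it is not part of the thread, of HijackThis or of ComboFix. The sample lines are copied from the log posted above; the trusted-host list and the list of DLLs accepted as rundll32 targets are constructed for the example and would need extending for real use.

```python
"""Triage a HijackThis log for the entry classes flagged in this thread."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted above (the
# truncated "..." URLs are exactly as they appear in the post).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B941F689-4158-4922-B254-1A372E7E4C9A} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mjdgwsdd.dll",realset
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
"""

# Assumed allowlists, constructed for this example only.
TRUSTED_DPF_HOSTS = {
    "update.microsoft.com", "www.kaspersky.com", "security.symantec.com",
    "messenger.zone.msn.com", "upload.facebook.com",
}
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll"}  # vendor DLLs seen in this log

# rundll32[.exe] followed by an optionally quoted path ending in .dll
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
ENTRY_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")


def triage_line(line):
    """Return a reason string if the log line deserves attention, else None."""
    line = line.strip()
    if line.startswith("O2 - BHO:"):
        # A BHO whose DLL no longer exists is an orphaned registration.
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            return "BHO registered but its DLL is gone (orphaned entry)"
        return None
    if line.startswith("O4 - "):
        m = RUNDLL_RE.search(line)
        if m:
            # Compare only the file name, case-insensitively.
            dll = m.group("dll").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_RUNDLL_DLLS:
                name_m = ENTRY_NAME_RE.search(line)
                name = name_m.group("name") if name_m else "?"
                return f'Run value "{name}" is a rundll32 loader for unrecognised DLL {dll}'
        return None
    if line.startswith("O16 - DPF:"):
        # The download URL is the last " - "-separated field.
        url = line.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return f"ActiveX download from untrusted host {host}"
        return None
    return None


def triage_log(text):
    """Return a list of (line, reason) pairs for every flagged entry."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run against the sample it flags exactly the five lines SifuMike asked to have fixed and leaves the Adobe BHO, the NVIDIA rundll32 entry and the Kaspersky scanner alone. A missing-file BHO and a Run value pointing at a deleted DLL are harmless in themselves but should be removed rather than "restored", which is the answer given above to the logon error.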

#8 binx1310

binx1310
  • Topic Starter

  • Members
  • 49 posts
  • Local time:03:28 PM

Posted 21 May 2007 - 05:27 PM

In HijackThis I could find the following to delete.

O4 - HKCU\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\mjdgwsdd.dll",realset

Computer seems to be running fine. The only thing I notice now is the bitmap of a line of smileys called userimages keeps appearing in D:\Applications, but apart from that all seems well.


ComboFix log and new HijackThis log as follows:

"William Durrant" - 2007-05-21 23:08:10 Service Pack 2 [SAFE MODE]
ComboFix 07-05.19.5.V - Running from: "C:\Documents and Settings\William Durrant\Desktop\"



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-21 22:14 <DIR> d-------- C:\!KillBox
2007-05-21 22:07 <DIR> d-------- C:\Program Files\CCleaner
2007-05-20 13:35 <DIR> d-------- C:\Program Files\HD Tune
2007-05-19 13:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-19 12:46 <DIR> d-------- C:\VundoFix Backups
2007-05-19 10:37 <DIR> d-------- C:\Program Files\VideoReDoPlus
2007-05-19 10:37 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\VideoReDoPlus
2007-05-19 10:31 53,248 --a------ C:\WINDOWS\system32\GenSvcInst.exe
2007-05-19 10:31 33,408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-05-19 10:31 118,784 --a------ C:\WINDOWS\system32\bgsvcgen.exe
2007-05-19 10:31 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-05-19 10:12 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Pegasys Inc
2007-05-18 17:51 <DIR> d-------- C:\KAV
2007-05-18 16:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-18 16:01 1,006,685 ---hs---- C:\WINDOWS\system32\opqss.bak1
2007-05-18 01:11 <DIR> d-------- C:\DOCUME~1\WILLIA~1\.DownloadManager
2007-05-17 23:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-05-17 23:25 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-05-17 23:25 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-05-17 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-05-17 21:07 <DIR> d-------- C:\Program Files\Bonjour
2007-05-17 20:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-05-16 19:04 <DIR> d-------- C:\Program Files\UseNeXT
2007-05-16 19:04 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\UseNeXT
2007-05-16 18:29 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\SlySoft
2007-05-16 18:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-05-16 18:26 <DIR> d-------- C:\Program Files\SlySoft
2007-05-15 18:00 <DIR> d-------- C:\Program Files\3DLivePool_at
2007-05-13 13:56 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\DivX
2007-05-13 13:36 <DIR> d-------- C:\divx
2007-05-13 13:35 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-13 13:35 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-13 13:35 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-12 16:28 <DIR> d-------- C:\Program Files\QuickTime
2007-05-12 11:20 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-05-11 18:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 05:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 05:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-08 11:35 73,928 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-05-06 17:23 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\vlc
2007-05-06 14:06 <DIR> d-------- C:\Program Files\VideoLAN
2007-05-06 05:10 <DIR> d-------- C:\Program Files\Uniblue
2007-05-06 04:58 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Uniblue
2007-05-05 13:06 <DIR> d-------- C:\Program Files\EA GAMES
2007-05-05 11:47 <DIR> d-------- C:\Program Files\Kontiki
2007-05-05 11:47 <DIR> d-------- C:\Program Files\Channel4
2007-05-04 22:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll
2007-05-04 22:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll
2007-05-04 22:31 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-04 22:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll
2007-05-04 22:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll
2007-05-04 22:31 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-05-04 22:31 152,064 --a------ C:\WINDOWS\system32\unrar.dll
2007-05-04 22:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll
2007-05-04 22:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll
2007-05-04 22:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll
2007-05-04 22:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll
2007-05-04 22:31 <DIR> d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-04-29 10:25 4 --a------ C:\WINDOWS\jknradee.sys
2007-04-27 00:42 <DIR> d-------- C:\Kontiki
2007-04-26 12:30 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2007-04-26 12:30 69,632 --a------ C:\WINDOWS\system32\Copy of GkSui18.EXE
2007-04-26 12:30 <DIR> d-------- C:\Program Files\Folding@Home
2007-04-24 19:54 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\CoreFTP
2007-04-24 17:42 247,608 --a------ C:\jre-1_5_0_07-windows-i586-p-iftw.exe
2007-04-23 23:45 <DIR> d-------- C:\Program Files\MagicISO
2007-04-23 01:15 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 01:15 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-04-23 01:15 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-04-23 01:02 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-04-23 01:02 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 01:02 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-04-23 01:02 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 01:02 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-04-23 01:02 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-04-23 01:02 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-04-23 01:02 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-04-23 01:01 124,472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-23 01:01 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-21 20:38 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\dvdcss
2007-04-21 17:39 <DIR> d-------- C:\Program Files\DVD Audio Extractor


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-21 21:55:56 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Skype
2007-05-21 21:05:05 -------- d-----w C:\Program Files\SpeedFan
2007-05-21 21:03:31 -------- d-----w C:\Program Files\Yahoo!
2007-05-20 21:44:13 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-05-20 13:14:37 92,256 ----a-w C:\DOCUME~1\WILLIA~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-19 20:48:16 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-18 01:16:09 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\HP
2007-05-18 01:15:54 112,357 ----a-w C:\WINDOWS\hpoins07.dat
2007-05-17 23:58:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-13 12:35:33 -------- d-----w C:\Program Files\DivX
2007-05-12 11:43:45 -------- d-----w C:\Program Files\Apple Software Update
2007-05-06 13:53:48 4,338 ----a-w C:\WINDOWS\mozver.dat
2007-05-05 17:26:55 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-05 12:31:06 29,392 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-04 21:32:51 98,304 ----a-w C:\WINDOWS\system32\qttask.exe
2007-04-25 08:30:52 -------- d-----w C:\Program Files\iTunes
2007-04-23 00:15:25 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-20 15:37:02 -------- d-----w C:\Program Files\Selectsoft
2007-04-17 21:33:30 -------- d-----w C:\Program Files\MixVibesPro6DEMO
2007-04-15 21:36:51 -------- d-----w C:\Program Files\HP
2007-04-01 12:34:21 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-03-21 19:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-21 19:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-21 19:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-19 08:25:50 -------- d-----w C:\Program Files\iPod
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:10:34 -------- d-----w C:\Program Files\Tidy
2007-03-12 13:02:26 947,472 ----a-w C:\WINDOWS\system32\msjava.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 20:30:25 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Ahead
2007-03-05 13:23:35 -------- d-----w C:\Program Files\DVD Shrink
2007-03-05 13:23:11 -------- d-----w C:\Program Files\DVD Decrypter
2007-03-05 11:05:38 -------- d-----w C:\Program Files\CambridgeSoft
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{074C1DC5-9320-4A9A-947D-C042949C6216}=C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 15:13]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2005-06-29 10:08]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2005-07-04 06:29]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2006-06-01 12:26]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-06-19 14:37]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-05-15 16:52]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Speed Fan"="C:\Program Files\SpeedFan\speedfan.exe" [2006-10-12 17:33]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"SoundMan"="SOUNDMAN.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"HD Tune"="C:\PROGRA~1\HDTUNE~1\HDTune.exe" [2007-01-22 02:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
"NoCDBurning"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"mount.exe"=C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"kdx"=C:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"SiSRaid"=C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"4oD"="C:\Program Files\Kontiki\KHost.exe" -all
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-19 12:21:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-06 04:09:34 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-05-06 03:58:44 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 23:12:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-21 23:13:01
C:\ComboFix-quarantined-files.txt ... 2007-05-21 23:13
C:\ComboFix2.txt ... 2007-05-19 13:20


--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 23:18:25, on 21/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HDTUNE~1\HDTune.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tv.student.ask4.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Speed Fan] C:\Program Files\SpeedFan\speedfan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162422153265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#9 SifuMike (malware expert; Members, 15,385 posts; Gender: Male; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 21 May 2007 - 05:46 PM

Hi,

I still see a Vundo remnant, so please run VundoFix again and post the VundoFix log.


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 binx1310 (Topic Starter; Members, 49 posts)

Posted 21 May 2007 - 06:13 PM

VundoFix found nothing.

Will

#11 SifuMike (malware expert; Members, 15,385 posts; Gender: Male; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 21 May 2007 - 11:28 PM

Hi Will,


Download KillBox to the desktop.

Run the KillBox program. In the field labeled "Full Path of File to Delete", enter (or copy and paste):
C:\WINDOWS\system32\opqss.bak1

Select "Delete on Reboot" and click the red X (Delete File). When it asks if you would like to reboot now, press the Yes button.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.

Run ComboFix and post the ComboFix log.
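The "Delete on Reboot" option described in the post above, and the PendingFileRenameOperations message it warns about, both come down to one Session Manager registry value. What follows is an added example, not KillBox's, ComboFix's or any poster's code: it builds and decodes that REG_MULTI_SZ value offline (nothing is written to the registry, so it runs on any host) and flags queued overwrites under C:\WINDOWS. That check matters in incident response because a dropper can use the same boot-time queue to replace a system DLL before any scanner loads. The second queued operation (drop.tmp, example.dll) is constructed for illustration; the value location and string layout are the ones Microsoft documents for MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT.

```python
# Added example (not KillBox's, ComboFix's or the poster's code): how a
# "Delete on Reboot" request is represented, and how to triage that value
# during incident response. KillBox and MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
# both queue work for the Session Manager in this REG_MULTI_SZ value:
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# Layout: a flat list of (source, destination) string pairs. An empty
# destination deletes the source at boot; a destination starting with '!'
# overwrites an existing file. Paths are in NT form (\??\C:\...).
# This script never touches the registry; it builds and parses the bytes only.

NT_PREFIX = "\\??\\"
SYSTEM_DIR = "c:\\windows\\"


def to_nt_path(path):
    """Prefix a Win32 path with \\??\\ unless it already carries it."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def from_nt_path(path):
    """Strip the \\??\\ prefix for display."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_operations(ops):
    """ops: list of (source, destination). destination is None to delete the
    source at boot, or a target path; a leading '!' on the target means
    'replace an existing file'. Returns the REG_MULTI_SZ payload: UTF-16LE,
    every string NUL-terminated, then one more NUL to close the list."""
    strings = []
    for source, destination in ops:
        strings.append(to_nt_path(source))
        if destination is None:
            strings.append("")
        elif destination.startswith("!"):
            strings.append("!" + to_nt_path(destination[1:]))
        else:
            strings.append(to_nt_path(destination))
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def decode_operations(raw):
    """Parse a REG_MULTI_SZ payload into a list of dicts, one per pending
    operation. Raises ValueError on an unpaired (malformed) entry."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]            # list terminator
    strings = text.split("\0")
    if strings and strings[-1] == "":
        strings.pop()               # split artefact after the last string's NUL
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations has an unpaired entry")
    ops = []
    for i in range(0, len(strings), 2):
        source, destination = strings[i], strings[i + 1]
        if destination == "":
            ops.append({"action": "delete", "source": from_nt_path(source),
                        "destination": None, "overwrite": False})
        else:
            ops.append({"action": "rename", "source": from_nt_path(source),
                        "destination": from_nt_path(destination.lstrip("!")),
                        "overwrite": destination.startswith("!")})
    return ops


def risky_operations(ops):
    """Return the renames that will overwrite something under C:\\WINDOWS at
    the next boot. Cleanup tools delete files this way, but a dropper can use
    the same queue to swap a trojaned DLL into system32 before any scanner
    runs, so every such entry deserves a look."""
    return [op for op in ops
            if op["action"] == "rename" and op["overwrite"]
            and op["destination"].lower().startswith(SYSTEM_DIR)]


if __name__ == "__main__":
    # Constructed sample: the delete requested in the thread, plus a
    # hypothetical queued replacement of a system32 DLL (example.dll is made up).
    payload = encode_operations([
        ("C:\\WINDOWS\\system32\\opqss.bak1", None),
        ("C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\drop.tmp",
         "!C:\\WINDOWS\\system32\\example.dll"),
    ])
    for op in decode_operations(payload):
        print(op)
    print("risky:", risky_operations(decode_operations(payload)))
```

On a live Windows host the payload would be read with the registry API as REG_MULTI_SZ and passed to decode_operations unchanged; the "Removed by External Process" message KillBox can print simply means another component rewrote this value between KillBox setting it and the reboot, which is why the advice above is to restart manually and re-check.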

#12 binx1310 (Topic Starter; Members, 49 posts)

Posted 22 May 2007 - 02:26 AM

All done, ComboFix log as follows:

"William Durrant" - 2007-05-22 8:13:31 Service Pack 2
ComboFix 07-05.19.5.V - Running from: "C:\Documents and Settings\William Durrant\Desktop\"



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))


2007-05-21 22:07 <DIR> d-------- C:\Program Files\CCleaner
2007-05-20 13:35 <DIR> d-------- C:\Program Files\HD Tune
2007-05-19 13:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-19 10:37 <DIR> d-------- C:\Program Files\VideoReDoPlus
2007-05-19 10:37 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\VideoReDoPlus
2007-05-19 10:31 53,248 --a------ C:\WINDOWS\system32\GenSvcInst.exe
2007-05-19 10:31 33,408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-05-19 10:31 118,784 --a------ C:\WINDOWS\system32\bgsvcgen.exe
2007-05-19 10:31 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-05-19 10:12 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Pegasys Inc
2007-05-18 16:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-18 01:11 <DIR> d-------- C:\DOCUME~1\WILLIA~1\.DownloadManager
2007-05-17 23:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-05-17 23:25 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-05-17 23:25 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-05-17 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-05-17 21:07 <DIR> d-------- C:\Program Files\Bonjour
2007-05-17 20:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-05-16 19:04 <DIR> d-------- C:\Program Files\UseNeXT
2007-05-16 19:04 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\UseNeXT
2007-05-16 18:29 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\SlySoft
2007-05-16 18:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-05-16 18:26 <DIR> d-------- C:\Program Files\SlySoft
2007-05-15 18:00 <DIR> d-------- C:\Program Files\3DLivePool_at
2007-05-13 13:56 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\DivX
2007-05-13 13:35 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-13 13:35 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-13 13:35 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-12 16:28 <DIR> d-------- C:\Program Files\QuickTime
2007-05-12 11:20 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-05-11 18:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 05:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 05:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 05:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-08 11:35 73,928 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-05-06 17:23 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\vlc
2007-05-06 14:06 <DIR> d-------- C:\Program Files\VideoLAN
2007-05-06 05:10 <DIR> d-------- C:\Program Files\Uniblue
2007-05-06 04:58 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Uniblue
2007-05-05 13:06 <DIR> d-------- C:\Program Files\EA GAMES
2007-05-05 11:47 <DIR> d-------- C:\Program Files\Kontiki
2007-05-05 11:47 <DIR> d-------- C:\Program Files\Channel4
2007-05-04 22:31 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll
2007-05-04 22:31 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll
2007-05-04 22:31 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-04 22:31 65,536 --a------ C:\WINDOWS\system32\mplapx.dll
2007-05-04 22:31 65,536 --a------ C:\WINDOWS\system32\mplam6.dll
2007-05-04 22:31 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-05-04 22:31 152,064 --a------ C:\WINDOWS\system32\unrar.dll
2007-05-04 22:31 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll
2007-05-04 22:31 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll
2007-05-04 22:31 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll
2007-05-04 22:31 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll
2007-05-04 22:31 <DIR> d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-04-29 10:25 4 --a------ C:\WINDOWS\jknradee.sys
2007-04-27 00:42 <DIR> d-------- C:\Kontiki
2007-04-26 12:30 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2007-04-26 12:30 69,632 --a------ C:\WINDOWS\system32\Copy of GkSui18.EXE
2007-04-26 12:30 <DIR> d-------- C:\Program Files\Folding@Home
2007-04-24 19:54 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\CoreFTP
2007-04-24 17:42 247,608 --a------ C:\jre-1_5_0_07-windows-i586-p-iftw.exe
2007-04-23 23:45 <DIR> d-------- C:\Program Files\MagicISO
2007-04-23 01:15 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 01:15 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-04-23 01:15 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-04-23 01:02 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-04-23 01:02 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 01:02 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-04-23 01:02 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 01:02 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-04-23 01:02 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-04-23 01:02 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-04-23 01:02 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-04-23 01:01 124,472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-23 01:01 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 07:08:14 -------- d-----w C:\Program Files\SpeedFan
2007-05-21 21:55:56 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Skype
2007-05-21 21:03:31 -------- d-----w C:\Program Files\Yahoo!
2007-05-20 21:44:13 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-05-20 13:14:37 92,256 ----a-w C:\DOCUME~1\WILLIA~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-19 20:48:16 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-18 01:16:09 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\HP
2007-05-18 01:15:54 112,357 ----a-w C:\WINDOWS\hpoins07.dat
2007-05-17 23:58:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-13 12:35:33 -------- d-----w C:\Program Files\DivX
2007-05-12 11:43:45 -------- d-----w C:\Program Files\Apple Software Update
2007-05-06 13:53:48 4,338 ----a-w C:\WINDOWS\mozver.dat
2007-05-05 17:26:55 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-05 12:31:06 29,392 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-04 21:32:51 98,304 ----a-w C:\WINDOWS\system32\qttask.exe
2007-04-25 08:30:52 -------- d-----w C:\Program Files\iTunes
2007-04-23 00:15:25 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-21 19:49:58 -------- d-----w C:\Program Files\DVD Audio Extractor
2007-04-21 19:38:15 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\dvdcss
2007-04-20 15:37:02 -------- d-----w C:\Program Files\Selectsoft
2007-04-17 21:33:30 -------- d-----w C:\Program Files\MixVibesPro6DEMO
2007-04-15 21:36:51 -------- d-----w C:\Program Files\HP
2007-04-01 12:34:21 86,016 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2007-03-21 19:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-21 19:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-21 19:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-19 08:25:50 -------- d-----w C:\Program Files\iPod
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:10:34 -------- d-----w C:\Program Files\Tidy
2007-03-12 13:02:26 947,472 ----a-w C:\WINDOWS\system32\msjava.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 20:30:25 -------- d-----w C:\DOCUME~1\WILLIA~1\APPLIC~1\Ahead
2007-03-05 13:23:35 -------- d-----w C:\Program Files\DVD Shrink
2007-03-05 13:23:11 -------- d-----w C:\Program Files\DVD Decrypter
2007-03-05 11:05:38 -------- d-----w C:\Program Files\CambridgeSoft
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{074C1DC5-9320-4A9A-947D-C042949C6216}=C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 15:13]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2005-06-29 10:08]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2005-07-04 06:29]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2006-06-01 12:26]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-06-19 14:37]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-05-15 16:52]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Speed Fan"="C:\Program Files\SpeedFan\speedfan.exe" [2006-10-12 17:33]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"SoundMan"="SOUNDMAN.EXE" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"HD Tune"="C:\PROGRA~1\HDTUNE~1\HDTune.exe" [2007-01-22 02:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
"NoCDBurning"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"mount.exe"=C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"kdx"=C:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"SiSRaid"=C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"4oD"="C:\Program Files\Kontiki\KHost.exe" -all
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070521-230155-519
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab


backup-20070521-230155-425
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab


backup-20070521-230155-250
O2 - BHO: (no name) - {B941F689-4158-4922-B254-1A372E7E4C9A} - C:\WINDOWS\system32\ssqpo.dll (file missing)

backup-20070521-230155-802
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20070129-150032-144
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -


backup-20070129-150032-286
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -


backup-20061205-200412-499
O4 - HKLM\..\Run: [lwwmbon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lwwmbon.dll,ritsagd

backup-20061205-200412-530
O2 - BHO: (no name) - {68A59F17-3AE6-325C-69CB-02616E0C25CA} - C:\WINDOWS\system32\htgvzbd.dll

backup-20061205-200412-546
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\ssqpmjg.dll (file missing)

backup-20061205-200412-809
O2 - BHO: (no name) - {C447FAC1-0D7B-4DA1-BF7D-762EBA448F42} - C:\WINDOWS\system32\mljgf.dll (file missing)

backup-20061205-200412-662
O2 - BHO: (no name) - {56F51BFB-7315-7DEC-714A-02FDDF87298A} - C:\WINDOWS\system32\rxoxghd.dll

backup-20061205-200412-861
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)

backup-20061205-200412-490
O2 - BHO: (no name) - {3A8C993A-DD20-2BDE-103C-0BEA119B75A9} - C:\WINDOWS\system32\spknedl.dll

backup-20061205-200412-137
O2 - BHO: (no name) - {31358CFA-E65E-058B-4373-0A816F54BA8D} - C:\WINDOWS\system32\vkmspbi.dll

backup-20061205-200412-916
O2 - BHO: (no name) - {2501D0BD-5628-3180-587B-0386D666EC26} - C:\WINDOWS\system32\drfwbvk.dll

backup-20061205-200412-210
O2 - BHO: (no name) - {0C858766-7D94-25CC-7392-072284CA6772} - C:\WINDOWS\system32\dabyime.dll

backup-20061205-200412-521
O2 - BHO: (no name) - {1F1942A9-BE12-CCC2-8CAF-080E393257FC} - C:\WINDOWS\system32\cjlpwkf.dll

backup-20061205-200412-886
O2 - BHO: (no name) - {041425A9-E267-BBA5-A836-039A659B08FC} - C:\WINDOWS\system32\xyeicxb.dll

backup-20061205-191005-312
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

backup-20061205-191005-698
O18 - Filter: text/html - (no CLSID) - (no file)
Contents of the 'Scheduled Tasks' folder
2007-05-19 12:21:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-06 04:09:34 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-05-06 03:58:44 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 08:15:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-22 8:16:34


--- E O F ---
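
The backup entries in the log above record what was removed from this machine: BHOs registered with no name that point at seven-letter DLLs in system32, a Run entry that launches a DLL export through rundll32.exe, and a text/html filter with no CLSID and no file behind it. As an added example, not part of Will's post and not code from the HijackThis tool, here is a small Python triage script that parses entries in this backup format and flags those patterns. The heuristics (unnamed BHO, system32 location, random-looking name, rundll32 autorun, dangling registration) are my own assumptions chosen for illustration; the sample entries are constructed copies of the ones in the log; a flag means "worth an analyst's attention", not a verdict.

```python
import re

# Constructed sample in HijackThis backup format, modelled on the entries in this thread.
SAMPLE_LOG = r"""backup-20061205-200412-499
O4 - HKLM\..\Run: [lwwmbon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lwwmbon.dll,ritsagd

backup-20061205-200412-530
O2 - BHO: (no name) - {68A59F17-3AE6-325C-69CB-02616E0C25CA} - C:\WINDOWS\system32\htgvzbd.dll

backup-20061205-200412-546
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\ssqpmjg.dll (file missing)

backup-20061205-191005-312
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

backup-20061205-191005-698
O18 - Filter: text/html - (no CLSID) - (no file)
"""

# "O4 - <body>": section code followed by the entry body.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O2 body: "BHO: <name> - {<clsid>} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?: \((?P<note>file missing)\))?$"
)
# O4 body: "HKLM\..\Run: [<key>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# "<path>.dll,<export>" as passed to rundll32.exe
RUNDLL_RE = re.compile(r"(\S+\.dll),(\w+)", re.IGNORECASE)


def parse_backups(text):
    """Return a list of {'backup', 'section', 'body'} dicts, one per backup-<id> entry."""
    entries = []
    lines = [line.rstrip() for line in text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i].startswith("backup-") and i + 1 < len(lines):
            m = ENTRY_RE.match(lines[i + 1])
            if m:
                entries.append({"backup": lines[i], "section": m.group(1), "body": m.group(2)})
            i += 2
        else:
            i += 1
    return entries


def assess(entry):
    """Return the list of reasons this entry deserves attention (empty list = nothing flagged).

    The rules below are illustrative assumptions, not HijackThis logic."""
    reasons = []
    body = entry["body"]
    if entry["section"] == "O2":
        m = BHO_RE.match(body)
        if m:
            path = m.group("path")
            unnamed = m.group("name") == "(no name)"
            if unnamed:
                reasons.append("BHO without a registered name")
            if "\\system32\\" in path.lower():
                reasons.append("BHO loaded from system32")
            stem = path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            # Plain short lowercase stems are common for legitimate DLLs too,
            # so only count this when the BHO is also unnamed.
            if unnamed and re.fullmatch(r"[a-z]{5,8}", stem):
                reasons.append(f"random-looking DLL name '{stem}'")
            if m.group("note") == "file missing":
                reasons.append("dangling registration (file missing)")
    elif entry["section"] == "O4":
        m = RUN_RE.match(body)
        if m and "rundll32" in m.group("cmd").lower():
            target = RUNDLL_RE.search(m.group("cmd"))
            if target:
                dll, export = target.group(1), target.group(2)
                reasons.append(f"autorun via rundll32 loading {dll} export {export}")
                if "\\system32\\" in dll.lower():
                    reasons.append("rundll32 target lives in system32")
    elif entry["section"] == "O18":
        if "(no file)" in body:
            reasons.append("filter registration with no backing file")
    return reasons


def triage(text):
    """Map each backup id to the list of reasons it was flagged."""
    return {e["backup"]: assess(e) for e in parse_backups(text)}


if __name__ == "__main__":
    for backup, reasons in triage(SAMPLE_LOG).items():
        verdict = "FLAG" if reasons else "ok  "
        print(f"{verdict} {backup}: {'; '.join(reasons) or 'nothing notable'}")
```

Run it as a script to see the report for the constructed sample, or feed the contents of a real backups folder to `triage()`. Of the five sample entries, only the BitTorrent Run entry comes back with no reasons; everything else carries at least one of the patterns listed in the lead-in.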

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:28 PM

Posted 22 May 2007 - 10:22 AM

Hi Will,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.



Please read and follow How did I get infected?, With steps so it does not happen again!
as well as How to prevent Malware by miekiemoes.


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
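
A scripted equivalent of the restore-point reset in the post above, added here as an example and not part of SifuMike's instructions. The post's steps are for the Windows XP System Restore dialog; this version uses the Windows PowerShell cmdlets that exist on Windows 7 and later (Windows PowerShell 5.1, run from an elevated prompt), which is an assumption about the reader's system. The drive letter, file name and restore point description are also assumptions.

```powershell
# Added example (not from the thread): reset System Restore with Windows PowerShell.
# Assumes Windows 7 or later, Windows PowerShell 5.1, an elevated prompt, and C:\ as the system drive.
# Run once with -Phase Off, reboot, then once with -Phase On, mirroring steps 1 to 3 in the post.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Off", "On")]
    [string]$Phase,

    [string]$Drive = "C:\"
)

switch ($Phase) {
    "Off" {
        # Step 1: turning System Restore off discards every existing restore point,
        # including any that hold copies of the files that were just removed.
        Disable-ComputerRestore -Drive $Drive
        Write-Output "System Restore disabled on $Drive. Reboot, then run this script again with -Phase On."
    }
    "On" {
        # Step 3: re-enable protection and immediately take a clean baseline point,
        # so the first restore point on the machine is one taken after the cleanup.
        Enable-ComputerRestore -Drive $Drive
        Checkpoint-Computer -Description "Clean baseline after malware removal" -RestorePointType "MODIFY_SETTINGS"
        # List what now exists; only the new baseline should appear.
        Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
    }
}
```

Save it as, for example, `Reset-SystemRestore.ps1`, run `.\Reset-SystemRestore.ps1 -Phase Off`, reboot, then `.\Reset-SystemRestore.ps1 -Phase On`. Two caveats match the post's own "only do this ONCE" note: turning System Restore off is destructive by design, and on Windows 8 and later `Checkpoint-Computer` creates at most one restore point per 24 hours unless that throttle is changed, so a second run on the same day will not produce a new point.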

#14 binx1310

binx1310
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:03:28 PM

Posted 22 May 2007 - 11:26 AM

thanks for all your help.

i have donated to BC. you guys have helped me loads in the past so it is worth every penny

thanks again

will

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:28 PM

Posted 22 May 2007 - 11:34 AM

Thank you for the donation. I hope your computer continues to run smoothly. :thumbsup:

Edited by SifuMike, 29 May 2007 - 06:07 PM.




