Cid Popups Everytime On Ie7


  • This topic is locked
19 replies to this topic

#1 swmkong


Posted 25 May 2007 - 08:50 AM

Hello, first time at this... this is a HJT log. My computer has been coming up with popups every time I start IE7, but for the time being I'm using Mozilla Firefox. I have Norton Antivirus 2007, Ad-Aware Professional, Uniblue SpyEraser, Registry Booster 1.4 and SpeedUpMyPC; I also have Spybot S&D. The following is the log. The popups all have one thing in common: they all have "CiD" in the top left corner. PLEASE HELP!!!

Thanking you in advance!


Logfile of HijackThis v1.99.1
Scan saved at 11:41:46 PM, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bookownsboldthunk] C:\Documents and Settings\All Users\Application Data\Ref stupid book owns\AcidFor.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Admin Ace] C:\DOCUME~1\JASONK~1\APPLIC~1\DOWNLO~1\Mfcd Style.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175130127734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175134155765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Edited by swmkong, 25 May 2007 - 09:07 AM.



#2 RichieUK

  • Malware Response Team

Posted 25 May 2007 - 09:11 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, swmkong.

Click on Start>Control Panel>Add/Remove Programs.
Uninstall/remove any of the following programs if listed:
Netpumper
Bitroll
Bitgrabber
CiD Help / CiD Manager
Download Plugin for Internet Explorer
Zone Media

This is because they are often bundled with the malware you are dealing with.
Don't worry if none of them are present.
If you removed any of them, please restart your PC.

******************************

Download NoLop.exe to your desktop.

* First close any other programs you have running as this will require a reboot.
* Double click NoLop.exe to run it.
* Then click the button labelled "Search and Destroy".
* When scanning is finished you will be prompted to reboot only if infected; click 'OK'.
* Now click the "REBOOT" button.
* A message should pop up from NoLop; if not, double-click the program again and it will finish.
Post the contents of C:\NoLop.log and a new HijackThis log into your next reply.

If you receive the error that mscomctl.ocx or one of its dependencies is not correctly registered, please download this file to your 'System32' folder, then rerun the program: http://www.boletrice.com/downloads/mscomctl.ocx

#3 swmkong


Posted 25 May 2007 - 09:25 AM

Thank you for a fast reply! It said that it didn't have any infections. Here is the NoLop.log:



NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Jason Kong\Desktop
[26/05/2007]
[12:18:53 AM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Acd Systems
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Dvd Shrink
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Nexonus
C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Ref Stupid Book Owns
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Winzip -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Jason Kong\Application Data\Acd Systems
C:\Documents and Settings\Jason Kong\Application Data\Adobe
C:\Documents and Settings\Jason Kong\Application Data\Apple Computer
C:\Documents and Settings\Jason Kong\Application Data\Download Cast Skip
C:\Documents and Settings\Jason Kong\Application Data\Epson
C:\Documents and Settings\Jason Kong\Application Data\Hamachi
C:\Documents and Settings\Jason Kong\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Jason Kong\Application Data\Identities
C:\Documents and Settings\Jason Kong\Application Data\Lavasoft
C:\Documents and Settings\Jason Kong\Application Data\Limewire
C:\Documents and Settings\Jason Kong\Application Data\Macromedia
C:\Documents and Settings\Jason Kong\Application Data\Microsoft
C:\Documents and Settings\Jason Kong\Application Data\Mozilla
C:\Documents and Settings\Jason Kong\Application Data\Screenshot Sender
C:\Documents and Settings\Jason Kong\Application Data\Sun
C:\Documents and Settings\Jason Kong\Application Data\True Sword -- EMPTY Directory
C:\Documents and Settings\Jason Kong\Application Data\Uniblue
C:\Documents and Settings\Jason Kong\Application Data\Xfire
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Olivia Kong\Application Data\Adobe
C:\Documents and Settings\Olivia Kong\Application Data\Identities
C:\Documents and Settings\Olivia Kong\Application Data\Macromedia
C:\Documents and Settings\Olivia Kong\Application Data\Microsoft
C:\Documents and Settings\Olivia Kong\Application Data\Mozilla
C:\Documents and Settings\Olivia Kong\Application Data\Sun
C:\Documents and Settings\Steven Kong\Application Data\Adobe
C:\Documents and Settings\Steven Kong\Application Data\Identities
C:\Documents and Settings\Steven Kong\Application Data\Macromedia
C:\Documents and Settings\Steven Kong\Application Data\Microsoft
C:\Documents and Settings\Steven Kong\Application Data\Mozilla


Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:20:26 AM, on 26/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [bookownsboldthunk] C:\Documents and Settings\All Users\Application Data\Ref stupid book owns\AcidFor.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Admin Ace] C:\DOCUME~1\JASONK~1\APPLIC~1\DOWNLO~1\Mfcd Style.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175130127734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175134155765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Thanking you in advance!

Edited by swmkong, 25 May 2007 - 09:25 AM.


#4 RichieUK

  • Malware Response Team

Posted 25 May 2007 - 09:34 AM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O4 - HKLM\..\Run: [bookownsboldthunk] C:\Documents and Settings\All Users\Application Data\Ref stupid book owns\AcidFor.exe
O4 - HKCU\..\Run: [Admin Ace] C:\DOCUME~1\JASONK~1\APPLIC~1\DOWNLO~1\Mfcd Style.exe


Exit HijackThis, then find and delete:
C:\Documents and Settings\All Users\Application Data\Ref Stupid Book Owns
C:\Documents and Settings\Jason Kong\Application Data\Download Cast Skip

Still in Safe Mode, launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your pc is running now please.
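The two O4 entries RichieUK singles out for fixing, and the bare `ipmon.exe` entry that appears in the first log, can be picked out mechanically rather than by eye. The following Python script is an added example written for this page; it is not code from the thread or from the HijackThis project. It parses the `O4 - HKLM\..\Run:` / `O4 - HKCU\..\Run:` lines of a log, extracts the image path from the command line, and scores each entry on three cues: no directory in the command at all (the binary is then found through the search path, so the log does not say where it lives), an image under a profile's Application Data or Temp folder (writable without administrator rights), and a value name that shares no word with the file it launches. The sample lines are copied from the logs posted above; the weights, the threshold and the word heuristic are this example's own assumptions, not anything HijackThis does.

```python
r"""Triage the O4 Run entries of a HijackThis log (added example, not part of the thread).

A HijackThis O4 line for a registry Run value looks like
    O4 - HKLM\..\Run: [ValueName] <command line>
The scorer pulls the image path out of the command line and applies three
cues an analyst uses by eye on logs like the ones in this thread:
  * bare_name              no directory at all (ipmon.exe): resolved through
                           the search path, so the log does not say where it lives
  * user_writable_appdata  image under Documents and Settings\...\Application
                           Data or a Temp folder: writable without admin rights
  * name_mismatch          value name shares no word with the file it launches
                           (weak on its own: vendor entries do this too)
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the logs posted above, mixing the two
# entries RichieUK asked HijackThis to fix, the ipmon entry, and legitimate
# entries (Symantec, webcam driver, Nero, ctfmon) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bookownsboldthunk] C:\Documents and Settings\All Users\Application Data\Ref stupid book owns\AcidFor.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Admin Ace] C:\DOCUME~1\JASONK~1\APPLIC~1\DOWNLO~1\Mfcd Style.exe
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Weights and the reporting threshold are this example's own choices (assumption).
WEIGHTS = {"bare_name": 2, "user_writable_appdata": 3, "name_mismatch": 1}
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\docume~1\\")
DROP_MARKERS = ("\\application data\\", "\\applic~1\\",
                "\\local settings\\temp\\", "\\locals~1\\temp\\")


def image_path(cmd: str) -> str:
    """Executable part of a Run command line.

    Quoted commands end at the closing quote.  Unquoted ones may contain spaces
    ("Mfcd Style.exe") and trailing arguments, so cut at the first ".exe" that
    is followed by whitespace or end of line rather than at the first space.
    """
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _words(s: str) -> set[str]:
    """Lower-case words of 3+ characters split out of CamelCase, spaces or underscores."""
    parts = re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", s)
    return {p.lower() for p in parts if len(p) >= 3}


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)


def assess(hive: str, name: str, path: str) -> Finding:
    """Apply the three cues to one Run value."""
    f = Finding(hive, name, path)
    low = path.lower()
    if "\\" not in path:
        f.reasons.append("bare_name")
    if low.startswith(PROFILE_ROOTS) and any(m in low for m in DROP_MARKERS):
        f.reasons.append("user_writable_appdata")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not (_words(name) & _words(stem)):
        f.reasons.append("name_mismatch")
    return f


def triage(log_text: str, threshold: int = 2) -> list[Finding]:
    """Parse every O4 Run line; return entries scoring >= threshold, highest first."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            f = assess(m["hive"], m["name"], image_path(m["cmd"]))
            if f.score >= threshold:
                findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score}  {f.hive} [{f.name}] -> {f.path}  ({', '.join(f.reasons)})")
```

On the sample it reports `bookownsboldthunk` and `Admin Ace` (user-writable path plus a name unrelated to the file) and `ipmon` (bare file name), which are exactly the three entries the thread ends up acting on. The webcam entry `BigDogPath` trips only the weak name cue and stays below the threshold; that is the point of weighting it low, since a value name that differs from the binary is common in vendor software. Copy the whole `O4` section of a real log into `SAMPLE_LOG` to run it against another machine; Startup-folder `O4` lines use a different layout and are deliberately skipped.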

#5 swmkong


Posted 25 May 2007 - 06:53 PM

Thank you for a fast reply! Hey, sorry for not replying, but the scan took forever and I decided to go to sleep. I just woke up. THE DAMN POPUPS ARE STILL COMING!!!! But other than that the computer is fine. Only when IE7 starts, and then the popups come! Here are the reports.

AVG REPORT


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:36:54 AM 26/05/2007

+ Scan result:



C:\WINDOWS\system32\ipmon.exe -> Hijacker.Agent.is : Cleaned.
:mozilla.26:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jason Kong\Cookies\jason kong@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Steven Kong\Cookies\steven kong@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jason Kong\Cookies\jason kong@7search[2].txt -> TrackingCookie.7search : Cleaned.
:mozilla.171:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.172:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.113:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.116:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.117:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.118:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.34:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.73:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Steven Kong\Cookies\steven kong@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.131:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.138:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.139:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.140:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.141:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.142:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.143:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.74:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.99:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.92:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.93:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.94:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.95:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Jason Kong\Cookies\jason kong@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.24:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Jason Kong\Cookies\jason kong@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.79:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.80:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.81:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.82:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.83:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.132:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.133:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.134:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.135:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Jason Kong\Cookies\jason kong@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.146:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.147:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.75:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.137:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.44:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.47:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.48:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.60:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.61:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.66:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.67:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.68:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.76:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@ehg-volania.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Steven Kong\Cookies\steven kong@ehg-volania.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.27:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.28:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.53:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.54:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.55:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.56:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.58:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.59:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.17:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.76:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Jason Kong\Cookies\jason kong@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.14:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.29:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Steven Kong\Cookies\steven kong@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.11:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.100:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.101:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.96:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.97:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.98:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.99:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.33:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.34:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.35:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.36:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.37:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.38:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.39:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.40:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.41:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.42:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.43:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.165:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.166:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.167:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.168:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.169:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.170:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.57:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.58:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.63:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\Steven Kong\Cookies\steven kong@site.skype[1].txt -> TrackingCookie.Skype : Cleaned.
:mozilla.42:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.144:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Jason Kong\Cookies\jason kong@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.109:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.110:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.111:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.112:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.113:C:\Documents and Settings\Olivia Kong\Application Data\Mozilla\Firefox\Profiles\ym1ivkf7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.132:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.84:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.86:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.87:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.88:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.145:C:\Documents and Settings\Jason Kong\Application Data\Mozilla\Firefox\Profiles\33hvus4k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.43:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.49:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.50:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.51:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.52:C:\Documents and Settings\Steven Kong\Application Data\Mozilla\Firefox\Profiles\5266ep0z.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Olivia Kong\Cookies\olivia kong@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\Temp\win12.tmp.exe -> Trojan.Agent.qt : Cleaned.
C:\WINDOWS\Temp\win3D.tmp.exe -> Trojan.Agent.qt : Cleaned.


::Report end


HJT LOG


Logfile of HijackThis v1.99.1
Scan saved at 9:49:21 AM, on 26/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175130127734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175134155765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

THANKING YOU IN ADVANCE!!!!:thumbsup:

Edited by swmkong, 25 May 2007 - 06:56 PM.


#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 25 May 2007 - 11:35 PM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


*****************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply please.
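Every tool in the instructions above hands back a text log that the helper then reads by eye. As an added example that is not part of this thread and not a script from VundoFix, ComboFix or HijackThis, the Python below does that first pass mechanically: it parses HijackThis `Oxx`/`Rx` lines and ComboFix "Reg Loading Points" BHO lines and flags load points whose target file is gone, the state a machine is left in when a removal tool deletes a DLL but the registry key that loads it survives. The sample lines are constructed in the formats seen in this thread; reading an empty `[]` timestamp on a ComboFix BHO line as "DLL absent on disk" is an assumption of this example, as is the "Unknown owner" hint for O23 services.

```python
"""Added triage helper for HijackThis / ComboFix log lines.

Not a script from this thread or from any of the tools it mentions.  It flags
registry load points whose target file is gone: what is left behind when a
removal tool deletes a DLL but not the key that loads it.
"""
import re

# HijackThis entries look like "O23 - Service: name - owner - path".
HJT_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# ComboFix "Reg Loading Points" BHO entries look like "{CLSID}=path [timestamp]".
BHO_RE = re.compile(r"^\{([0-9A-Fa-f-]{36})\}=(.*?)\s*\[(.*?)\]\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Suffixes HijackThis appends when the referenced file cannot be found.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Constructed sample in the formats seen in the thread (not a real log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
{3409D09D-6A28-4E9C-997D-8457BA37A195}=C:\WINDOWS\system32\vaskeauv.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{E884EA54-AF25-4E59-93E8-F22944A63ABE}=C:\WINDOWS\system32\vtutt.dll []
"""


def hjt_target(section, rest):
    """Pull the file path out of the free-text part of a HijackThis line."""
    if section == "O4":                      # "[name] path args"
        end = rest.find("] ")
        return rest[end + 2:] if end >= 0 else rest
    return rest.rsplit(" - ", 1)[-1]         # the last " - " field is the path


def parse_line(line):
    """Classify one log line; returns a dict or None for lines of no interest."""
    line = line.rstrip()
    m = BHO_RE.match(line)
    if m:
        clsid, path, stamp = m.groups()
        reasons = []
        if not stamp.strip():                # assumption: empty [] means no file on disk
            reasons.append("BHO key present but its DLL has no on-disk timestamp")
        return {"kind": "BHO", "ident": "{" + clsid + "}",
                "target": path.strip(), "reasons": reasons}
    m = HJT_RE.match(line)
    if m:
        section, rest = m.groups()
        target = hjt_target(section, rest)
        reasons = []
        for marker in MISSING_MARKERS:
            if target.endswith(marker):
                target = target[: -len(marker)].strip()
                reasons.append("load point still present but target is %s" % marker)
        if section == "O23" and "Unknown owner" in rest:
            reasons.append("service binary carries no publisher name; verify by hand")
        ident = CLSID_RE.search(rest)
        return {"kind": section, "ident": ident.group(0) if ident else "",
                "target": target.strip('"'), "reasons": reasons}
    return None


def triage(log_text):
    """Return every parsed entry that has at least one reason to look at it."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry and entry["reasons"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print("%-4s %-40s %s" % (entry["kind"], entry["ident"], entry["target"]))
        for reason in entry["reasons"]:
            print("     - " + reason)
```

Run against the sample it reports the Yahoo! URLSearchHook, the xpnetdiag button, the EPSON service and the two BHO keys whose DLLs are gone, and says nothing about ccApp, the iPod service or the Java BHO. Feed it a real HijackThis or ComboFix log via `triage(open(path).read())` and the output is the short list a helper would ask to have fixed.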

#7 swmkong

swmkong
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:AUSTRALIA

Posted 26 May 2007 - 02:49 AM

The computer is FIXED mate! Thanks for your help and I much appreciated it. Here are the logs just in case. If anything is wrong please tell me. THANKS!

vundofix.txt log


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.11

Scan started at 4:43:24 PM 26/05/2007

Listing files found while scanning....


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.11

Scan started at 4:56:22 PM 26/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\hggheda.dll
C:\WINDOWS\system32\rqrropo.dll
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.tmp
C:\WINDOWS\system32\vtutt.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hggheda.dll
C:\WINDOWS\system32\hggheda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrropo.dll
C:\WINDOWS\system32\rqrropo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.tmp
C:\WINDOWS\system32\ttutv.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

Performing Repairs to the registry.
Done!

COMBO fix log

"Jason Kong" - 2007-05-26 17:31:15 Service Pack 2
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Jason Kong\Desktop\"

Rootkit driver xpdt is present. A rootkit scan is required

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\DOCUME~1\JASONK~1\Desktop.\internet explorer.lnk"


((((((((((((((((((((((((((((((( Files Created from 2007-04-26 to 2007-05-26 ))))))))))))))))))))))))))))))))))


2007-05-26 16:43 <DIR> d-------- C:\VundoFix Backups
2007-05-26 13:18 50,745 --a------ C:\WINDOWS\system32\dpxsdkgr.dll
2007-05-26 09:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-26 01:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-26 00:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-26 00:13 212 --a------ C:\delete.bat
2007-05-25 20:58 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\True Sword
2007-05-25 13:16 <DIR> d-------- C:\Program Files\RegistryCleaner
2007-05-25 07:51 557,741 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-05-25 07:48 60,574 --a------ C:\WINDOWS\system32\xpdt.sys
2007-05-25 07:48 1,536 --a------ C:\cwainda.exe
2007-05-24 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-05-24 17:56 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Help
2007-05-23 16:28 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-05-22 17:01 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Lavasoft
2007-05-22 16:48 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-22 16:21 17,480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-22 16:05 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Uniblue
2007-05-21 22:17 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-21 22:14 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-21 18:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-20 14:58 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Hamachi
2007-05-20 14:17 <DIR> d-------- C:\Program Files\DOWNLOAD CAST SKIP
2007-05-11 16:30 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\EPSON
2007-05-11 01:01 <DIR> d-------- C:\Program Files\Google
2007-05-10 19:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-10 19:32 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-10 01:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-05 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-02 17:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NexonUS
2007-05-02 13:16 <DIR> d-------- C:\Program Files\QuickTime
2007-05-01 13:56 <DIR> d-------- C:\Program Files\Skype
2007-05-01 13:56 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-05-01 13:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-04-30 07:48 78 --a------ C:\DOCUME~1\OLIVIA~1\APPLIC~1\wklnhst.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-25 23:44:01 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-25 14:06:14 -------- d-----w C:\Program Files\Yahoo!
2007-05-24 11:53:26 1,882 ----a-w C:\DOCUME~1\JASONK~1\APPLIC~1\wklnhst.dat
2007-05-23 06:28:44 -------- d-----w C:\Program Files\MSN Messenger
2007-05-22 06:25:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-21 09:51:23 -------- d-----w C:\Program Files\MessengerPlus! 3
2007-05-06 06:42:01 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\Xfire
2007-05-02 03:14:22 -------- d-----w C:\Program Files\Apple Software Update
2007-05-02 02:40:03 -------- d-----w C:\Program Files\Microsoft Money
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-16 10:59:08 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\ACD Systems
2007-04-16 09:52:31 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\Apple Computer
2007-04-13 01:10:38 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-13 01:09:57 -------- d-----w C:\Program Files\Microsoft Games
2007-04-07 05:44:07 -------- d-----w C:\Program Files\iPod
2007-04-03 03:31:53 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\LimeWire
2007-04-02 02:57:44 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-01 08:33:30 -------- d-----w C:\Program Files\Common Files\Nero
2007-04-01 08:31:37 -------- d-----w C:\Program Files\Ahead
2007-04-01 07:48:53 -------- d-----w C:\Program Files\PowerQuest
2007-04-01 07:47:57 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-01 07:46:05 -------- d-----w C:\Program Files\Common Files\ACD Systems
2007-04-01 07:46:05 -------- d-----w C:\Program Files\ACD Systems
2007-04-01 07:43:14 -------- d-----w C:\Program Files\PENTAX
2007-04-01 04:35:43 -------- d-----w C:\Program Files\Pinnacle
2007-04-01 00:07:49 -------- d-----w C:\Program Files\DV Studio2
2007-04-01 00:06:38 -------- d-----w C:\Program Files\DVD Shrink
2007-03-31 23:58:20 -------- d-----w C:\Program Files\Microsoft Works
2007-03-31 23:58:07 -------- d-----w C:\Program Files\MSBuild
2007-03-31 23:30:08 -------- d-----w C:\Program Files\Microsoft Works Suite 2004
2007-03-31 23:28:23 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll
2007-03-31 23:28:22 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-03-31 23:28:15 -------- d-----w C:\Program Files\CyberLink
2007-03-31 23:21:10 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-31 22:41:17 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\Screenshot Sender
2007-03-31 22:29:16 -------- d-----w C:\Program Files\Messenger
2007-03-31 22:14:15 -------- d-----w C:\Program Files\Symantec
2007-03-31 22:14:12 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-31 22:14:12 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-03-29 14:55:26 -------- d-----w C:\Program Files\Movie Maker
2007-03-29 14:53:18 -------- d-----w C:\Program Files\Windows NT
2007-03-29 10:04:04 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-29 10:04:02 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-29 01:13:50 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-29 00:54:13 -------- d-----w C:\Program Files\Norton AntiVirus
2007-03-29 00:39:34 -------- d-----w C:\Program Files\EPSON
2007-03-29 00:39:02 -------- d-----w C:\Program Files\ArcSoft
2007-03-29 00:37:48 -------- d-----w C:\Program Files\Common Files\Python
2007-03-29 00:35:53 -------- d-----w C:\Program Files\Common Files\EPSON
2007-03-29 00:27:54 -------- d-----w C:\Program Files\Analog Devices
2007-03-29 00:27:53 44 ----a-w C:\WINDOWS\system32\msssc.dll
2007-03-29 00:20:09 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-29 00:20:01 0 --sha-r C:\MSDOS.SYS
2007-03-29 00:20:01 0 --sha-r C:\IO.SYS
2007-03-29 00:20:01 0 ----a-w C:\CONFIG.SYS
2007-03-29 00:20:01 0 ----a-w C:\AUTOEXEC.BAT
2007-03-29 00:18:08 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-29 00:17:47 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-29 00:17:07 -------- d-----w C:\Program Files\Online Services
2007-03-29 00:16:56 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 03:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}=C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2007-04-20 17:51]
{3409D09D-6A28-4E9C-997D-8457BA37A195}=C:\WINDOWS\system32\vaskeauv.dll []
{4B646AFB-9341-4330-8FD1-C32485AEE619}=C:\WINDOWS\system32\dpxsdkgr.dll [2007-05-26 13:18]
{53707962-6F74-2D53-2644-206D7942484F}=F:\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7789BEEC-9CF0-472A-BB6E-7FC7830836E9}=C:\WINDOWS\system32\vaskeauv.dll []
{E884EA54-AF25-4E59-93E8-F22944A63ABE}=C:\WINDOWS\system32\vtutt.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 11:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"!AVG Anti-Spyware"="F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="F:\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-29 00:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed3b88c-dfde-11db-b2e7-000ea6121e47}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070526-005723-722
O4 - HKCU\..\Run: [Admin Ace] C:\DOCUME~1\JASONK~1\APPLIC~1\DOWNLO~1\Mfcd Style.exe

backup-20070526-005723-942
O4 - HKLM\..\Run: [bookownsboldthunk] C:\Documents and Settings\All Users\Application Data\Ref stupid book owns\AcidFor.exe

backup-20070525-235146-606
O4 - HKLM\..\Run: [ipmon] ipmon.exe

Contents of the 'Scheduled Tasks' folder
2007-05-23 03:14:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-25 10:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Alex Kong.job
2007-05-21 09:52:29 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-05-21 09:52:27 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-05-21 08:56:48 C:\WINDOWS\tasks\Uniblue SpyEraser.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 17:36:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-26 17:38:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-26 17:38

--- E O F ---

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 5:44:26 PM, on 26/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {3409D09D-6A28-4E9C-997D-8457BA37A195} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\dpxsdkgr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7789BEEC-9CF0-472A-BB6E-7FC7830836E9} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {E884EA54-AF25-4E59-93E8-F22944A63ABE} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175130127734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175134155765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

THANKS, CHECK IF ANYTHING WRONG if nothing wrong then leave it

THANKS :thumbsup::flowers::D:D

#8 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts
  • Local time:09:45 AM

Posted 26 May 2007 - 03:07 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\cwainda.exe
C:\WINDOWS\system32\dpxsdkgr.dll

Folders to delete:
C:\Program Files\RegistryCleaner
C:\WINDOWS\system32\RegistryCleanerSetup.exe
C:\Program Files\DOWNLOAD CAST SKIP

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

********************************

Download AVG Anti-Rootkit and save to your desktop
1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use notepad to open the .csv file). Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

Restart your PC, post a new Hijackthis log please.

#9 swmkong
  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:AUSTRALIA
  • Local time:06:45 PM

Posted 26 May 2007 - 10:55 AM

HERES THE AVENGER LOG I GOT NO AVG ROOTKIT BECAUSE THERE WAS NOTHING FOUND!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uwbgorik

*******************

Script file located at: \??\C:\Program Files\raeroduo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\cwainda.exe deleted successfully.
File C:\WINDOWS\system32\dpxsdkgr.dll deleted successfully.
Folder C:\Program Files\RegistryCleaner deleted successfully.


Error: C:\WINDOWS\system32\RegistryCleanerSetup.exe is not a folder! It may instead be a file.
Deletion of folder C:\WINDOWS\system32\RegistryCleanerSetup.exe failed!

Could not process line:
C:\WINDOWS\system32\RegistryCleanerSetup.exe
Status: 0xc0000103

Folder C:\Program Files\DOWNLOAD CAST SKIP deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


HJT LOG


Logfile of HijackThis v1.99.1
Scan saved at 1:51:47 AM, on 27/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {3409D09D-6A28-4E9C-997D-8457BA37A195} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\dpxsdkgr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {709AFF26-6BB0-4AD3-A3A3-1286592465D6} - C:\WINDOWS\system32\pmnmnmk.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7789BEEC-9CF0-472A-BB6E-7FC7830836E9} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {D6137F7D-B729-47D8-9F70-F5D8D6F324F3} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {E884EA54-AF25-4E59-93E8-F22944A63ABE} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175130127734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175134155765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll
O20 - Winlogon Notify: pmnmnmk - C:\WINDOWS\SYSTEM32\pmnmnmk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

THANKING YOU IN ADVANCE!!!!:thumbsup::flowers:

Edited by swmkong, 26 May 2007 - 10:56 AM.


#10 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts
  • Local time:09:45 AM

Posted 26 May 2007 - 11:04 AM

Start up Avenger again.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\RegistryCleanerSetup.exe
C:\WINDOWS\system32\pmnmnmk.dll
C:\WINDOWS\system32\pmnlm.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*****************************

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.

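The Avenger scripts in this thread were built by hand from the HijackThis log: unnamed O2 BHOs and unknown O20 Winlogon Notify DLLs sitting in system32 became "Files to delete:" entries, while entries already marked "(file missing)" only needed their registry key fixed. As an added example (not code from the thread, from HijackThis or from Avenger), this Python script applies that triage to HJT lines copied from the log above and emits the matching "Files to delete:" block; the C:\WINDOWS\system32 prefix and the WgaLogon allow-list are assumptions, and every candidate still needs the manual confirmation the helper gave here before anything is deleted.

```python
import re

# Assumptions (not from the thread): Windows lives in C:\WINDOWS as the log shows,
# and WgaLogon is the only Winlogon Notify package treated as known-good.
SYSTEM32 = "c:\\windows\\system32\\"
KNOWN_GOOD_NOTIFY = {"wgalogon"}
MISSING = " (file missing)"

# HijackThis v1.99.1 line shapes for the entry types acted on in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: .+ - (?P<path>.+)$")


def _present_or_orphan(path):
    """Decide what to do with a DLL path taken from an O2 or O20 entry."""
    if path.endswith(MISSING):
        # The loader entry survived but the DLL is gone: fix the registry key,
        # there is nothing for Avenger to delete.
        return ("orphan", path[: -len(MISSING)])
    if path.lower().startswith(SYSTEM32):
        # Unnamed loader pointing at a DLL in system32: the pattern every
        # Vundo-style DLL in this thread followed. Candidate, not a verdict.
        return ("delete", path)
    # Unnamed but outside system32 (e.g. Spybot's SDHelper.dll): look it up by hand.
    return ("review", path)


def classify(line):
    """Return (category, item) for one HJT line, or None if it is not of interest.

    delete  - DLL present on disk, loaded by an unnamed BHO or unknown notify package
    orphan  - registry entry whose DLL is already gone (or a CLSID with no file at all)
    review  - unnamed loader outside system32; needs a manual look, not automatic action
    quirk   - O23 line that HJT 1.99.1 reports as '(file missing)' only because the
              service ImagePath carries a stray quote and arguments (the Symantec
              ccSvcHst.exe process is running in the same log, so it is not missing)
    """
    m = O2_RE.match(line)
    if m:
        if m.group("name") != "(no name)":
            return None
        if m.group("path") == "(no file)":
            return ("orphan", "{%s}" % m.group("clsid"))
        return _present_or_orphan(m.group("path"))
    m = O20_RE.match(line)
    if m:
        if m.group("key").lower() in KNOWN_GOOD_NOTIFY:
            return None
        return _present_or_orphan(m.group("path"))
    m = O23_RE.match(line)
    if m and '"' in m.group("path") and m.group("path").endswith("(file missing)"):
        return ("quirk", m.group("path"))
    return None


def triage(lines):
    """Group HJT log lines by category, de-duplicated case-insensitively
    (the same DLL shows up once as an O2 BHO and again as an O20 notify package)."""
    result = {"delete": [], "orphan": [], "review": [], "quirk": []}
    seen = set()
    for line in lines:
        hit = classify(line.rstrip("\r\n"))
        if hit is None:
            continue
        category, item = hit
        key = (category, item.lower())
        if key in seen:
            continue
        seen.add(key)
        result[category].append(item)
    return result


def avenger_script(paths):
    """Render delete candidates in the Avenger 'Files to delete:' form used in the thread."""
    return "Files to delete:\n" + "\n".join(paths)


# Sample input: lines copied from the HijackThis log posted above in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {3409D09D-6A28-4E9C-997D-8457BA37A195} - C:\WINDOWS\system32\vaskeauv.dll (file missing)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {709AFF26-6BB0-4AD3-A3A3-1286592465D6} - C:\WINDOWS\system32\pmnmnmk.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll",
    r"O2 - BHO: (no name) - {D6137F7D-B729-47D8-9F70-F5D8D6F324F3} - C:\WINDOWS\system32\pmnlm.dll",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll",
    r"O20 - Winlogon Notify: pmnmnmk - C:\WINDOWS\SYSTEM32\pmnmnmk.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)",
    r'O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)',
]

if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for category, items in report.items():
        print(category, items)
    print(avenger_script(report["delete"]))
```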

#11 swmkong
  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:AUSTRALIA
  • Local time:06:45 PM

Posted 27 May 2007 - 07:03 AM

here are the logs richieuk.... thanks so far for your help

AVENGER LOG

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\myikdcoi

*******************

Script file located at: \??\C:\WINDOWS\system32\uixwrhwi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\RegistryCleanerSetup.exe deleted successfully.
File C:\WINDOWS\system32\pmnmnmk.dll deleted successfully.
File C:\WINDOWS\system32\pmnlm.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

COMBOFIX LOG

"Jason Kong" - 2007-05-27 21:28:20 Service Pack 2
ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Jason Kong\Desktop\"

Rootkit driver xpdt is present. A rootkit scan is required

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\rqrqono.dll
C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\mlnmp.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-27 21:25 <DIR> d-------- C:\avenger
2007-05-27 00:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-26 17:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-26 16:43 <DIR> d-------- C:\VundoFix Backups
2007-05-26 09:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-26 01:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-26 00:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-26 00:13 212 --a------ C:\delete.bat
2007-05-25 20:58 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\True Sword
2007-05-25 07:48 60,574 --a------ C:\WINDOWS\system32\xpdt.sys
2007-05-24 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-05-24 17:56 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Help
2007-05-23 16:28 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-05-22 17:01 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Lavasoft
2007-05-22 16:48 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-22 16:21 17,480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-05-22 16:05 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Uniblue
2007-05-21 22:17 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-21 22:14 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-21 18:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-20 14:58 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\Hamachi
2007-05-11 16:30 <DIR> d-------- C:\DOCUME~1\JASONK~1\APPLIC~1\EPSON
2007-05-11 01:01 <DIR> d-------- C:\Program Files\Google
2007-05-10 19:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-10 19:32 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-10 01:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-05 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-02 17:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NexonUS
2007-05-02 13:16 <DIR> d-------- C:\Program Files\QuickTime
2007-05-01 13:56 <DIR> d-------- C:\Program Files\Skype
2007-05-01 13:56 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-05-01 13:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-04-30 07:48 78 --a------ C:\DOCUME~1\OLIVIA~1\APPLIC~1\wklnhst.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 10:02:52 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-25 14:06:14 -------- d-----w C:\Program Files\Yahoo!
2007-05-24 11:53:26 1,882 ----a-w C:\DOCUME~1\JASONK~1\APPLIC~1\wklnhst.dat
2007-05-23 06:28:44 -------- d-----w C:\Program Files\MSN Messenger
2007-05-22 06:25:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-21 09:51:23 -------- d-----w C:\Program Files\MessengerPlus! 3
2007-05-06 06:42:01 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\Xfire
2007-05-02 03:14:22 -------- d-----w C:\Program Files\Apple Software Update
2007-05-02 02:40:03 -------- d-----w C:\Program Files\Microsoft Money
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-16 10:59:08 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\ACD Systems
2007-04-16 09:52:31 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\Apple Computer
2007-04-13 01:10:38 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-13 01:09:57 -------- d-----w C:\Program Files\Microsoft Games
2007-04-07 05:44:07 -------- d-----w C:\Program Files\iPod
2007-04-03 03:31:53 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\LimeWire
2007-04-02 02:57:44 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-01 08:33:30 -------- d-----w C:\Program Files\Common Files\Nero
2007-04-01 08:31:37 -------- d-----w C:\Program Files\Ahead
2007-04-01 07:48:53 -------- d-----w C:\Program Files\PowerQuest
2007-04-01 07:47:57 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-01 07:46:05 -------- d-----w C:\Program Files\Common Files\ACD Systems
2007-04-01 07:46:05 -------- d-----w C:\Program Files\ACD Systems
2007-04-01 07:43:14 -------- d-----w C:\Program Files\PENTAX
2007-04-01 04:35:43 -------- d-----w C:\Program Files\Pinnacle
2007-04-01 00:07:49 -------- d-----w C:\Program Files\DV Studio2
2007-04-01 00:06:38 -------- d-----w C:\Program Files\DVD Shrink
2007-03-31 23:58:20 -------- d-----w C:\Program Files\Microsoft Works
2007-03-31 23:58:07 -------- d-----w C:\Program Files\MSBuild
2007-03-31 23:30:08 -------- d-----w C:\Program Files\Microsoft Works Suite 2004
2007-03-31 23:28:23 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll
2007-03-31 23:28:22 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-03-31 23:28:15 -------- d-----w C:\Program Files\CyberLink
2007-03-31 23:21:10 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-31 22:41:17 -------- d-----w C:\DOCUME~1\JASONK~1\APPLIC~1\Screenshot Sender
2007-03-31 22:29:16 -------- d-----w C:\Program Files\Messenger
2007-03-31 22:14:15 -------- d-----w C:\Program Files\Symantec
2007-03-31 22:14:12 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-31 22:14:12 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-03-29 14:55:26 -------- d-----w C:\Program Files\Movie Maker
2007-03-29 14:53:18 -------- d-----w C:\Program Files\Windows NT
2007-03-29 10:04:04 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-29 10:04:02 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-29 01:13:50 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-29 00:54:13 -------- d-----w C:\Program Files\Norton AntiVirus
2007-03-29 00:39:34 -------- d-----w C:\Program Files\EPSON
2007-03-29 00:39:02 -------- d-----w C:\Program Files\ArcSoft
2007-03-29 00:37:48 -------- d-----w C:\Program Files\Common Files\Python
2007-03-29 00:35:53 -------- d-----w C:\Program Files\Common Files\EPSON
2007-03-29 00:27:54 -------- d-----w C:\Program Files\Analog Devices
2007-03-29 00:27:53 44 ----a-w C:\WINDOWS\system32\msssc.dll
2007-03-29 00:20:09 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-29 00:20:01 0 --sha-r C:\MSDOS.SYS
2007-03-29 00:20:01 0 --sha-r C:\IO.SYS
2007-03-29 00:20:01 0 ----a-w C:\CONFIG.SYS
2007-03-29 00:20:01 0 ----a-w C:\AUTOEXEC.BAT
2007-03-29 00:18:08 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-29 00:17:47 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-29 00:17:07 -------- d-----w C:\Program Files\Online Services
2007-03-29 00:16:56 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 03:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}=C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2007-04-20 17:51]
{3409D09D-6A28-4E9C-997D-8457BA37A195}=C:\WINDOWS\system32\vaskeauv.dll []
{4B646AFB-9341-4330-8FD1-C32485AEE619}=C:\WINDOWS\system32\dpxsdkgr.dll []
{53707962-6F74-2D53-2644-206D7942484F}=F:\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5AA279AF-B948-4384-BE0D-8F844CD722D0}=C:\WINDOWS\system32\pmnlm.dll []
{709AFF26-6BB0-4AD3-A3A3-1286592465D6}=C:\WINDOWS\system32\pmnmnmk.dll []
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7789BEEC-9CF0-472A-BB6E-7FC7830836E9}=C:\WINDOWS\system32\vaskeauv.dll []
{D6137F7D-B729-47D8-9F70-F5D8D6F324F3}=C:\WINDOWS\system32\pmnlm.dll []
{E884EA54-AF25-4E59-93E8-F22944A63ABE}=C:\WINDOWS\system32\vtutt.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 11:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"!AVG Anti-Spyware"="F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="F:\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-29 00:13]
"{709AFF26-6BB0-4AD3-A3A3-1286592465D6}"="C:\WINDOWS\system32\pmnmnmk.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlm]
C:\WINDOWS\system32\pmnlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmnmk]
pmnmnmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed3b88c-dfde-11db-b2e7-000ea6121e47}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe


Contents of the 'Scheduled Tasks' folder
2007-05-23 03:14:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-25 10:00:00 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Alex Kong.job
2007-05-21 09:52:29 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-05-21 09:52:27 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-05-21 08:56:48 C:\WINDOWS\tasks\Uniblue SpyEraser.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 21:43:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 21:44:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 21:44
C:\ComboFix2.txt ... 2007-05-26 17:38

--- E O F ---


HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 9:56:29 PM, on 27/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {3409D09D-6A28-4E9C-997D-8457BA37A195} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\dpxsdkgr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AA279AF-B948-4384-BE0D-8F844CD722D0} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {709AFF26-6BB0-4AD3-A3A3-1286592465D6} - C:\WINDOWS\system32\pmnmnmk.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7789BEEC-9CF0-472A-BB6E-7FC7830836E9} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {D6137F7D-B729-47D8-9F70-F5D8D6F324F3} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {E884EA54-AF25-4E59-93E8-F22944A63ABE} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175130127734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175134155765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll (file missing)
O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

THANKING YOU IN ADVANCE AND FOR HELPING ME

swmkong

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 27 May 2007 - 07:12 AM

Download rustbfix.exe and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe
Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will be asked to reboot the computer.
The reboot will probably take quite a while; possibly two reboots will be needed. This should happen automatically.
After the reboot two logfiles will/should open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

Post the contents of those logfiles along with a new HijackThis log.

#13 swmkong (Topic Starter, Members, 14 posts, Location: AUSTRALIA)

Posted 27 May 2007 - 07:31 AM

Hey RichieUK, here are the logs.

pelog.txt LOG

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Sun 27/05/2007 22:18:07.81

******************* Pre-run Status of system *******************

Rootkit driver xpdt is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


avenger.txt LOG

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rohalcgk

*******************

Script file located at: \??\C:\utjgdfwl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver xpdt unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 10:26:09 PM, on 27/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {3409D09D-6A28-4E9C-997D-8457BA37A195} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\dpxsdkgr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AA279AF-B948-4384-BE0D-8F844CD722D0} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {709AFF26-6BB0-4AD3-A3A3-1286592465D6} - C:\WINDOWS\system32\pmnmnmk.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7789BEEC-9CF0-472A-BB6E-7FC7830836E9} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {D6137F7D-B729-47D8-9F70-F5D8D6F324F3} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {E884EA54-AF25-4E59-93E8-F22944A63ABE} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175130127734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175134155765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll (file missing)
O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


THANKING YOU IN ADVANCE!!!

SWMKONG

Edited by swmkong, 27 May 2007 - 07:31 AM.


#14 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 27 May 2007 - 07:42 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {3409D09D-6A28-4E9C-997D-8457BA37A195} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\dpxsdkgr.dll (file missing)
O2 - BHO: (no name) - {5AA279AF-B948-4384-BE0D-8F844CD722D0} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {709AFF26-6BB0-4AD3-A3A3-1286592465D6} - C:\WINDOWS\system32\pmnmnmk.dll (file missing)
O2 - BHO: (no name) - {7789BEEC-9CF0-472A-BB6E-7FC7830836E9} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {D6137F7D-B729-47D8-9F70-F5D8D6F324F3} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O2 - BHO: (no name) - {E884EA54-AF25-4E59-93E8-F22944A63ABE} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll (file missing)
O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)


Exit HijackThis.

********************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control; please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Restart your pc.
Post the BitDefender Online Scanner log and a new HijackThis log into your next reply.
Let me know how your pc is running now.

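The fix list above is built by eye from the HijackThis log: O2 and O20 entries whose target is reported "(file missing)" or "(no file)", unnamed BHOs living in system32, and Winlogon Notify packages that are not part of Windows. The script below is an added example, not code from this thread, from HijackThis or from BleepingComputer, that applies those same triage rules to log lines automatically. The sample lines are constructed for the example (modelled on the log above, with two variants added: a BHO whose DLL is still present and a Notify entry without the "(file missing)" marker), the Winlogon Notify allow-list is an assumption based on a stock XP SP2 install plus WgaLogon, and the "unnamed BHO in system32" rule is a heuristic of the example, not HijackThis logic.

```python
"""Triage HijackThis 1.99-style log lines for orphaned or suspect autostarts.

Added example; the rules are this example's own heuristics, not HijackThis
logic. SAMPLE_LOG is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis 1.99.1 line format. The pmnlm.dll line
# without "(file missing)" and the winbjt32 line without it are variants
# written for this example.
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {3409D09D-6A28-4E9C-997D-8457BA37A195} - C:\WINDOWS\system32\vaskeauv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: pmnmnmk - pmnmnmk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O2 - BHO: (no name) - {5AA279AF-B948-4384-BE0D-8F844CD722D0} - C:\WINDOWS\system32\pmnlm.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
"""

# HijackThis appends these when the referenced file cannot be found.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Assumed allow-list: Winlogon\Notify packages on a stock XP SP2 install
# plus Microsoft's WGA notifier. Extend it for your own build image.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

# "O2 - BHO: ...", "R1 - HKLM\...", "F2 - ..." all share this prefix shape.
LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O2", "O20"
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it looks benign."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()

    # Rule 1: target gone but registry loading point still present. Worth
    # removing regardless of section; a dropper can repopulate the file.
    if body.endswith(ORPHAN_MARKERS):
        return Finding(section, "orphaned loading point: registry entry kept, target not found", line)

    # Rule 2: legitimate BHOs carry a name and live under Program Files;
    # an unnamed one loaded from system32 is how the entries above look.
    if section == "O2" and "(no name)" in body and "\\system32\\" in body.lower():
        return Finding(section, "unnamed BHO loaded from system32", line)

    # Rule 3: Winlogon Notify DLLs run inside winlogon.exe at every logon;
    # anything outside the allow-list gets a look, and a bare filename
    # means the DLL is resolved through the search path rather than a path.
    if section == "O20" and body.startswith("Winlogon Notify: "):
        name, _, target = body[len("Winlogon Notify: "):].partition(" - ")
        if name not in KNOWN_NOTIFY:
            where = "bare filename (resolved via DLL search path)" if "\\" not in target else target
            return Finding(section, f"Winlogon Notify package not on allow-list: {where}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a HijackThis log and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        f = classify(raw)
        if f is not None:
            findings.append(f)
    return findings


def sections_hit(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated section codes that produced findings."""
    return sorted({f.section for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Two caveats on reading the output. First, an orphan is not automatically malware: the EpsonBidirectionalService line is flagged by the same rule as the pmnmnmk entry, and only a human decides which of them belongs in the HijackThis fix list. Second, "(file missing)" comes from a user-mode tool. In this thread the 9:56 PM HijackThis log reported those DLLs missing while, by the 22:18 rustbfix log, the xpdt rootkit driver was still loaded, so the marker is a hint that the loading point is stale, not proof that the file is gone.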

#15 swmkong (Topic Starter, Members, 14 posts, Location: AUSTRALIA)

Posted 27 May 2007 - 07:57 AM

Hey, I can't do this now. I'm going to sleep now, sorry. I will apply the actions tomorrow, but I have school, so maybe at 5:00 my time. See you later.

swmkong



