Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Kbrady Hijack This Log


  • Please log in to reply
3 replies to this topic

#1 kbrady

kbrady

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 02 June 2007 - 03:01 PM

I've used spysweeper among a host of others...avg, vcleaner, etc... and I've quarantined and deleted everything they found. I even sent my hijack this log through a parser so I wouldn't have to bother anyone , maybe that was a bad idea. My computer is getting bombarded with ads, browser hijacking among others and avg is finding a least two trojans everytime i'm at the computer. Please help me remedy this problem.

here is my log

Logfile of HijackThis v1.99.1
Scan saved at 3:55:26 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0E3DHM] "C:\PROGRA~1\COMMON~1\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ResChanger 2005] "C:\Program Files\ResChanger 2005\ResChanger2005.exe"
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145212251765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 02 June 2007 - 03:29 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum kbrady :thumbsup:

My name is Richie and i'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

***************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


***************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to xyz.bat
Double click on xyz.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 kbrady

kbrady
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 02 June 2007 - 09:22 PM

Got email telling me to scan my computer and post logs for hijakc this (xyz.bat), combofix and vendu. here are the results

combo fix log

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jbtmecpo.dll
C:\WINDOWS\system32\kmkwhfss.dll
C:\WINDOWS\system32\opqss.bak1
C:\WINDOWS\system32\opqss.bak2
C:\WINDOWS\system32\opqss.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 )))))))))))))))))))))))))))))))


2007-06-02 21:39 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-06-02 17:26 <DIR> d-------- C:\VundoFix Backups
2007-06-01 19:31 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-01 19:31 <DIR> d-------- C:\Program Files\Hamachi
2007-06-01 19:31 <DIR> d-------- C:\DOCUME~1\FUNKMA~1\APPLIC~1\Hamachi
2007-06-01 19:20 83,552 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-06-01 19:20 63,040 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-06-01 19:20 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-06-01 19:20 26,176 --a------ C:\WINDOWS\system32\LMIport.dll
2007-06-01 12:49 131,124 --a------ C:\WINDOWS\system32\ixdatiwy.dll
2007-06-01 04:22 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-26 20:13 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-05-26 20:11 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-26 20:11 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-26 20:11 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-26 20:11 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-26 20:11 <DIR> d-------- C:\Program Files\Webroot
2007-05-26 20:11 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-26 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-26 20:10 <DIR> d-------- C:\DOCUME~1\FUNKMA~1\APPLIC~1\Webroot
2007-05-25 15:22 24,000 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-05-25 15:22 10,304 --a------ C:\WINDOWS\system32\lmimirr2.dll
2007-05-21 20:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-05-21 19:45 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2007-05-21 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-05-21 19:28 <DIR> d-------- C:\Program Files\Bonjour
2007-05-21 19:24 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-05-21 18:13 <DIR> d-------- C:\Program Files\PowerISO
2007-05-15 16:14 <DIR> d-------- C:\DOCUME~1\FUNKMA~1\APPLIC~1\uTorrent
2007-05-12 17:09 <DIR> d-------- C:\DOCUME~1\FUNKMA~1\APPLIC~1\Azureus
2007-05-12 17:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-12 16:38 <DIR> d-------- C:\Program Files\Snapshot
2007-05-11 03:58 <DIR> d-------- C:\DOCUME~1\FUNKMA~1\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-05-11 03:51 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-05-11 03:46 <DIR> d-------- C:\Program Files\Electronic Arts


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 02:05:41 -------- d-----w C:\Program Files\PeerGuardian2
2007-06-01 22:48:45 20,352 ----a-w C:\DOCUME~1\FUNKMA~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-31 23:28:11 -------- d-----w C:\Program Files\Advanced System Optimizer
2007-05-11 07:38:14 -------- d-----w C:\Program Files\EA GAMES
2007-05-11 07:38:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-11 07:35:37 -------- d-----w C:\DOCUME~1\FUNKMA~1\APPLIC~1\My Games
2007-04-17 18:00:30 10,144 ----a-w C:\WINDOWS\system32\drivers\lmimirr.sys
2007-04-09 12:27:07 31,548 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2007-03-15 23:16:20 335 -c--a-w C:\WINDOWS\mozregistry.dat
2007-03-15 23:06:14 335 -c--a-w C:\WINDOWS\nsreg.dat
2007-03-15 23:06:02 11,942 -c--a-w C:\WINDOWS\mozver.dat
2007-03-15 23:05:53 118,784 -c--a-w C:\WINDOWS\GREUninstall.exe
2007-03-12 23:41:21 4 ------w C:\WINDOWSRegDefrag.dat
2007-03-12 00:18:20 92,672 -c--a-w C:\WINDOWS\system32\KillBox.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0827F5ED-210C-4F4A-83A5-BE9E5732EAA9}=C:\WINDOWS\system32\ddayy.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-11 03:36]
"@"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=0
"NoLowDiskSpaceChecks"=0
"NoInstrumentation"=0 (0x0)
"HideClock"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"StartmenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoThemesTab"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\pptp32.sys]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\pptp64.sys]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless PCI Card Configuration Utility.lnk]
backup=C:\WINDOWS\pss\Wireless PCI Card Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
"C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAM Idle Professional]
C:\Program Files\RAM Idle\RAM_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - PGFILTER

Contents of the 'Scheduled Tasks' folder
2007-06-01 21:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-03-12 04:11:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-02 22:07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-02 22:08:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-02 22:08

--- E O F ---


vendufix.log


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:26:01 PM 6/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\fmltcuvq.dll
C:\WINDOWS\system32\khfddde.dll
C:\WINDOWS\system32\qvuctlmf.ini
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\yyadd.bak2
C:\WINDOWS\system32\yyadd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\awvvu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\ddayy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fmltcuvq.dll
C:\WINDOWS\system32\fmltcuvq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfddde.dll
C:\WINDOWS\system32\khfddde.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qvuctlmf.ini
C:\WINDOWS\system32\qvuctlmf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\uvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\yyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.bak2
C:\WINDOWS\system32\yyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini Has been deleted!

Performing Repairs to the registry.
Done!

and hijack this log (renamed xyz.bat)

Logfile of HijackThis v1.99.1
Scan saved at 10:13:24 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\xyz.bat.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0827F5ED-210C-4F4A-83A5-BE9E5732EAA9} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145212251765
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:48 PM

Posted 03 June 2007 - 12:26 PM

Hi kbrady,

I merged your second log with your original thread (Topic). When you post follow up logs, please stick to the same thread. Just click the Add Reply button to the original Topic. Do not create a new topic for your reply. This will cause confusion and a delay in the help you are receiving.

Please subscribe to this topic so you get an email notice and a link to it when you get a response. To do that click on the Options box toward the top right of your topic (just underneath Add Reply and New Topic). Then click on Track this topic, put a dot next to Immediate Email Notification, then scroll down and click Proceed.

Or, when you visit the forum, click on My Topics toward the top of any bleepingcomputer forum page. Thanks!

RichieUK will be with you when he is available.

The thing about people

is they change

when they walk away.--Mipso





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users