Virtumonde


5 replies to this topic

#1 fixitgirl28


Posted 10 June 2007 - 10:12 AM

I have run both Spybot and Ad-Aware, and they both find Virtumonde, but neither of them can remove it. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:23 AM, on 6/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\TpShocks.exe
C:\WINDOWS\TEMP\2447609.exe
C:\WINDOWS\smgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\A?pPatch\ati2evxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\Melissa\APPLIC~1\SCURIT~1\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13142338-AFF5-4F7E-BFE8-A1924ED09CFC} - C:\WINDOWS\System32\gebyv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\b4iaxLf5.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\System32\awttttq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B673113F-85D9-8F2A-D90A-8EADDB94709E} - C:\WINDOWS\System32\grdrg.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\sjanggig.dll
O2 - BHO: (no name) - {E85BFFB2-E751-4FC5-A415-3F2D52C55819} - C:\WINDOWS\System32\ljhff.dll
O2 - BHO: (no name) - {F451D6D5-1F62-45AC-8EA8-E214A0FEC40B} - C:\WINDOWS\System32\efeed.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\2447609.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\shvewjyu.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvded.dll,startup
O4 - HKLM\..\Run: [gjepsvkz.exe] C:\Documents and Settings\All Users\Application Data\gjepsvkz.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Rgwrg] "C:\Program Files\A?pPatch\ati2evxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Nurs] "C:\DOCUME~1\Melissa\APPLIC~1\SCURIT~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D27D89A-18E2-452A-B809-7D327CCD5331}: Domain = finalnull.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: awttttq - C:\WINDOWS\SYSTEM32\awttttq.dll
O20 - Winlogon Notify: ljhff - C:\WINDOWS\System32\ljhff.dll
O20 - Winlogon Notify: winouw32 - C:\WINDOWS\SYSTEM32\winouw32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Please help!!

#2 RichieUK


Posted 10 June 2007 - 10:44 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, fixitgirl28 :thumbsup:

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Then restart your pc.

****************************

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up KillBox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\SYSTEM32\winouw32.dll

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

****************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
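As an added example (not part of this thread, and not code from HijackThis, VundoFix or ComboFix), here is a small Python triage script that applies the kind of reading a log helper does by hand to lines in the HijackThis v1.99.1 format posted above: O2 BHOs with "(no name)" that load from System32, O4 autoruns launched from TEMP or per-user data folders, via rundll32, or from a path containing an unrenderable character, O17 domain entries, and O20 Winlogon Notify DLLs. It also cross-references file names that appear in more than one section, which is what the posted log shows for awttttq.dll (an unnamed BHO and a Winlogon Notify DLL at once). The sample lines are copied from the first log in this thread; the heuristics, thresholds and function names are my own, and a flagged line is a prompt for review, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis v1.99.1 log posted
# in this thread (paths, CLSIDs and the O17 domain are the ones that appear there).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\System32\awttttq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\2447609.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\shvewjyu.dll",realset
O4 - HKCU\..\Run: [Rgwrg] "C:\Program Files\A?pPatch\ati2evxx.exe"
O4 - HKCU\..\Run: [Nurs] "C:\DOCUME~1\Melissa\APPLIC~1\SCURIT~1\mshta.exe" -vt yazb
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D27D89A-18E2-452A-B809-7D327CCD5331}: Domain = finalnull.com
O20 - Winlogon Notify: awttttq - C:\WINDOWS\SYSTEM32\awttttq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# One HJT line: "<section> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
DOMAIN_RE = re.compile(r"Domain = (?P<domain>\S+)$")
# Bare file names (no directory) ending in .dll/.exe/.ocx, used for cross-referencing.
FILE_RE = re.compile(r"[\w~.-]+\.(?:dll|exe|ocx)\b", re.IGNORECASE)
SYSTEM32 = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\TEMP\\|\\Application Data\\|\\APPLIC~1\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def triage_line(line):
    """Return a Finding for a single HJT line, or None if no heuristic fires."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    if section == "O2":
        b = BHO_RE.match(body)
        if b and b.group("name") == "(no name)" and SYSTEM32.match(b.group("path")):
            reasons.append("unnamed BHO loaded from System32")
    elif section == "O4":
        r = RUN_RE.match(body)
        if r:
            cmd = r.group("cmd")
            if USER_TEMP.search(cmd):
                reasons.append("autorun launched from a TEMP or per-user data directory")
            if cmd.lower().startswith("rundll32") and "system32" in cmd.lower():
                reasons.append("autorun uses rundll32 to load a DLL from System32")
            if "?" in cmd:
                reasons.append("path contains a character the log could not render (shown as ?)")
    elif section == "O17":
        d = DOMAIN_RE.search(body)
        if d:
            reasons.append("TCP/IP domain entry set to " + d.group("domain"))
    elif section == "O20":
        if NOTIFY_RE.match(body):
            reasons.append("Winlogon Notify DLL, loaded by winlogon.exe at logon")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage_log(text):
    """Apply triage_line to every line of an HJT log and collect the findings."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f]


def shared_files(text):
    """Map lower-cased file names to the set of HJT sections they appear in,
    keeping only names referenced from more than one section."""
    seen = {}
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        for name in FILE_RE.findall(m.group("body")):
            seen.setdefault(name.lower(), set()).add(m.group("section"))
    return {name: sections for name, sections in seen.items() if len(sections) > 1}


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    " + "; ".join(f.reasons))
    for name, sections in shared_files(SAMPLE_LOG).items():
        print(f"{name} is referenced from sections {sorted(sections)}")
```

On the sample this flags seven of the twelve lines and leaves the Acrobat and Spybot BHOs, the QuickTime autorun and the Ad-Aware service alone; the one shared file it reports is awttttq.dll in O2 and O20. To run it over a real log, replace SAMPLE_LOG with the file's contents. The rules are deliberately narrow (an unnamed BHO outside System32, such as Spybot's SDHelper.dll, is not flagged), so a clean report means only that none of these particular patterns matched.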

#3 fixitgirl28


Posted 10 June 2007 - 12:07 PM

OK, here is what I have:

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 9:36:24 AM 6/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\asdjmlbjnidf.dll
C:\WINDOWS\System32\deefe.bak1
C:\WINDOWS\System32\deefe.bak2
C:\WINDOWS\System32\deefe.ini
C:\WINDOWS\system32\dotrexrmjaks.dll
C:\WINDOWS\System32\efeed.dll
C:\WINDOWS\system32\fgyjwhop.dll
C:\WINDOWS\system32\khfcdeb.dll
C:\WINDOWS\system32\opnmnmk.dll
C:\WINDOWS\system32\pohwjygf.ini
C:\WINDOWS\system32\qommjkh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\asdjmlbjnidf.dll
C:\WINDOWS\system32\asdjmlbjnidf.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\deefe.bak1
C:\WINDOWS\System32\deefe.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\deefe.bak2
C:\WINDOWS\System32\deefe.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\deefe.ini
C:\WINDOWS\System32\deefe.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dotrexrmjaks.dll
C:\WINDOWS\system32\dotrexrmjaks.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\efeed.dll
C:\WINDOWS\System32\efeed.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgyjwhop.dll
C:\WINDOWS\system32\fgyjwhop.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfcdeb.dll
C:\WINDOWS\system32\khfcdeb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmnmk.dll
C:\WINDOWS\system32\opnmnmk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pohwjygf.ini
C:\WINDOWS\system32\pohwjygf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qommjkh.dll
C:\WINDOWS\system32\qommjkh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 11:07:29 AM 6/9/2007

Listing files found while scanning....

C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\khfecby.dll
C:\WINDOWS\system32\scstggpr.dll
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\vybeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\gebyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\khfecby.dll
C:\WINDOWS\system32\khfecby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\scstggpr.dll
C:\WINDOWS\system32\scstggpr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\vybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\gebyv.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 12:21:56 PM 6/10/2007

Listing files found while scanning....

C:\windows\system32\avmlrtlx.exe
C:\windows\system32\bcbay.bak1
C:\windows\system32\bcbay.ini
C:\windows\system32\byxxuvt.dll
C:\windows\system32\eqqklgdf.exe
C:\WINDOWS\System32\shvewjyu.dll
C:\windows\system32\sjanggig.dll
C:\WINDOWS\System32\uyjwevhs.ini
C:\windows\system32\vturstt.dll
C:\WINDOWS\System32\yabcb.dll

Beginning removal...

Attempting to delete C:\windows\system32\avmlrtlx.exe
C:\windows\system32\avmlrtlx.exe Has been deleted!

Attempting to delete C:\windows\system32\bcbay.bak1
C:\windows\system32\bcbay.bak1 Has been deleted!

Attempting to delete C:\windows\system32\bcbay.ini
C:\windows\system32\bcbay.ini Has been deleted!

Attempting to delete C:\windows\system32\byxxuvt.dll
C:\windows\system32\byxxuvt.dll Has been deleted!

Attempting to delete C:\windows\system32\eqqklgdf.exe
C:\windows\system32\eqqklgdf.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\shvewjyu.dll
C:\WINDOWS\System32\shvewjyu.dll Has been deleted!

Attempting to delete C:\windows\system32\sjanggig.dll
C:\windows\system32\sjanggig.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\uyjwevhs.ini
C:\WINDOWS\System32\uyjwevhs.ini Has been deleted!

Attempting to delete C:\windows\system32\vturstt.dll
C:\windows\system32\vturstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\yabcb.dll
C:\WINDOWS\System32\yabcb.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\yabcb.dll
C:\WINDOWS\System32\yabcb.dll Has been deleted!

Performing Repairs to the registry.
Done!

ComboFix 07-06-10 - C:\Documents and Settings\Melissa\Desktop\ComboFix.exe
"Melissa" - 2007-06-10 12:52:00 - Service Pack 1 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Melissa\APPLIC~1.\scurit~1
C:\DOCUME~1\Melissa\APPLIC~1.\scurit~1\mshta.exe
C:\Program Files\appatc~1
C:\Program Files\appatc~1\ati2evxx.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\avp.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\svchost.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))


2007-06-10 12:51 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 12:20 <DIR> d-------- C:\!KillBox
2007-06-10 11:36 93,696 --a------ C:\WINDOWS\system32\drvsab.dll
2007-06-10 10:54 93,696 --a------ C:\WINDOWS\system32\drvded.dll
2007-06-10 10:54 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gjepsvkz.exe
2007-06-09 12:17 1,808,519 ---hs---- C:\WINDOWS\system32\ffhjl.bak1
2007-06-09 12:16 263,220 --a------ C:\WINDOWS\system32\ljhff.dll.vir
2007-06-09 12:06 33,302 --a------ C:\WINDOWS\system32\awttttq.dll.vir
2007-06-09 11:00 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-09 09:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-09 09:41 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-09 09:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-09 09:36 <DIR> d-------- C:\VundoFix Backups
2007-06-09 08:55 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\twbutobw.exe
2007-06-08 22:22 60,928 --a------ C:\WINDOWS\system32\grdrg.dll
2007-06-08 22:22 2 --a------ C:\WINDOWS\system32\wcpicom32.exe
2007-06-08 22:21 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-06-08 18:43 <DIR> d-------- C:\Program Files\AIM6
2007-06-07 19:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-07 19:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-07 18:51 69,632 --a------ C:\WINDOWS\system32\b4iaxLf5.dll
2007-06-07 18:51 <DIR> d-------- C:\DOCUME~1\Melissa\APPLIC~1\AdwareAlert
2007-06-07 18:42 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\AdwareAlert
2007-06-07 18:29 <DIR> d-------- C:\WINDOWS\system32\bmgenkji
2007-06-07 17:55 99,880 --a------ C:\bmgenkji1.exe
2007-06-07 17:55 95,808 --a------ C:\bmgenkji3.exe
2007-06-07 17:55 69,632 --a------ C:\WINDOWS\system32\URdNlkXM.dll
2007-06-07 17:55 122,372 --a------ C:\WINDOWS\system32\tmp421af.exe
2007-06-07 17:55 100,952 --a------ C:\bmgenkji2.exe
2007-06-07 17:55 10,752 --a------ C:\qfalpjip.exe
2007-06-06 18:19 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-05 16:59 68,096 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-06-05 16:59 57,856 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-06-05 16:59 53,248 --a------ C:\WINDOWS\system32\devenum.dll
2007-06-05 16:59 524,800 --a------ C:\WINDOWS\system32\qedit.dll
2007-06-05 16:59 382,976 --a------ C:\WINDOWS\system32\qdvd.dll
2007-06-05 16:59 377,856 --a------ C:\WINDOWS\system32\dpnet.dll
2007-06-05 16:59 276,480 --a------ C:\WINDOWS\system32\qdv.dll
2007-06-05 16:59 22,016 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-06-05 16:59 203,264 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-06-05 16:59 194,560 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-06-05 16:59 177,152 --a------ C:\WINDOWS\system32\qcap.dll
2007-06-05 16:59 104,448 --a------ C:\WINDOWS\system32\dmusic.dll
2007-06-05 16:59 1,689,600 --a------ C:\WINDOWS\system32\d3d9.dll
2007-06-05 16:59 1,179,648 --a------ C:\WINDOWS\system32\d3d8.dll
2007-06-05 16:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-05 16:47 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-06-05 15:43 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-06-04 20:01 381,952 --------- C:\WINDOWS\system32\dsound.dll
2007-06-04 20:01 292,864 --------- C:\WINDOWS\system32\ddraw.dll
2007-06-04 20:01 <DIR> d-------- C:\Program Files\NCSoft
2007-06-04 19:57 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\InstallShield
2007-06-04 18:30 <DIR> d-------- C:\DOCUME~1\Nick\.coc
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-28 19:43 <DIR> dr-h----- C:\MSOCache
2007-05-28 08:41 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\AdobeUM
2007-05-27 15:45 <DIR> d-------- C:\Program Files\StarWarsGalaxies
2007-05-27 15:45 <DIR> d-------- C:\Program Files\Sony
2007-05-20 08:38 <DIR> d-------- C:\Program Files\Bethesda Softworks
2007-05-19 23:44 <DIR> d--h----- C:\DOCUME~1\Nick\APPLIC~1\Move Networks
2007-05-19 07:56 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Ahead
2007-05-19 07:52 <DIR> d-------- C:\DOCUME~1\Nick\.limewire
2007-05-15 22:22 <DIR> d---s---- C:\DOCUME~1\Nick\UserData
2007-05-15 14:21 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Apple Computer
2007-05-15 14:15 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Logitech
2007-05-15 14:15 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\HP
2007-05-15 14:15 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Google
2007-05-15 07:04 1,572,864 --ah----- C:\DOCUME~1\Nick\NTUSER.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 16:12:47 -------- d-----w C:\Program Files\Viewpoint
2007-06-09 19:23:29 -------- d-----w C:\Program Files\World of Warcraft
2007-06-07 23:53:11 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 22:57:27 -------- d--h--w C:\DOCUME~1\Melissa\APPLIC~1\Move Networks
2007-06-05 00:01:34 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-08 09:35:32 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\Image Zone Express
2007-05-08 09:35:31 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\Printer Info Cache
2007-05-07 23:07:11 130,500 ----a-w C:\WINDOWS\HPHins13.dat
2007-05-07 23:06:03 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\HP
2007-05-07 23:00:15 -------- d-----w C:\Program Files\Common Files\HP
2007-05-07 23:00:10 -------- d-----w C:\Program Files\HP
2007-05-05 00:19:32 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\Google
2007-04-22 21:35:24 -------- d-----w C:\Program Files\iPod
2007-04-22 21:22:22 -------- d-----w C:\Program Files\iTunes
2007-04-22 17:21:32 -------- d-----w C:\Program Files\QuickTime
2007-04-22 17:18:05 -------- d-----w C:\Program Files\Apple Software Update
2007-04-14 05:28:05 -------- d-----w C:\Program Files\Symantec
2007-04-14 05:28:04 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-04-07 01:07]
{13142338-AFF5-4F7E-BFE8-A1924ED09CFC}=C:\WINDOWS\System32\gebyv.dll []
{2BC7F5B8-CAE7-48A6-83D5-E8E9E56A7A29}=C:\WINDOWS\System32\yabcb.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{53B5F2B1-94DD-43E5-8187-EB4E31F00701}=C:\WINDOWS\System32\b4iaxLf5.dll [2007-06-07 18:51]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-04-07 01:21]
{B673113F-85D9-8F2A-D90A-8EADDB94709E}=C:\WINDOWS\System32\grdrg.dll [2007-05-21 09:59]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\System32\sjanggig.dll []
{F451D6D5-1F62-45AC-8EA8-E214A0FEC40B}=C:\WINDOWS\System32\efeed.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" []
"suScheduler"="C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe" []
"TpShocks"="TpShocks.exe" [2005-08-22 19:29 C:\WINDOWS\system32\TpShocks.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" []
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"gjepsvkz.exe"="C:\Documents and Settings\All Users\Application Data\gjepsvkz.exe" [2007-06-10 10:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 21:38]
"Rgwrg"="C:\Program Files\A?pPatch\ati2evxx.exe" []
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 08:00]
"Nurs"="C:\DOCUME~1\Melissa\APPLIC~1\SCURIT~1\mshta.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINDOWS\System32\b4iaxLf5.dll" [2007-06-07 18:51]
"{42248C91-2117-477B-AC0E-C280556B1001}"="C:\WINDOWS\system32\dotrexrmjaks.dll" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"="C:\WINDOWS\System32\vturstt.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winouw32]
winouw32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Melissa^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Melissa\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe "C:\WINDOWS\System32\fgyjwhop.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\2529357.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\System32\drvseh.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1169342293\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nurs]
"C:\DOCUME~1\Melissa\APPLIC~1\SCURIT~1\mshta.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\WINDOWS\System32\scchk32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
smgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbutobw.exe]
C:\Documents and Settings\All Users\Application Data\twbutobw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"SysmonLog"=3 (0x3)
"seclogon"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


Contents of the 'Scheduled Tasks' folder
2007-06-10 07:00:00 C:\WINDOWS\tasks\AdwareAlert Scheduled Scan.job
2007-06-08 12:44:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 22:01:34 C:\WINDOWS\tasks\WebReg Deskjet D2400 series.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 12:56:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 12:57:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-10 12:57

--- E O F ---

And the new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:02:49 PM, on 6/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\TpShocks.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\gjepsvkz.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13142338-AFF5-4F7E-BFE8-A1924ED09CFC} - C:\WINDOWS\System32\gebyv.dll (file missing)
O2 - BHO: (no name) - {2BC7F5B8-CAE7-48A6-83D5-E8E9E56A7A29} - C:\WINDOWS\System32\yabcb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\b4iaxLf5.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B673113F-85D9-8F2A-D90A-8EADDB94709E} - C:\WINDOWS\System32\grdrg.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\sjanggig.dll (file missing)
O2 - BHO: (no name) - {F451D6D5-1F62-45AC-8EA8-E214A0FEC40B} - C:\WINDOWS\System32\efeed.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gjepsvkz.exe] C:\Documents and Settings\All Users\Application Data\gjepsvkz.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Rgwrg] "C:\Program Files\A?pPatch\ati2evxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Nurs] "C:\DOCUME~1\Melissa\APPLIC~1\SCURIT~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D27D89A-18E2-452A-B809-7D327CCD5331}: Domain = finalnull.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winouw32 - winouw32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)

#4 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 10 June 2007 - 12:48 PM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: ComboFix-Do.txt, and save it to your desktop.

File::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\gjepsvkz.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\twbutobw.exe
C:\WINDOWS\system32\ffhjl.bak1
C:\WINDOWS\system32\ljhff.dll.vir
C:\WINDOWS\system32\awttttq.dll.vir
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\grdrg.dll
C:\WINDOWS\system32\wcpicom32.exe
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\b4iaxLf5.dll
C:\bmgenkji1.exe
C:\bmgenkji3.exe
C:\WINDOWS\system32\URdNlkXM.dll
C:\WINDOWS\system32\tmp421af.exe
C:\bmgenkji2.exe
C:\qfalpjip.exe

Folder::
C:\Program Files\GameSpy Arcade
C:\Program Files\Viewpoint
C:\WINDOWS\system32\bmgenkji

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{13142338-AFF5-4F7E-BFE8-A1924ED09CFC}=-
{2BC7F5B8-CAE7-48A6-83D5-E8E9E56A7A29}=-
{53B5F2B1-94DD-43E5-8187-EB4E31F00701}=-
{B673113F-85D9-8F2A-D90A-8EADDB94709E}=-
{E12BFF69-38A7-406e-A8EF-2738107A7831}=-
{F451D6D5-1F62-45AC-8EA8-E214A0FEC40B}=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gjepsvkz.exe"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rgwrg"=-
"Nurs"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"=-
"{42248C91-2117-477B-AC0E-C280556B1001}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A61098D-612B-4EF2-943D-64E920684061}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winouw32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nurs]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbutobw.exe]

Then drag and drop the ComboFix-Do.txt file onto ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging ComboFix-Do.txt onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

Edited by RichieUK, 10 June 2007 - 12:52 PM.

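The ComboFix-Do.txt script in the post above removes, one by one, the items RichieUK picked out of the HijackThis log by hand. As an added example (not code from this thread, from HijackThis or from ComboFix), the Python below shows a defender's version of that triage: it flags the HJT entry patterns seen in this thread (BHOs with no display name that load from System32 or whose DLL is already missing, autoruns living under Application Data, orphaned Winlogon Notify packages) and parses the File::/Folder::/Registry:: sections of a ComboFix-style script to report any flagged item the script does not address. The sample log lines and the script excerpt are copied from this thread; the flagging heuristics are the editor's own, not a HijackThis feature, and the excerpt deliberately leaves out the HKCU Run entries so the cross-check has a gap to report.

```python
"""Triage HijackThis log lines and cross-check a ComboFix-style removal script.

Added example for this thread; not code from HijackThis, ComboFix or the posters.
The flagging rules below are the editor's own heuristics, not a HijackThis feature.
"""
import re

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13142338-AFF5-4F7E-BFE8-A1924ED09CFC} - C:\WINDOWS\System32\gebyv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\b4iaxLf5.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gjepsvkz.exe] C:\Documents and Settings\All Users\Application Data\gjepsvkz.exe
O4 - HKCU\..\Run: [Nurs] "C:\DOCUME~1\Melissa\APPLIC~1\SCURIT~1\mshta.exe" -vt yazb
O20 - Winlogon Notify: winouw32 - winouw32.dll (file missing)
"""

# Constructed sample: an excerpt of the ComboFix-Do.txt script from this thread,
# deliberately without the HKCU Run entries so the cross-check has a gap to report.
SAMPLE_SCRIPT = r"""
File::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\gjepsvkz.exe
C:\WINDOWS\system32\b4iaxLf5.dll

Folder::
C:\Program Files\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{13142338-AFF5-4F7E-BFE8-A1924ED09CFC}=-
{53B5F2B1-94DD-43E5-8187-EB4E31F00701}=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gjepsvkz.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winouw32]
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.*)$", re.I)
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] "?'
                   r'(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|hta))"?', re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$", re.I)
APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)

# Registry keys (lower-cased) the cross-check expects the script to touch.
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
RUN_KEYS = {"HKLM": r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            "HKCU": r"hkey_current_user\software\microsoft\windows\currentversion\run"}
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"


def triage(log_text):
    """Return findings as dicts (kind, id, path, reason[, hive]) in log order."""
    findings = []
    for line in log_text.splitlines():
        if m := O2_RE.match(line):
            missing = m["path"].endswith("(file missing)")
            path = m["path"].replace(" (file missing)", "")
            # A BHO with no display name whose DLL sits bare in System32, or is
            # already gone, is the Vundo/Virtumonde pattern seen in this thread.
            if m["name"] == "(no name)" and (missing or SYSTEM32_RE.match(path)):
                reason = "orphaned BHO CLSID" if missing else "unnamed BHO loading from System32"
                findings.append({"kind": "O2", "id": m["clsid"].upper(), "path": path, "reason": reason})
        elif m := O4_RE.match(line):
            # Installed software normally runs from Program Files or System32; an
            # autorun living in (All Users) Application Data deserves a closer look.
            if APPDATA_RE.search(m["path"]):
                findings.append({"kind": "O4", "id": m["value"], "hive": m["hive"].upper(),
                                 "path": m["path"], "reason": "autorun from Application Data"})
        elif m := O20_RE.match(line):
            if m["missing"]:
                findings.append({"kind": "O20", "id": m["key"], "path": m["dll"],
                                 "reason": "orphaned Winlogon Notify package"})
    return findings


def parse_cfscript(text):
    """Parse File::/Folder::/Registry:: sections into a removal plan. In Registry::,
    [KEY] selects a key, "name"=- deletes a value under it and [-KEY] deletes the key."""
    plan = {"files": set(), "folders": set(), "deleted_keys": set(), "deleted_values": {}}
    section = key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            section, key = line[:-2].lower(), None
        elif section in ("file", "folder"):
            plan[section + "s"].add(line.lower())
        elif section == "registry" and line.startswith("[-") and line.endswith("]"):
            plan["deleted_keys"].add(line[2:-1].lower())
        elif section == "registry" and line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif section == "registry" and line.endswith("=-") and key:
            plan["deleted_values"].setdefault(key, set()).add(line[:-2].strip('"').upper())
    return plan


def uncovered(findings, plan):
    """Return the findings that the script does not remove."""
    gaps = []
    for f in findings:
        if f["kind"] == "O2":
            hit = f["id"] in plan["deleted_values"].get(BHO_KEY, set())
        elif f["kind"] == "O4":
            hit = f["id"].upper() in plan["deleted_values"].get(RUN_KEYS[f["hive"]], set())
        else:
            hit = f"{NOTIFY_KEY}\\{f['id'].lower()}" in plan["deleted_keys"]
        if not hit:
            gaps.append(f)
    return gaps


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f['kind']:<3} {f['id']}: {f['reason']} ({f['path']})")
    for g in uncovered(found, parse_cfscript(SAMPLE_SCRIPT)):
        print(f"NOT COVERED by script: {g['kind']} {g['id']}")
```

Run as-is it reports five findings and one item the excerpt does not cover, the HKCU Run value Nurs (the full script in the post above does delete it). Spybot's SDHelper.dll is also registered as "(no name)" but is not flagged, because it loads from its own Program Files folder rather than from System32; that distinction is what keeps the rule from turning every unnamed BHO into a false positive.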

#5 fixitgirl28
  • Topic Starter
  • Members
  • 3 posts

Posted 10 June 2007 - 09:05 PM

ComboFix 07-06-10 - C:\Documents and Settings\Melissa\Desktop\ComboFix.exe
"Melissa" - 2007-06-10 21:55:25 - Service Pack 1 NTFS
Command switches used :: C:\Documents and Settings\Melissa\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bmgenkji1.exe
C:\bmgenkji2.exe
C:\bmgenkji3.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\gjepsvkz.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\twbutobw.exe
C:\Program Files\GameSpy Arcade
C:\Program Files\GameSpy Arcade\banner.html
C:\Program Files\GameSpy Arcade\gp.info
C:\Program Files\GameSpy Arcade\Profiles\svcdata.cfg
C:\Program Files\GameSpy Arcade\Services\_assets\z36.swf
C:\Program Files\GameSpy Arcade\Services\_assets\z37.swf
C:\Program Files\GameSpy Arcade\Services\_assets\z38.swf
C:\Program Files\GameSpy Arcade\Services\_assets\z57.swf
C:\Program Files\GameSpy Arcade\Services\_assets\z58.swf
C:\Program Files\GameSpy Arcade\Services\_common\catmap.cfg
C:\Program Files\GameSpy Arcade\Services\_common\splash_banner.psd
C:\Program Files\GameSpy Arcade\Services\_comrade\RuleMap.xml
C:\Program Files\GameSpy Arcade\Services\_comrade\server.query.xml
C:\Program Files\GameSpy Arcade\Services\detection.cfg
C:\Program Files\GameSpy Arcade\Services\fileplanet\service_tab.png
C:\Program Files\GameSpy Arcade\Services\fileplanet\service_tab.psd
C:\Program Files\GameSpy Arcade\Services\files.cfg
C:\Program Files\GameSpy Arcade\Services\full.cfg
C:\Program Files\GameSpy Arcade\Services\GameSpy.com\service_tab.png
C:\Program Files\GameSpy Arcade\Services\GameSpy.com\service_tab.psd
C:\Program Files\GameSpy Arcade\Services\gsarcadetour\service_tab.png
C:\Program Files\GameSpy Arcade\Services\gsarcadetour\service_tab.psd
C:\Program Files\GameSpy Arcade\Services\gslive\service_tab.png
C:\Program Files\GameSpy Arcade\Services\halodemo\service_tab.png
C:\Program Files\GameSpy Arcade\Services\halodemo\service_tab.psd
C:\Program Files\GameSpy Arcade\Services\knownsvc-1-60-856-.cfg
C:\Program Files\GameSpy Arcade\Services\livewire\service_tab.png
C:\Program Files\GameSpy Arcade\Services\livewire\service_tab.psd
C:\Program Files\GameSpy Arcade\Services\servicestatus.cfg
C:\Program Files\GameSpy Arcade\Services\swg\service_tab.png
C:\Program Files\GameSpy Arcade\Services\swg\service_tab.psd
C:\Program Files\GameSpy Arcade\Services\webgames\service_tab.png
C:\Program Files\GameSpy Arcade\Services\webgames\service_tab.psd
C:\Program Files\GameSpy Arcade\Services\wow\service_tab.png
C:\Program Files\GameSpy Arcade\Services\wow\service_tab.psd
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AolInstantInstallMMX_Win.mtj
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
C:\qfalpjip.exe
C:\WINDOWS\system32\awttttq.dll.vir
C:\WINDOWS\system32\b4iaxLf5.dll
C:\WINDOWS\system32\bmgenkji
C:\WINDOWS\system32\bmgenkji\bg1.gif
C:\WINDOWS\system32\bmgenkji\bgtop.gif
C:\WINDOWS\system32\bmgenkji\bmgenkji2.exe
C:\WINDOWS\system32\bmgenkji\bottom1.gif
C:\WINDOWS\system32\bmgenkji\essentials.gif
C:\WINDOWS\system32\bmgenkji\icon1.ico
C:\WINDOWS\system32\bmgenkji\install1.gif
C:\WINDOWS\system32\bmgenkji\left1.gif
C:\WINDOWS\system32\bmgenkji\li.gif
C:\WINDOWS\system32\bmgenkji\logo.gif
C:\WINDOWS\system32\bmgenkji\main.htm
C:\WINDOWS\system32\bmgenkji\mainframe.htm
C:\WINDOWS\system32\bmgenkji\reinstall1.gif
C:\WINDOWS\system32\bmgenkji\right1.gif
C:\WINDOWS\system32\bmgenkji\s1.htm
C:\WINDOWS\system32\bmgenkji\s2.htm
C:\WINDOWS\system32\bmgenkji\s3.htm
C:\WINDOWS\system32\bmgenkji\SMTop1.gif
C:\WINDOWS\system32\bmgenkji\SMTop2.gif
C:\WINDOWS\system32\bmgenkji\SMTop3.gif
C:\WINDOWS\system32\bmgenkji\SMTop4.gif
C:\WINDOWS\system32\bmgenkji\soft1_off.gif
C:\WINDOWS\system32\bmgenkji\soft1_off_ext.gif
C:\WINDOWS\system32\bmgenkji\soft1_on.gif
C:\WINDOWS\system32\bmgenkji\soft1_on_ext.gif
C:\WINDOWS\system32\bmgenkji\soft2_off.gif
C:\WINDOWS\system32\bmgenkji\soft2_off_ext.gif
C:\WINDOWS\system32\bmgenkji\soft2_on.gif
C:\WINDOWS\system32\bmgenkji\soft2_on_ext.gif
C:\WINDOWS\system32\bmgenkji\soft3_off.gif
C:\WINDOWS\system32\bmgenkji\soft3_off_ext.gif
C:\WINDOWS\system32\bmgenkji\soft3_on.gif
C:\WINDOWS\system32\bmgenkji\soft3_on_ext.gif
C:\WINDOWS\system32\bmgenkji\softbottom_off.gif
C:\WINDOWS\system32\bmgenkji\softbottom_on.gif
C:\WINDOWS\system32\bmgenkji\softleft_off.gif
C:\WINDOWS\system32\bmgenkji\softleft_on.gif
C:\WINDOWS\system32\bmgenkji\top1.gif
C:\WINDOWS\system32\bmgenkji\top2.gif
C:\WINDOWS\system32\bmgenkji\turnoff1.gif
C:\WINDOWS\system32\bmgenkji\turnon1.gif
C:\WINDOWS\system32\ffhjl.bak1
C:\WINDOWS\system32\grdrg.dll
C:\WINDOWS\system32\ljhff.dll.vir
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\tmp421af.exe
C:\WINDOWS\system32\URdNlkXM.dll
C:\WINDOWS\system32\wcpicom32.exe
C:\WINDOWS\system32\winsys64.exe


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-10 12:51 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-10 12:20 <DIR> d-------- C:\!KillBox
2007-06-10 11:36 93,696 --a------ C:\WINDOWS\system32\drvsab.dll
2007-06-10 10:54 93,696 --a------ C:\WINDOWS\system32\drvded.dll
2007-06-09 09:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-09 09:41 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-09 09:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-09 09:36 <DIR> d-------- C:\VundoFix Backups
2007-06-08 18:43 <DIR> d-------- C:\Program Files\AIM6
2007-06-07 19:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-07 19:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-07 18:51 <DIR> d-------- C:\DOCUME~1\Melissa\APPLIC~1\AdwareAlert
2007-06-07 18:42 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\AdwareAlert
2007-06-06 18:19 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-05 16:59 68,096 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-06-05 16:59 57,856 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-06-05 16:59 53,248 --a------ C:\WINDOWS\system32\devenum.dll
2007-06-05 16:59 524,800 --a------ C:\WINDOWS\system32\qedit.dll
2007-06-05 16:59 382,976 --a------ C:\WINDOWS\system32\qdvd.dll
2007-06-05 16:59 377,856 --a------ C:\WINDOWS\system32\dpnet.dll
2007-06-05 16:59 276,480 --a------ C:\WINDOWS\system32\qdv.dll
2007-06-05 16:59 22,016 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-06-05 16:59 203,264 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-06-05 16:59 194,560 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-06-05 16:59 177,152 --a------ C:\WINDOWS\system32\qcap.dll
2007-06-05 16:59 104,448 --a------ C:\WINDOWS\system32\dmusic.dll
2007-06-05 16:59 1,689,600 --a------ C:\WINDOWS\system32\d3d9.dll
2007-06-05 16:59 1,179,648 --a------ C:\WINDOWS\system32\d3d8.dll
2007-06-05 16:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-05 15:43 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-06-04 20:01 381,952 --------- C:\WINDOWS\system32\dsound.dll
2007-06-04 20:01 292,864 --------- C:\WINDOWS\system32\ddraw.dll
2007-06-04 20:01 <DIR> d-------- C:\Program Files\NCSoft
2007-06-04 19:57 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\InstallShield
2007-06-04 18:30 <DIR> d-------- C:\DOCUME~1\Nick\.coc
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-28 19:43 <DIR> dr-h----- C:\MSOCache
2007-05-28 08:41 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\AdobeUM
2007-05-27 15:45 <DIR> d-------- C:\Program Files\StarWarsGalaxies
2007-05-27 15:45 <DIR> d-------- C:\Program Files\Sony
2007-05-20 08:38 <DIR> d-------- C:\Program Files\Bethesda Softworks
2007-05-19 23:44 <DIR> d--h----- C:\DOCUME~1\Nick\APPLIC~1\Move Networks
2007-05-19 07:56 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Ahead
2007-05-19 07:52 <DIR> d-------- C:\DOCUME~1\Nick\.limewire
2007-05-15 22:22 <DIR> d---s---- C:\DOCUME~1\Nick\UserData
2007-05-15 14:21 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Apple Computer
2007-05-15 14:15 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Logitech
2007-05-15 14:15 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\HP
2007-05-15 14:15 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Google
2007-05-15 07:04 1,572,864 --ah----- C:\DOCUME~1\Nick\NTUSER.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 19:23:29 -------- d-----w C:\Program Files\World of Warcraft
2007-06-07 23:53:11 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 22:57:27 -------- d--h--w C:\DOCUME~1\Melissa\APPLIC~1\Move Networks
2007-06-05 00:01:34 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-08 09:35:32 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\Image Zone Express
2007-05-08 09:35:31 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\Printer Info Cache
2007-05-07 23:07:11 130,500 ----a-w C:\WINDOWS\HPHins13.dat
2007-05-07 23:06:03 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\HP
2007-05-07 23:00:15 -------- d-----w C:\Program Files\Common Files\HP
2007-05-07 23:00:10 -------- d-----w C:\Program Files\HP
2007-05-05 00:19:32 -------- d-----w C:\DOCUME~1\Melissa\APPLIC~1\Google
2007-04-22 21:35:24 -------- d-----w C:\Program Files\iPod
2007-04-22 21:22:22 -------- d-----w C:\Program Files\iTunes
2007-04-22 17:21:32 -------- d-----w C:\Program Files\QuickTime
2007-04-22 17:18:05 -------- d-----w C:\Program Files\Apple Software Update
2007-04-14 05:28:05 -------- d-----w C:\Program Files\Symantec
2007-04-14 05:28:04 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-04-07 01:07]
{13142338-AFF5-4F7E-BFE8-A1924ED09CFC}=C:\WINDOWS\System32\gebyv.dll []
{2BC7F5B8-CAE7-48A6-83D5-E8E9E56A7A29}=C:\WINDOWS\System32\yabcb.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{53B5F2B1-94DD-43E5-8187-EB4E31F00701}=C:\WINDOWS\System32\b4iaxLf5.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-04-07 01:21]
{B673113F-85D9-8F2A-D90A-8EADDB94709E}=C:\WINDOWS\System32\grdrg.dll []
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\System32\sjanggig.dll []
{F451D6D5-1F62-45AC-8EA8-E214A0FEC40B}=C:\WINDOWS\System32\efeed.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" []
"suScheduler"="C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe" []
"TpShocks"="TpShocks.exe" [2005-08-22 19:29 C:\WINDOWS\system32\TpShocks.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" []
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 21:38]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 08:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Melissa^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Melissa\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1169342293\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"SysmonLog"=3 (0x3)
"seclogon"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


Contents of the 'Scheduled Tasks' folder
2007-06-10 07:00:00 C:\WINDOWS\tasks\AdwareAlert Scheduled Scan.job
2007-06-08 12:44:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-11 01:20:05 C:\WINDOWS\tasks\WebReg Deskjet D2400 series.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 21:56:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 21:57:00
C:\ComboFix-quarantined-files.txt ... 2007-06-10 21:56
C:\ComboFix2.txt ... 2007-06-10 12:57

--- E O F ---
And the latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:40 PM, on 6/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\TpShocks.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13142338-AFF5-4F7E-BFE8-A1924ED09CFC} - C:\WINDOWS\System32\gebyv.dll (file missing)
O2 - BHO: (no name) - {2BC7F5B8-CAE7-48A6-83D5-E8E9E56A7A29} - C:\WINDOWS\System32\yabcb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\b4iaxLf5.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B673113F-85D9-8F2A-D90A-8EADDB94709E} - C:\WINDOWS\System32\grdrg.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\sjanggig.dll (file missing)
O2 - BHO: (no name) - {F451D6D5-1F62-45AC-8EA8-E214A0FEC40B} - C:\WINDOWS\System32\efeed.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D27D89A-18E2-452A-B809-7D327CCD5331}: Domain = finalnull.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (file missing)

Thanks :thumbsup:

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 11 June 2007 - 03:43 AM

You've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

********************

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {13142338-AFF5-4F7E-BFE8-A1924ED09CFC} - C:\WINDOWS\System32\gebyv.dll (file missing)
O2 - BHO: (no name) - {2BC7F5B8-CAE7-48A6-83D5-E8E9E56A7A29} - C:\WINDOWS\System32\yabcb.dll (file missing)
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\b4iaxLf5.dll (file missing)
O2 - BHO: (no name) - {B673113F-85D9-8F2A-D90A-8EADDB94709E} - C:\WINDOWS\System32\grdrg.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\System32\sjanggig.dll (file missing)
O2 - BHO: (no name) - {F451D6D5-1F62-45AC-8EA8-E214A0FEC40B} - C:\WINDOWS\System32\efeed.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

Exit Hijackthis.

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer, and when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.

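As an added example (not part of the thread or of HijackThis itself), a small Python triage script run over lines copied from the log above: it parses each HJT entry's section code, CLSID and target, and flags the kinds of entries the fix list targets (unnamed BHOs whose file is missing) plus O17 and orphaned O23 entries a responder would want to look at before deciding what to fix. The section names and flag rules are this example's own assumptions, not anything the helper wrote.

```python
"""Parse HijackThis O-entries and flag the ones worth a second look."""
import re

# "O2 - BHO: (no name) - {CLSID} - C:\path\x.dll (file missing)" -> section, rest
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample: four lines copied verbatim from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {13142338-AFF5-4F7E-BFE8-A1924ED09CFC} - C:\WINDOWS\System32\gebyv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D27D89A-18E2-452A-B809-7D327CCD5331}: Domain = finalnull.com
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
""".strip().splitlines()


def parse_entry(line):
    """Return a dict for one HJT O-line, or None for headers/process lists."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    clsid = CLSID_RE.search(rest)
    return {
        "section": section,
        "body": rest,
        "clsid": clsid.group(0).upper() if clsid else None,
        "file_missing": "(file missing)" in rest or "(no file)" in rest,
        "unnamed": "(no name)" in rest,
    }


def triage(lines):
    """Return (section, clsid-or-body, reasons) for entries that merit review."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e["section"] == "O2" and e["unnamed"]:
            reasons.append("unnamed BHO")
        if e["section"] == "O2" and e["file_missing"]:
            reasons.append("BHO registration points at a missing file")
        if e["section"] == "O17":
            reasons.append("Tcpip domain/DNS setting: confirm it is expected")
        if e["section"] == "O23" and "Unknown owner" in e["body"] and e["file_missing"]:
            reasons.append("service with unknown owner and missing binary")
        if reasons:
            findings.append((e["section"], e["clsid"] or e["body"], reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` surfaces the O2, O17 and O23 lines and leaves the Office Research button alone; an O17 hit is a prompt to verify the domain, not proof of infection.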



