Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log Please Look


  • Please log in to reply
3 replies to this topic

#1 trenchdog73

trenchdog73

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 14 June 2007 - 02:11 PM

anything wrong here?

Logfile of HijackThis v1.99.1
Scan saved at 2:09:50 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\scvhost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Raxco\PerfectDisk\PerfectDisk.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Documents and Settings\Parker\Desktop\hijacktis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [D-Link RangeBooster G WUA-2340] C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [msvb32] C:\WINDOWS\system32\msvb.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [msvb32] C:\WINDOWS\system32\msvb.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179953855515
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 PM

Posted 14 June 2007 - 04:16 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.
Unfortunately we are looking a really nasty log here, with many infections..

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [msvb32] C:\WINDOWS\system32\msvb.exe
O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [msvb32] C:\WINDOWS\system32\msvb.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\msvb.exe
C:\WINDOWS\system32\scvhost.exe

Reboot back to normal mode.

Please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Edited by D-Trojanator, 14 June 2007 - 04:16 PM.


#3 trenchdog73

trenchdog73
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 14 June 2007 - 04:56 PM

ComboFix 07-06-13.3 - C:\Documents and Settings\Parker\Desktop\ComboFix.exe
"Parker" - 2007-06-14 16:51:27 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))


2007-06-14 16:45 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 16:25 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-14 08:36 <DIR> d-------- C:\Program Files\SEGA
2007-06-14 08:36 <DIR> d-------- C:\DOCUME~1\Parker\APPLIC~1\InstallShield
2007-06-13 19:53 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-13 19:53 <DIR> d-------- C:\Program Files\ATI Technologies
2007-06-13 19:52 <DIR> d-------- C:\ATI
2007-06-13 15:16 <DIR> d-------- C:\DOCUME~1\Parker\APPLIC~1\Apple Computer
2007-06-13 15:14 <DIR> d-------- C:\Program Files\QuickTime
2007-06-13 15:14 <DIR> d-------- C:\Program Files\Apple Software Update
2007-06-13 15:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-13 12:03 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-12 07:04 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-11 11:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-11 11:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\LogiShrd
2007-06-07 10:16 51,733 --a------ C:\WINDOWS\system32\plugin1.dat
2007-06-07 10:13 71,168 --a------ C:\WINDOWS\system32\ijl11.dll
2007-06-07 08:49 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-07 08:46 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-06-07 08:46 36,999 --a------ C:\WINDOWS\DIIUnin.dat
2007-06-07 08:46 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-06-07 08:46 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-06-07 08:46 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-06-07 08:46 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-06-07 08:36 <DIR> d-------- C:\Program Files\Diablo II
2007-06-07 07:52 <DIR> d-------- C:\DOCUME~1\Parker\APPLIC~1\Viewpoint
2007-06-04 00:02 <DIR> d-------- C:\DOCUME~1\Parker\APPLIC~1\DivX
2007-06-03 23:54 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-06-03 23:54 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-06-03 23:41 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-06-03 23:41 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-03 23:41 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-03 23:41 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-03 23:41 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-03 23:41 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-03 23:41 <DIR> d-------- C:\Program Files\DivX
2007-06-03 23:40 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-03 23:40 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-03 23:40 <DIR> d-------- C:\Program Files\Xvid
2007-06-03 23:23 <DIR> d-------- C:\DECCHECK
2007-06-03 23:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zenturi
2007-06-03 23:11 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-03 22:06 <DIR> d-------- C:\Program Files\CAPCOM
2007-06-03 21:06 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-03 21:06 <DIR> dr-h----- C:\DOCUME~1\Parker\APPLIC~1\SecuROM
2007-06-03 21:01 <DIR> d-------- C:\Program Files\World In Conflict - Closed MP Beta
2007-06-02 17:38 <DIR> d-------- C:\Program Files\GameSpot
2007-06-01 16:51 <DIR> d-------- C:\Incomplete
2007-06-01 16:45 <DIR> d-------- C:\DOCUME~1\Parker\Shared
2007-06-01 16:45 <DIR> d-------- C:\DOCUME~1\Parker\Incomplete
2007-06-01 16:45 <DIR> d-------- C:\DOCUME~1\Parker\APPLIC~1\LimeWire
2007-06-01 16:43 <DIR> d-------- C:\Program Files\LimeWire
2007-06-01 05:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Earthsim
2007-05-31 18:38 <DIR> d-------- C:\TWWGUSB_TEMP
2007-05-31 18:32 663,552 --a------ C:\WINDOWS\system32\ANIWZCS2.dll
2007-05-31 18:32 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll
2007-05-31 18:32 49,152 --a------ C:\WINDOWS\system32\JJAKEn.dll
2007-05-31 18:32 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll
2007-05-31 18:32 48,128 --a------ C:\WINDOWS\system32\ANIO64.sys
2007-05-31 18:32 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll
2007-05-31 18:32 28,195 --a------ C:\WINDOWS\system32\ANIO.sys
2007-05-31 18:32 241,664 --a------ C:\WINDOWS\system32\wlanapi.dll
2007-05-31 18:32 196,608 --a------ C:\WINDOWS\system32\WlanApp.dll
2007-05-31 18:32 184,320 --a------ C:\WINDOWS\system32\aIPH.dll
2007-05-31 18:32 11,904 --a------ C:\WINDOWS\system32\anio4.sys
2007-05-31 18:32 1,327,189 --a------ C:\WINDOWS\system32\odSupp_M.dll
2007-05-31 18:32 <DIR> d-------- C:\Program Files\D-Link
2007-05-31 18:32 <DIR> d-------- C:\Program Files\ANI
2007-05-31 01:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 01:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 01:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 01:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-30 07:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2007-05-30 06:08 <DIR> d-------- C:\CloneDVDTemp
2007-05-29 18:21 <DIR> d-------- C:\ViewSonic
2007-05-29 11:17 26,368 --a------ C:\WINDOWS\system32\drivers\tapgamerail.sys
2007-05-29 11:17 <DIR> d-------- C:\Program Files\GameRail
2007-05-29 11:17 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2007-05-28 23:22 2,164,736 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-05-27 20:21 <DIR> d--h----- C:\WINDOWS\system32\win
2007-05-27 20:20 <DIR> d-------- C:\Program Files\Cyberathlete Amateur League
2007-05-27 18:38 <DIR> d-------- C:\Program Files\NuGardt Software
2007-05-27 15:47 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-05-27 15:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-27 15:00 <DIR> d-------- C:\DOCUME~1\Parker\APPLIC~1\Xfire
2007-05-26 23:50 <DIR> d-------- C:\Program Files\Activision
2007-05-26 15:45 <DIR> d---s---- C:\Program Files\Xfire
2007-05-25 14:48 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-05-25 14:47 <DIR> d-------- C:\Program Files\Guild Wars
2007-05-25 12:30 <DIR> d-------- C:\FullDisc
2007-05-24 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-24 16:51 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-23 23:44 <DIR> d-------- C:\Program Files\BitComet
2007-05-23 23:17 1,331,200 --------- C:\WINDOWS\UNNMP.exe
2007-05-23 23:16 <DIR> d-------- C:\DOCUME~1\Parker\APPLIC~1\Ahead
2007-05-23 23:15 155,648 -ra------ C:\WINDOWS\system32\NeroCheck.exe
2007-05-23 23:14 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2007-05-23 23:14 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2007-05-23 23:14 38,912 -ra------ C:\WINDOWS\system32\picn20.dll
2007-05-23 23:14 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-25 23:46:10 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-23 23:34:39 17,408 ----a-w C:\WINDOWS\system32\drivers\bb-run.sys
2007-05-23 23:34:39 162,304 ----a-w C:\WINDOWS\system32\drivers\fttxr54P.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 03:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-05 18:15:55 144,357 ----a-w C:\WINDOWS\system32\atiicdxx.dat
2007-03-23 20:23:23 77,824 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-23 16:14]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11]
"D-Link RangeBooster G WUA-2340"="C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2006-09-01 12:09]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 17:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Parker^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Parker^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Parker^Start Menu^Programs^Startup^Xfire.lnk]
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Documents and Settings\Parker\Desktop\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
"C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvb32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


Contents of the 'Scheduled Tasks' folder
2007-06-13 20:14:27 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-14 21:50:10 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 16:52:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-14 16:52:57
C:\ComboFix-quarantined-files.txt ... 2007-06-14 16:52

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 4:51:06 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\GameSpot\DownloadManager_Win32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Parker\Desktop\hijacktis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [D-Link RangeBooster G WUA-2340] C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179953855515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:28 PM

Posted 15 June 2007 - 12:15 PM

Good work! Let's continue... :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvb32]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allows ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Also please let me know how the system is running...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users