
Nebyzkdm


  • This topic is locked
9 replies to this topic

#1 jimn2

jimn2

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 24 June 2007 - 09:07 AM

I had Vundo a few days ago and removed it with ComboFix; this broke something with the system hive, which I have managed to fix. I still think there are bits of stuff floating around. I'm getting popups to odd sites despite Ad-Aware and S&D being clean.

Here is my HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 16:00:39, on 23/06/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Portrait Displays\ImageTune\DTSRVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\ComputerAssociates\InocuLAN\INOJOBSV.EXE
C:\WINNT\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINNT\system32\IoctlSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Portrait Displays\ImageTune\dthtml.exe
C:\Program Files\ComputerAssociates\InocuLAN\realmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Administrator\Local Settings\Temp\msconfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Exif Launcher 2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: ImageTune.lnk = C:\Program Files\Portrait Displays\ImageTune\dthtml.exe
O4 - Global Startup: InoculateIT Realtime Monitor.LNK = C:\Program Files\ComputerAssociates\InocuLAN\realmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ARCserve Database Engine (ASDBEngine) - Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Job Engine (ASJobEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
O23 - Service: ARCserve Tape Engine (ASTapeEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AutoDownload Server - Computer Associates - C:\Program Files\ComputerAssociates\InocuLAN\GetBBS.EXE
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\Alert\ALERT.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\ImageTune\DTSRVC.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: InoculateIT E-mail Server - Unknown owner - C:\Program Files\ComputerAssociates\InocuLAN\INEXCHSV.EXE
O23 - Service: InoculateIT Server - Unknown owner - C:\Program Files\ComputerAssociates\InocuLAN\INOJOBSV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINNT\system32\IoctlSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINNT\system32\snmptrap.exe (file missing)


Thanks in advance to anyone who spends time looking at these logs.

Edited by jimn2, 24 June 2007 - 09:15 AM.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:29 AM

Posted 30 June 2007 - 12:06 PM

Hello jimn2,

Welcome to Bleeping Computer :thumbsup:

Could you please run ComboFix again and post the log? I'd also like to see a fresh HijackThis log, and we'll go from there. Please also let me know of any changes you've experienced since your original logs.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 jimn2

jimn2
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 30 June 2007 - 03:58 PM

Hi,
I have made a few changes since that HJT log. I have got rid of NIS and replaced it with Sunbelt (Kerio). I have also run a BitDefender AV scan, which picked up some infections. I have also tried to trim the startup a bit by removing some stuff; my Add/Remove Programs only works in Safe Mode. I'm not getting the pop-ups any more, but I'm getting a few strange things, like having to select restart twice before the PC will restart. Here is the ComboFix log.

ComboFix 07-06-13.3 - C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
"Administrator" - 30/06/2007 21:43:08 - Service Pack 4 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-30 18:37 528 --a------ C:\CFCleanUp.bat
2007-06-30 18:31 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_684.dat
2007-06-30 13:21 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-06-30 11:21 0 --a------ C:\WINNT\system32\SBRC.dat
2007-06-30 11:21 0 --a------ C:\WINNT\system32\SBFC.dat
2007-06-30 11:14 15,544 --a------ C:\WINNT\system32\drivers\sbhr.sys
2007-06-30 11:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-06-30 11:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sunbelt Software
2007-06-30 10:53 <DIR> d-------- C:\Program Files\CCleaner
2007-06-29 17:57 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_644.dat
2007-06-29 16:41 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_674.dat
2007-06-26 11:55 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_670.dat
2007-06-25 19:37 451,072 --a------ C:\WINNT\Radeon Omega Drivers v3.8.360 Uninstall.exe
2007-06-25 16:26 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-25 14:49 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-16 19:10 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-16 13:44 <DIR> d-------- C:\WINNT\system32\mevqvvvb
2007-06-16 12:58 86,016 --------- C:\WINNT\system32\bgsvcgen.exe
2007-06-16 12:58 57,344 --------- C:\WINNT\system32\GenSvcInst.exe
2007-06-16 12:58 49,152 --------- C:\WINNT\system32\setupsvc.dll
2007-06-16 12:58 32,256 --------- C:\WINNT\system32\drivers\cdrbsdrv.sys
2007-06-16 12:58 <DIR> d-------- C:\Program Files\PIXELA
2007-06-16 12:56 208,896 --a------ C:\WINNT\system32\FFRafShellEx.dll
2007-06-16 12:56 <DIR> d-------- C:\Program Files\FinePixViewer
2007-06-16 12:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\FUJIFILM
2007-06-16 12:55 81,924 --------- C:\WINNT\system32\drivers\VC4CB104.SYS
2007-06-16 12:55 81,924 --------- C:\WINNT\system32\drivers\V3cb0115.sys
2007-06-16 12:55 81,924 --------- C:\WINNT\system32\drivers\V3cb0113.sys
2007-06-16 12:55 81,924 --------- C:\WINNT\system32\drivers\V3cb010B.sys
2007-06-16 12:55 81,796 --------- C:\WINNT\system32\drivers\V3cb0109.sys
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb013F.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb013D.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb013B.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0131.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb012F.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb012D.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb012B.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0129.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0127.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0125.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0123.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0121.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb011d.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb011B.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0119.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0117.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb0111.SYS
2007-06-16 12:55 81,700 --------- C:\WINNT\system32\drivers\V3cb010F.SYS
2007-06-16 12:55 69,632 --------- C:\WINNT\system32\FREGSHEX.DLL
2007-06-16 12:55 65,536 --------- C:\WINNT\system32\FINFCHECK.dll
2007-06-16 12:55 45,056 --------- C:\WINNT\system32\FINFCOPY.dll
2007-06-16 12:55 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2007-06-16 12:55 274,432 --a------ C:\WINNT\system32\FFTIFF16.dll
2007-06-16 12:55 155,648 --a------ C:\WINNT\system32\FFRAFLIB.DLL
2007-06-16 12:55 <DIR> d-------- C:\Program Files\REGSHAVE
2007-06-15 14:37 27,376 --a------ C:\WINNT\system32\SBBD.exe
2007-06-09 09:00 <DIR> d-------- C:\QUARANTINE
2007-06-06 19:33 <DIR> d-------- C:\found.000
2007-06-03 22:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-03 18:43 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-05-20 00:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-05-19 22:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-19 20:08 <DIR> d-------- C:\VundoFix Backups
2007-05-12 09:24 <DIR> d-------- C:\Program Files\BellesBeautyBoutique_at


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 20:31:02 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Skype
2007-06-30 17:34:48 -------- d-----w C:\Program Files\hijack this
2007-06-30 09:37:59 -------- d--h--w C:\DOCUME~1\ADMINI~1\APPLIC~1\yahoo!
2007-06-30 09:36:10 -------- d-----w C:\Program Files\YahELite
2007-06-29 18:38:46 -------- d-----w C:\Program Files\Gigabyte
2007-06-29 17:59:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-25 19:59:15 -------- d-----w C:\Program Files\ComputerAssociates
2007-06-25 18:56:08 -------- d-----w C:\Program Files\MultiRes
2007-06-25 18:37:31 -------- d-----w C:\Program Files\Radeon Omega Drivers
2007-06-25 15:29:00 -------- d-----w C:\Program Files\SymNetDrv
2007-06-25 15:26:35 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-25 15:26:34 -------- d-----w C:\Program Files\Symantec
2007-06-03 21:46:12 -------- d--ha-w C:\Program Files\WindowsUpdate
2007-06-03 20:12:51 -------- d-----w C:\Program Files\CasinoOnNet
2007-06-03 19:01:18 -------- d-----w C:\Program Files\PPLive TV
2007-06-03 18:33:51 -------- d-----w C:\Program Files\QuickTime
2007-06-03 18:33:23 -------- d-----w C:\Program Files\MSN Messenger
2007-06-03 18:31:28 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-06-03 18:24:49 -------- d-----w C:\Program Files\Cordless USB Phone
2007-06-03 18:23:16 -------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-06-03 14:43:56 -------- d-----w C:\Program Files\Ipswitch
2007-05-25 20:36:20 -------- d-----w C:\Program Files\eMule
2007-05-05 07:31:06 -------- d-----w C:\Program Files\Skype
2007-05-05 07:31:05 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-30 09:15:34 -------- d-----w C:\Program Files\Hewlett-Packard
2007-04-30 09:11:13 -------- d-----w C:\Program Files\AIM
2007-04-16 21:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-14 09:36:54 8,704 ----a-w C:\WINNT\system32\sporder.dll
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [18/12/06 04:16 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [31/05/05 01:04 ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [14/03/07 03:43 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [11/03/03 17:24 ]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [06/03/03 08:00 ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [25/02/03 12:00 ]
"@"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [14/03/07 03:43 ]
"SoundMan"="SOUNDMAN.EXE" [18/03/03 10:04 C:\WINNT\SOUNDMAN.EXE]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/02 22:32 ]
"Synchronization Manager"="mobsync.exe" [19/06/03 20:05 C:\WINNT\system32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [12/11/04 02:10 C:\WINNT\system32\atiptaxx.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [31/08/05 03:34 ]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [15/06/07 15:17 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [07/12/99 13:00 C:\WINNT\system32\internat.exe]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/07 13:34 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
WcesWlgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sygate Personal Firewall]
super.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe"
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"Synchronization Manager"=mobsync.exe /logon
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Sygate Personal Firewall"=super.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN


Contents of the 'Scheduled Tasks' folder
2005-04-30 12:02:26 C:\WINNT\tasks\connect.job
2005-04-30 12:02:32 C:\WINNT\tasks\connect_at_start.job
2007-06-25 13:12:22 C:\WINNT\tasks\Spybot - Search & Destroy - Scheduled Task.job
2005-09-07 07:52:56 C:\WINNT\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 21:44:07
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\ControlSet001\Services\ati2mtag]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\ATI2MTAG]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ati2mtag]
"ImagePath"="system32\DRIVERS\ati2mtag.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet002\Hardware Profiles\0001\System\ControlSet001\Services\ati2mtag]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\ControlSet001\Services\ati2mtag]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\ATI2MTAG]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ati2mtag]
"ImagePath"="system32\DRIVERS\ati2mtag.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet002\Hardware Profiles\0001\System\ControlSet001\Services\ati2mtag]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\MNMDD]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mnmdd]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\VGASAVE]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\ControlSet001\Services\ati2mtag]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\ATI2MTAG]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ati2mtag]
"ImagePath"="system32\DRIVERS\ati2mtag.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet002\Hardware Profiles\0001\System\ControlSet001\Services\ati2mtag]

Completion time: 30/06/2007 21:44:50
C:\ComboFix-quarantined-files.txt ... 30/06/07 21:44
C:\ComboFix2.txt ... 30/06/07 18:41
C:\ComboFix3.txt ... 24/06/07 18:31

--- E O F ---


and here is the new HJT log


Logfile of HijackThis v1.99.1
Scan saved at 18:34:48, on 30/06/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\WINNT\system32\bgsvcgen.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Portrait Displays\ImageTune\DTSRVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINNT\system32\IoctlSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
c:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk.disabled
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Exif Launcher 2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: ImageTune.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ARCserve Database Engine (ASDBEngine) - Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\DBENG.exe
O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Computer Associates - C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
O23 - Service: ARCserve Job Engine (ASJobEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\jobeng.exe
O23 - Service: ARCserve Message Engine (ASMsgEngine) - Computer Associates International, Inc. - C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\ImageTune\dtsslsrv.exe
O23 - Service: ARCserve Tape Engine (ASTapeEngine) - Unknown owner - C:\Program Files\ComputerAssociates\ARCserve\tapeeng.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\ImageTune\DTSRVC.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINNT\system32\IoctlSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINNT\system32\snmptrap.exe (file missing)
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Thanks for the interest

Jim.

#4 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 03 July 2007 - 12:10 PM

Hello,

I see you've done a lot on your own, or have had help somewhere else. This is bad, because now I have no way of knowing what's been going on and what you might have done, or how to fix your problem with accuracy. :thumbsup: There is nothing glaring in your HijackThis log, and nothing deleted with ComboFix.

Do you have a log from BitDefender? You said it found some things and I'd like to see what.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 jimn2 (Topic Starter, Members, 5 posts)

Posted 03 July 2007 - 05:23 PM

Hi
Yeah, I have done one or two changes. I am away from home for the week working, so I only get to look at the problem at weekends. Everything "seems" OK now. I found the BITS service was stuck in "starting"; I managed to reinstall this, which fixed the Add/Remove Programs issue and allowed me to do an auto update (there were quite a lot of updates to be done). I also picked up a hardware fault when I removed the SCSI card: it looks like there was a problem on one of the IDE ribbons that was causing crashes and freezes. I will post the BitDefender log on Friday if you keep this open.

loads of thanks

Jim.

#6 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 03 July 2007 - 07:34 PM

Hello, and thanks for letting me know. :thumbsup: If you think you still have a malware issue, then by all means post the BD report. If all seems well after a few days, then I'll close the thread.

Regards,
tea

#7 jimn2 (Topic Starter, Members, 5 posts)

Posted 06 July 2007 - 04:35 PM

Hi Tea
here is the BD scan


BitDefender Online Scanner

Scan report generated at: Sat, Jun 30, 2007 - 16:08:55
Scan path: A:\;C:\;D:\;E:\;

Statistics
  Time: 02:45:04
  Files: 1063732
  Folders: 9250
  Boot Sectors: 4
  Archives: 36459
  Packed Files: 75867

Results
  Identified Viruses: 5
  Infected Files: 7
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 7

Engines Info
  Virus Definitions: 636067
  Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 6
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status
  C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\matureslut[1].htm
    Infected with: VBS.Trojan.Downloader.Small.E
  C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\matureslut[1].htm
    Disinfection failed
  C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\matureslut[1].htm
    Deleted
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{380D6A7E-3D47-4CAC-9A50-EFD130FF1851}\Microsoft\Outlook Express\Inbox.dbx=>(message 267)=>[Subject: Here that page which you asked to send][Date: Thu, 15 Mar 2007 10:21:54 +0530]=>(MIME part)=>msg.zip=>ht.hta
    Infected with: JS.Feebs2.Gen
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{380D6A7E-3D47-4CAC-9A50-EFD130FF1851}\Microsoft\Outlook Express\Inbox.dbx=>(message 267)=>[Subject: Here that page which you asked to send][Date: Thu, 15 Mar 2007 10:21:54 +0530]=>(MIME part)=>msg.zip=>ht.hta
    Disinfection failed
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{380D6A7E-3D47-4CAC-9A50-EFD130FF1851}\Microsoft\Outlook Express\Inbox.dbx=>(message 267)=>[Subject: Here that page which you asked to send][Date: Thu, 15 Mar 2007 10:21:54 +0530]=>(MIME part)=>msg.zip=>ht.hta
    Deleted
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{380D6A7E-3D47-4CAC-9A50-EFD130FF1851}\Microsoft\Outlook Express\Inbox.dbx=>(message 267)=>[Subject: Here that page which you asked to send][Date: Thu, 15 Mar 2007 10:21:54 +0530]=>(MIME part)=>msg.zip
    Updated
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{380D6A7E-3D47-4CAC-9A50-EFD130FF1851}\Microsoft\Outlook Express\Inbox.dbx=>(message 267)=>[Subject: Here that page which you asked to send][Date: Thu, 15 Mar 2007 10:21:54 +0530]=>(MIME part)
    Updated
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{380D6A7E-3D47-4CAC-9A50-EFD130FF1851}\Microsoft\Outlook Express\Inbox.dbx=>(message 267)
    Updated
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{380D6A7E-3D47-4CAC-9A50-EFD130FF1851}\Microsoft\Outlook Express\Inbox.dbx
    Update failed
  C:\WINNT\system32\scchk32.exe
    Infected with: Trojan.Agent.AOL
  C:\WINNT\system32\scchk32.exe
    Disinfection failed
  C:\WINNT\system32\scchk32.exe
    Deleted
  E:\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Hi][From: kutties@aol.com]=>MyMovie.zip=>My-Private-H0t-Movies.exe
    Infected with: Trojan.Dialer.PN
  E:\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Hi][From: kutties@aol.com]=>MyMovie.zip=>My-Private-H0t-Movies.exe
    Disinfection failed
  E:\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Hi][From: kutties@aol.com]=>MyMovie.zip=>My-Private-H0t-Movies.exe
    Deleted
  E:\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: Hi][From: kutties@aol.com]=>MyMovie.zip
    Updated
  E:\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
    Updated
  E:\downloads\eMule\Incoming\norton 2005 4 in 1 NSW 2005 NIS 2005 nav 2005 norton ghost v 9 by cobra.iso=>SYSTEMW/CRACK/KGNSW.EXE
    Infected with: Trojan.Downloader.Delf.BR
  E:\downloads\eMule\Incoming\norton 2005 4 in 1 NSW 2005 NIS 2005 nav 2005 norton ghost v 9 by cobra.iso=>SYSTEMW/CRACK/KGNSW.EXE
    Disinfection failed
  E:\downloads\eMule\Incoming\norton 2005 4 in 1 NSW 2005 NIS 2005 nav 2005 norton ghost v 9 by cobra.iso=>SYSTEMW/CRACK/KGNSW.EXE
    Deleted
  E:\downloads\eMule\Incoming\norton 2005 4 in 1 NSW 2005 NIS 2005 nav 2005 norton ghost v 9 by cobra.iso
    Update failed
  E:\downloads\eMule\Incoming\Symantec Norton 2005 Key Generators (Antivirus - Systemworks - Internet Sec=>Symantec Norton 2005 Key Generators ( antivirus - systemworks - internet security )\Systemworks 2005 Key Generator\KEY GENERATOR.EXE
    Infected with: Trojan.Downloader.Delf.BR
  E:\downloads\eMule\Incoming\Symantec Norton 2005 Key Generators (Antivirus - Systemworks - Internet Sec=>Symantec Norton 2005 Key Generators ( antivirus - systemworks - internet security )\Systemworks 2005 Key Generator\KEY GENERATOR.EXE
    Disinfection failed
  E:\downloads\eMule\Incoming\Symantec Norton 2005 Key Generators (Antivirus - Systemworks - Internet Sec=>Symantec Norton 2005 Key Generators ( antivirus - systemworks - internet security )\Systemworks 2005 Key Generator\KEY GENERATOR.EXE
    Deleted
  E:\downloads\eMule\Incoming\Symantec Norton 2005 Key Generators (Antivirus - Systemworks - Internet Sec
    Update failed
  E:\downloads\norton\SYSTEMW\CRACK\KGNSW.EXE
    Infected with: Trojan.Downloader.Delf.BR
  E:\downloads\norton\SYSTEMW\CRACK\KGNSW.EXE
    Disinfection failed
  E:\downloads\norton\SYSTEMW\CRACK\KGNSW.EXE
    Deleted



I think the machine is clean now. Thanks for all your help with the issues.

Jim.
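A scan report with nested entries like the one above is easy to misread: a leaf marked "Deleted" inside a mailbox or disc image only leaves the disk if the outermost file was actually rewritten. The following Python script is an added example, not part of this thread and not a BitDefender tool. It parses records in a simplified one-record-per-line "path | status" layout (an assumption of the example; the real report is a two-column table), rebuilds the container chain from the "=>" separators, and separates items the scanner really removed from files that still need attention. The abbreviated paths in SAMPLE_REPORT are constructed from entries in the report, and reading "Update failed" on the outermost file as "the cleaned container was not written back" is this example's interpretation, not documented scanner behaviour.

```python
"""Triage a BitDefender-style scan report: which files still need manual cleanup?

Added example (not a BitDefender tool). Records are assumed to be one per line
as "<path> | <status>"; the real report is a two-column table, so flatten it first.
"""
import re

# Constructed sample: entries copied from the report posted above, paths
# abbreviated. "=>" separates a container from the item found inside it.
SAMPLE_REPORT = r"""
C:\Quarantine\matureslut[1].htm | Infected with: VBS.Trojan.Downloader.Small.E
C:\Quarantine\matureslut[1].htm | Disinfection failed
C:\Quarantine\matureslut[1].htm | Deleted
C:\OE\Inbox.dbx=>(message 267)=>(MIME part)=>msg.zip=>ht.hta | Infected with: JS.Feebs2.Gen
C:\OE\Inbox.dbx=>(message 267)=>(MIME part)=>msg.zip=>ht.hta | Disinfection failed
C:\OE\Inbox.dbx=>(message 267)=>(MIME part)=>msg.zip=>ht.hta | Deleted
C:\OE\Inbox.dbx=>(message 267)=>(MIME part)=>msg.zip | Updated
C:\OE\Inbox.dbx=>(message 267)=>(MIME part) | Updated
C:\OE\Inbox.dbx=>(message 267) | Updated
C:\OE\Inbox.dbx | Update failed
E:\Outlook\Outlook.pst=>MyMovie.zip=>My-Private-H0t-Movies.exe | Infected with: Trojan.Dialer.PN
E:\Outlook\Outlook.pst=>MyMovie.zip=>My-Private-H0t-Movies.exe | Disinfection failed
E:\Outlook\Outlook.pst=>MyMovie.zip=>My-Private-H0t-Movies.exe | Deleted
E:\Outlook\Outlook.pst=>MyMovie.zip | Updated
E:\Outlook\Outlook.pst | Updated
E:\downloads\norton-4in1.iso=>SYSTEMW/CRACK/KGNSW.EXE | Infected with: Trojan.Downloader.Delf.BR
E:\downloads\norton-4in1.iso=>SYSTEMW/CRACK/KGNSW.EXE | Disinfection failed
E:\downloads\norton-4in1.iso=>SYSTEMW/CRACK/KGNSW.EXE | Deleted
E:\downloads\norton-4in1.iso | Update failed
"""

CLEAN_STATUSES = {"Deleted", "Disinfected"}


def parse_records(text):
    """Return [(path, status), ...] in report order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, sep, status = line.rpartition(" | ")
        if not sep:
            raise ValueError(f"unparseable record: {line!r}")
        records.append((path.strip(), status.strip()))
    return records


def outermost_file(path):
    """The on-disk file holding a nested item: 'a.pst=>b.zip=>c.exe' -> 'a.pst'."""
    return path.split("=>", 1)[0]


def triage(records):
    """Split detections into items really gone and files that still need attention.

    Interpretation assumed here (not documented scanner behaviour): a leaf marked
    Deleted inside a container only leaves the disk when the outermost file
    reports Updated; 'Update failed' means the original file is unchanged.
    """
    detections = {}      # leaf path -> malware name (first detection seen)
    final_status = {}    # path -> last non-detection status reported for it
    for path, status in records:
        m = re.match(r"Infected with:\s*(.+)", status)
        if m:
            detections.setdefault(path, m.group(1))
        else:
            final_status[path] = status

    removed, needs_manual_cleanup = [], []
    for leaf, malware in detections.items():
        outer = outermost_file(leaf)
        entry = {"file": outer, "item": leaf, "malware": malware}
        leaf_status = final_status.get(leaf, "no action")
        if leaf_status not in CLEAN_STATUSES:
            entry["reason"] = f"scanner left the item in place ({leaf_status})"
            needs_manual_cleanup.append(entry)
        elif leaf != outer and final_status.get(outer) != "Updated":
            entry["reason"] = (f"item {leaf_status.lower()} inside the container, but the "
                               f"container reported '{final_status.get(outer, 'no status')}', "
                               "so the file on disk was not rewritten")
            needs_manual_cleanup.append(entry)
        else:
            removed.append(entry)
    return {"removed": removed, "needs_manual_cleanup": needs_manual_cleanup}


def main():
    result = triage(parse_records(SAMPLE_REPORT))
    print("Removed:")
    for e in result["removed"]:
        print(f"  {e['malware']:32} {e['item']}")
    print("Still needs manual cleanup (remove the item from the mailbox/archive, or delete the file):")
    for e in result["needs_manual_cleanup"]:
        print(f"  {e['file']}\n    {e['malware']}: {e['reason']}")


if __name__ == "__main__":
    main()
```

Run as a script it prints both lists; on the sample, Inbox.dbx and the .iso come out as still needing manual cleanup while the quarantined .htm and the Outlook.pst attachment are reported as gone. That is the practical reason behind the advice, later in this thread, to go through the mail stores by hand rather than trusting a "Deleted" line on a nested item.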

#8 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 06 July 2007 - 06:33 PM

Hello,

You're welcome, but as long as you keep downloading illegal programs you'll keep getting infected. :thumbsup: You need to go through Outlook and delete everything you don't recognize or need. Empty Dr. Web's quarantine also. Delete ComboFix and its folder C:\Qoobox.

Take care,
tea

#9 jimn2 (Topic Starter, Members, 5 posts)

Posted 07 July 2007 - 01:50 AM

I take it you're talking about the stuff on the E:\ drive. This was a backup of a machine that I did for someone ages ago; I will shred and format that drive. I completely forgot it had that partition :thumbsup: . Thanks once again for your help.

Jim.

#10 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 11 July 2007 - 10:08 AM

Glad I could help. :thumbsup:

http://mvps.org/winhelp2002/unwanted.htm <<<excellent reading here!

Take care,
tea



