
Errorsafe/systemdoctor/various Popups - Trojan


  • This topic is locked
43 replies to this topic

#1 Stick-man

Stick-man

  • Members
  • 23 posts
  • Gender:Male
  • Location:Central Queensland, AUS
  • Local time:12:14 PM

Posted 02 July 2007 - 11:53 PM

2 days ago I was hit with a nasty little bug that decided to put ads and popups on my screen while I was trying to do work. I have been reading various How-To guides and websites (including this one) and trying to follow as many steps as possible.

Everyone recommends different software, and different strategies - and none of them are working for me. However the use of HJT is one constant, so I am now going to use it in the hopes that someone can help me!!!

Logfile of HijackThis v1.99.1
Scan saved at 2:45:29 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Christopher Allen\Application Data\tmp20D.tmp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe
C:\Documents and Settings\Christopher Allen\Application Data\tmp629.tmp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Christopher Allen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4barsrest.com/downunder/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {4e776c98-065b-4db8-a818-c2b1faeda817} - C:\WINDOWS\system32\dvdlib.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\ssqpnkk.dll
O20 - Winlogon Notify: dvdlib - C:\WINDOWS\SYSTEM32\dvdlib.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


I am also running another Panda scan (I've just paid for the 6 month service, so I could complain that it wouldn't disinfect the files, like it told me it would when I upgraded) and it is finding and disinfecting some more viruses......... I'll inform you if it's of any consequence.
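The log above is the kind of thing a helper reads by eye: a process running out of Application Data with a tmpNNN.tmp.exe name, an AppInit_DLLs entry, and one DLL (dvdlib.dll) registered both as a browser helper object and as a Winlogon Notify package. The script below is an added example, not code from this thread, from HijackThis or from any of the posters; it parses the plain-text HijackThis format and applies those heuristics to a constructed excerpt of the log above. The severity labels, regular expressions and the "BHO that is also a Winlogon Notify DLL" rule are this example's own assumptions.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not from the thread).

Heuristics applied (all assumptions of this example, not HijackThis output):
  * a process running from a user profile's Application Data / Local Settings
    folder, or with a tmpNNN.tmp.exe style name (the tmp20D.tmp.exe line above);
  * O20 AppInit_DLLs, which loads the named DLL into every GUI process;
  * O20 Winlogon Notify packages, rated higher when the same DLL is also
    registered as an O2 BHO (the dvdlib.dll pattern in the log above);
  * unnamed O2 BHOs loaded from the Windows directory;
  * O23 services whose binary is missing (clean-up item, not an infection).
"""
import re
from dataclasses import dataclass

# Constructed sample: a verbatim subset of the log lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Christopher Allen\Application Data\tmp20D.tmp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Christopher Allen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4barsrest.com/downunder/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {4e776c98-065b-4db8-a818-c2b1faeda817} - C:\WINDOWS\system32\dvdlib.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O20 - AppInit_DLLs: c:\windows\system32\ssqpnkk.dll
O20 - Winlogon Notify: dvdlib - C:\WINDOWS\SYSTEM32\dvdlib.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "info"
    item: str      # HJT item type (O2, O20, O23) or "process"
    detail: str


PROFILE_PATH_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Application Data|Local Settings)\\", re.I)
TMP_NAME_RE = re.compile(r"\\tmp[0-9A-F]+\.tmp\.(exe|dll)$", re.I)
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\", re.I)
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$", re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")


def parse_log(text):
    """Return (running processes, HJT entry lines) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process block ends at the first blank line
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Apply the heuristics above; returns findings in log order."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if PROFILE_PATH_RE.search(proc) or TMP_NAME_RE.search(proc):
            findings.append(Finding("high", "process",
                                    f"running from a user profile data folder: {proc}"))
    # First pass: every DLL registered as a BHO, for cross-checking O20 entries.
    bho_paths = {m.group("path").lower() for m in map(O2_RE.match, entries) if m}
    for entry in entries:
        if m := O2_RE.match(entry):
            if m.group("name") == "(no name)" and WINDIR_RE.match(m.group("path")):
                findings.append(Finding("medium", "O2",
                                        f"unnamed BHO loaded from the Windows directory: {m.group('path')}"))
        elif m := APPINIT_RE.match(entry):
            findings.append(Finding("high", "O20",
                                    f"AppInit_DLLs injects into every GUI process: {m.group('value')}"))
        elif m := NOTIFY_RE.match(entry):
            path = m.group("path")
            if path.lower() in bho_paths:
                findings.append(Finding("high", "O20", f"Winlogon Notify DLL is also a BHO: {path}"))
            else:
                findings.append(Finding("medium", "O20",
                                        f"Winlogon Notify package {m.group('key')}: {path}"))
        elif (m := SERVICE_RE.match(entry)) and entry.endswith("(file missing)"):
            findings.append(Finding("info", "O23", f"service binary is missing: {m.group('rest')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item:8} {f.detail}")
```

Run as-is it reports five findings for the excerpt: the tmp20D.tmp.exe process, the unnamed dvdlib.dll BHO, the AppInit_DLLs entry, the dvdlib.dll Winlogon Notify package (raised to high because the same DLL is a BHO), and the missing Symantec service binary; the Adobe BHO, the Symantec BHO and HijackThis.exe on the Desktop are not flagged. A real triage would feed the whole log to `triage()` and still verify each flagged path by hand, since the rules are deliberately simple.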



#2 Stick-man

Stick-man
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Location:Central Queensland, AUS
  • Local time:12:14 PM

Posted 03 July 2007 - 02:11 AM

OK, here's the panda results too.....




#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 05 July 2007 - 05:36 PM

Hello Stick-man,

I am SifuMike and I will be helping you. :flowers:

I am also running another Panda scan (I've just paid for the 6 month service, so I could complain that it wouldn't disinfect the files, like it told me it would when I upgraded) and it is finding and disinfecting some more viruses.........



Before we start, you need to realize that you are missing one important program on that computer: An antivirus. :thumbsup:
I don't see a Panda antivirus program in your log, but I see you ran the Panda Online scanner.

Online virus scanners will not protect your computer from viruses as they are not actively running. Viruses can sneak into your computer in seconds, so you have to have an antivirus program resident in memory and running. Online virus scanners are meant to supplement your antivirus program, NOT replace it.

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!






Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt (Do not attach the log).
***********************


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log in your next reply and a fresh HijackThis log (DO NOT attach the logs).

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 05 July 2007 - 06:00 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Stick-man

Stick-man
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Location:Central Queensland, AUS
  • Local time:12:14 PM

Posted 07 July 2007 - 04:58 AM

Hi,

Just before I begin, I wish to clarify that my computer was purchased 6 months ago with Norton. When the trial ran out, I upgraded to Norton 360, a virus checker AND firewall. I acknowledge that the Norton name carries little pull, however it cannot be said that I was not running any form of virus scanner.

I am now running Avast!


VundoFix
VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 6:41:15 PM 7/7/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp6.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!



ComboFix

"Christopher Allen" - 2007-07-07 19:15:24 - ComboFix 07-07-07.3 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ssqpnkk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp13.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp14.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp15.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp18.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp20D.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp211.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp214.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp629.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp62A.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp62C.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp9E5.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp9E6.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmp9E8.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpAA.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpAB.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpB3.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpC.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpE2.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpE5.tmp.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\tmpF.tmp.exe
C:\WINDOWS\system32\tmp15.tmp.dll
C:\WINDOWS\system32\tmp214.tmp.dll
C:\WINDOWS\system32\tmp62C.tmp.dll
C:\WINDOWS\system32\tmp9E8.tmp.dll
C:\WINDOWS\system32\tmpAB.tmp.dll
C:\WINDOWS\system32\tmpE5.tmp.dll
C:\WINDOWS\system32\tmpF.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))


2007-07-07 19:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 19:11 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-07 19:11 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-07 19:11 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-07 19:11 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-07 19:10 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-07 19:10 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-07 19:10 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-07 19:10 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-07 18:41 <DIR> d-------- C:\VundoFix Backups
2007-07-04 17:39 134,993 --a------ C:\WINDOWS\gebyaw.dll
2007-07-03 18:47 134,914 --a------ C:\WINDOWS\byyyvs.dll
2007-07-03 12:02 134,972 --a------ C:\WINDOWS\mlmkhh.dll
2007-07-03 11:40 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2007-07-03 11:40 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2007-07-03 11:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-03 10:34 3,890 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-03 09:09 <DIR> d-------- C:\WINDOWS\CSC
2007-07-02 08:34 92,818 --a------ C:\WINDOWS\system32\dvdlib.dll
2007-07-02 08:33 105,442 --a------ C:\WINDOWS\system32\awvvs.exe
2007-07-02 07:38 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-02 07:21 92,737 --a------ C:\WINDOWS\system32\ipxuth.dll
2007-07-02 07:21 105,504 --a------ C:\WINDOWS\system32\pmkjk.exe
2007-07-02 07:11 134,871 --a------ C:\WINDOWS\khihff.dll
2007-07-02 00:02 105,451 --a------ C:\WINDOWS\system32\mljge.exe
2007-07-01 23:14 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Tenebril
2007-07-01 23:09 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-07-01 23:09 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-07-01 23:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-07-01 22:56 105,456 --a------ C:\WINDOWS\system32\mljji.exe
2007-07-01 21:50 92,625 --a------ C:\WINDOWS\system32\kbdhta.dll
2007-07-01 21:50 105,396 --a------ C:\WINDOWS\system32\vturo.exe
2007-06-30 12:20 84,585 --a------ C:\WINDOWS\system32\dn3099a3b3.dat
2007-06-30 11:56 <DIR> d-------- C:\DOCUME~1\CHRIST~1\Incomplete
2007-06-30 11:56 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\LimeWire
2007-06-25 17:07 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Help
2007-06-22 12:19 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-12 15:24 <DIR> d-------- C:\Program Files\Telstra
2007-06-12 08:42 56,320 --a------ C:\WINDOWS\system32\iyvu9_32.dll
2007-06-12 08:42 136,704 --a------ C:\WINDOWS\system32\iacenc.dll
2007-06-12 08:40 <DIR> d-------- C:\Program Files\LucasArts
2007-06-10 20:52 <DIR> d-------- C:\Program Files\IMVU
2007-06-07 16:34 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\IMVU


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-07 09:47:17 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-07 09:19:34 -------- d-----w C:\Program Files\Norton 360
2007-07-07 09:05:42 -------- d-----w C:\Program Files\Plaxo
2007-07-04 05:29:42 -------- d-----w C:\Program Files\Protector Suite QL
2007-07-03 13:46:18 -------- d-----w C:\Program Files\QuickTime
2007-07-03 09:59:25 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Simple Sudoku
2007-07-03 04:56:39 -------- d-----w C:\Program Files\MSN Messenger
2007-07-03 01:38:16 -------- d-----w C:\Program Files\Messenger
2007-07-02 14:02:16 -------- d-----w C:\Program Files\BitLord
2007-07-01 10:02:26 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-29 06:38:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-29 06:34:40 -------- d--h--r C:\DOCUME~1\CHRIST~1\APPLIC~1\yahoo!
2007-06-29 06:32:42 -------- d-----w C:\Program Files\BitLord2
2007-06-25 07:07:15 -------- d-----w C:\Program Files\Simple Sudoku
2007-06-17 12:27:08 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Canon
2007-05-29 02:01:23 -------- d-----w C:\Program Files\Zero G Registry
2007-05-29 02:01:22 -------- d-----w C:\Program Files\Pyware iPAS
2007-05-26 01:33:33 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\toshiba
2007-05-23 08:05:00 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Symantec
2007-05-22 13:12:44 -------- d-----w C:\Program Files\Thinc
2007-05-22 13:08:55 -------- d-----w C:\Program Files\Symantec
2007-05-22 13:08:54 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-22 13:08:54 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 21:25:45 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-01 07:12:35 0 ----a-w C:\WINDOWS\system32\SBRC.dat
2007-05-01 07:12:35 0 ----a-w C:\WINDOWS\system32\SBFC.dat
2007-04-28 10:14:14 81,920 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\ezpinst.exe
2007-04-28 10:14:14 47,360 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\pcouffin.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e776c98-065b-4db8-a818-c2b1faeda817}]
2007-07-02 08:34 92818 --a------ C:\WINDOWS\system32\dvdlib.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 08:29 C:\WINDOWS\agrsmmsg.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 20:43 C:\WINDOWS\Alcmtr.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 10:13]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-12-01 06:25]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-06 08:02]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-12 09:03 C:\WINDOWS\system32\TDispVol.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 18:02]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 17:36]
"TPSMain"="TPSMain.exe" [2005-05-31 21:00 C:\WINDOWS\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" []
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 11:47]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 15:59]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-24 08:21]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-05-01 01:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 18:32]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 12:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-04-14 06:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dvdlib]
dvdlib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\ssqpnkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli psqlpwd


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f9f8e42-d992-11db-b6de-0018de4bc76b}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72e19fec-ea70-11db-b6f9-0018de4bc76b}]
AutoRun\command- E:\setupSNK.exe

*Newly Created Service* - AAVMKER4
*Newly Created Service* - ASWMON2
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWTDI
*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER

Contents of the 'Scheduled Tasks' folder
2007-07-07 09:48:04 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 19:48:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-07 19:51:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-07 19:50

--- E O F ---


HJT
Logfile of HijackThis v1.99.1
Scan saved at 7:57:37 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Christopher Allen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566....com/downunder/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {4e776c98-065b-4db8-a818-c2b1faeda817} - C:\WINDOWS\system32\dvdlib.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\ssqpnkk.dll
O20 - Winlogon Notify: dvdlib - C:\WINDOWS\SYSTEM32\dvdlib.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
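The log above is what a helper reads before writing the reply that follows, and a few of its lines carry most of the signal: a non-empty O20 AppInit_DLLs value, a DLL that appears both as an unnamed O2 BHO and as an O20 Winlogon Notify package, and O23 services reported as "(file missing)" even though the same executables show up in the Running processes list of the later log. The script below is an added example, not part of this thread and not HijackThis logic: it applies those checks to lines copied from the posted log (plus the Adobe BHO and the avast! Run key as benign controls, and the sample marked as constructed). The severity levels, the Winlogon Notify allowlist, and the cross-referencing of O2 against O20 are this example's own assumptions, and a "medium" hit such as psqlpwd.dll (the Protector Suite QL fingerprint software visible elsewhere in the log) is exactly the kind of entry a helper clears by hand.

```python
"""Triage a HijackThis 1.99.1 log for high-signal loading points.

Added example, not part of the forum thread and not HijackThis logic.
The heuristics and the KNOWN_NOTIFY allowlist are assumptions of this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


# Assumed allowlist: Winlogon Notify packages that ship with Windows XP SP2
# plus the WGA notifier. Anything else gets a second look.
KNOWN_NOTIFY = {"wgalogon.dll", "scecli.dll", "wlnotify.dll", "crypt32.dll",
                "cryptnet.dll", "sclgntfy.dll", "schedule.dll", "termsrv.dll"}

# First DLL or EXE path on a line, stopping at the stray closing quote that
# HijackThis 1.99.1 leaves when it mis-parses a quoted service path with args.
PATH_RE = re.compile(r'([a-zA-Z]:\\[^"]+?\.(?:dll|exe))', re.IGNORECASE)

# Constructed sample: lines copied from the log posted above, plus two
# benign entries (the Adobe BHO and the avast! Run key) as controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {4e776c98-065b-4db8-a818-c2b1faeda817} - C:\WINDOWS\system32\dvdlib.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: c:\windows\system32\ssqpnkk.dll
O20 - Winlogon Notify: dvdlib - C:\WINDOWS\SYSTEM32\dvdlib.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


def _module_name(line):
    """Lower-cased file name of the first path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None


def triage(log_text):
    """Return findings sorted high -> low. O2 entries are cross-referenced
    against O20 so a DLL registered at two loading points outranks either."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    bho_dlls = {_module_name(l) for l in lines if l.startswith("O2 - ")} - {None}
    findings = []
    for line in lines:
        name = _module_name(line)
        if line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append(Finding("high", line,
                    "AppInit_DLLs is normally empty on XP; this DLL is loaded "
                    "into every process that loads user32.dll"))
        elif line.startswith("O20 - Winlogon Notify:"):
            if name in bho_dlls:
                findings.append(Finding("high", line,
                    f"{name} is registered both as a BHO and as a Winlogon "
                    "Notify package"))
            elif name and name not in KNOWN_NOTIFY:
                findings.append(Finding("medium", line,
                    f"{name} is not in the Winlogon Notify allowlist"))
        elif line.startswith("O2 - BHO: (no name)"):
            if "(no file)" in line:
                findings.append(Finding("low", line,
                    "orphaned BHO registration with no DLL on disk"))
            elif name and "\\system32\\" in line.lower():
                findings.append(Finding("medium", line,
                    f"unnamed BHO loading {name} from system32"))
        elif line.startswith("O23 - ") and "(file missing)" in line:
            findings.append(Finding("low", line,
                "'(file missing)' after a quoted path with arguments is usually "
                "a HijackThis 1.99.1 parsing artifact; check the process list"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Run it against a saved hijackthis.log by passing the file contents to triage(). The point of the cross-reference is that a random-looking DLL at one loading point is a guess, while the same DLL at a BHO and a Winlogon Notify key is a pattern: it gets loaded into Internet Explorer and into winlogon.exe, which is why it survives reboots and ordinary removal attempts.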

#5 SifuMike (malware expert)

Posted 07 July 2007 - 12:17 PM

Hi Stick-man,

I see a lot of malware on your computer, so let's run AVG Anti-Spyware. It should remove some of it.


Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.
    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30-day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

Run ComboFix again and post a ComboFix log.

When done, submit the AVG Anti-Spyware 7.5 log, the ComboFix log and a fresh Hijackthis log.
Please do not attach any of the logs, as they are harder to read that way.

Edited by SifuMike, 07 July 2007 - 12:32 PM.


#6 Stick-man (Topic Starter)

Posted 07 July 2007 - 07:21 PM

AVG
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 09:57 2007-07-08

+ Scan result:



C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmp13.tmp.exe.vir -> Downloader.Tiny.id : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmp20D.tmp.exe.vir -> Downloader.Tiny.id : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmp4.tmp.exe.vir -> Downloader.Tiny.id : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmp629.tmp.exe.vir -> Downloader.Tiny.id : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmp7.tmp.exe.vir -> Downloader.Tiny.id : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmp9E5.tmp.exe.vir -> Downloader.Tiny.id : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmpC.tmp.exe.vir -> Downloader.Tiny.id : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Christopher Allen\Cookies\christopher allen@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmpB3.tmp.exe.vir -> Trojan.Pakes : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmp9E6.tmp.exe.vir -> Trojan.Small : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmpAA.tmp.exe.vir -> Trojan.Small : Cleaned.
C:\QooBox\Quarantine\C\DOCUME~1\CHRIST~1\APPLIC~1\tmpAB.tmp.exe.vir -> Trojan.Small : Cleaned.


::Report end

Combofix
"Christopher Allen" - 2007-07-08 10:13:49 - ComboFix 07-07-07.3 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-08 07:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-08 07:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-07 19:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 19:11 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-07 19:11 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-07 19:11 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-07 19:11 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-07 19:10 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-07 19:10 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-07 19:10 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-07 19:10 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-07 18:41 <DIR> d-------- C:\VundoFix Backups
2007-07-03 18:47 134,914 --a------ C:\WINDOWS\byyyvs.dll
2007-07-03 12:02 134,972 --a------ C:\WINDOWS\mlmkhh.dll
2007-07-03 11:40 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2007-07-03 11:40 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2007-07-03 11:06 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-03 10:34 3,890 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-03 09:09 <DIR> d-------- C:\WINDOWS\CSC
2007-07-02 08:34 92,818 --a------ C:\WINDOWS\system32\dvdlib.dll
2007-07-02 08:33 105,442 --a------ C:\WINDOWS\system32\awvvs.exe
2007-07-02 07:38 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-02 07:21 92,737 --a------ C:\WINDOWS\system32\ipxuth.dll
2007-07-02 07:21 105,504 --a------ C:\WINDOWS\system32\pmkjk.exe
2007-07-02 07:11 134,871 --a------ C:\WINDOWS\khihff.dll
2007-07-02 00:02 105,451 --a------ C:\WINDOWS\system32\mljge.exe
2007-07-01 23:14 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Tenebril
2007-07-01 23:09 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-07-01 23:09 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-07-01 23:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-07-01 22:56 105,456 --a------ C:\WINDOWS\system32\mljji.exe
2007-07-01 21:50 92,625 --a------ C:\WINDOWS\system32\kbdhta.dll
2007-07-01 21:50 105,396 --a------ C:\WINDOWS\system32\vturo.exe
2007-06-30 12:20 18 --a------ C:\WINDOWS\system32\dn3099a3b3.dat
2007-06-30 11:56 <DIR> d-------- C:\DOCUME~1\CHRIST~1\Incomplete
2007-06-30 11:56 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\LimeWire
2007-06-25 17:07 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Help
2007-06-22 12:19 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-12 15:24 <DIR> d-------- C:\Program Files\Telstra
2007-06-12 08:42 56,320 --a------ C:\WINDOWS\system32\iyvu9_32.dll
2007-06-12 08:42 136,704 --a------ C:\WINDOWS\system32\iacenc.dll
2007-06-12 08:40 <DIR> d-------- C:\Program Files\LucasArts
2007-06-10 20:52 <DIR> d-------- C:\Program Files\IMVU


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 00:06:39 -------- d-----w C:\Program Files\Plaxo
2007-07-07 10:01:43 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 09:47:17 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-07 09:19:34 -------- d-----w C:\Program Files\Norton 360
2007-07-04 05:29:42 -------- d-----w C:\Program Files\Protector Suite QL
2007-07-03 13:46:18 -------- d-----w C:\Program Files\QuickTime
2007-07-03 09:59:25 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Simple Sudoku
2007-07-03 04:56:39 -------- d-----w C:\Program Files\MSN Messenger
2007-07-03 01:38:16 -------- d-----w C:\Program Files\Messenger
2007-07-02 14:02:16 -------- d-----w C:\Program Files\BitLord
2007-06-29 06:38:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-29 06:34:40 -------- d--h--r C:\DOCUME~1\CHRIST~1\APPLIC~1\yahoo!
2007-06-29 06:32:42 -------- d-----w C:\Program Files\BitLord2
2007-06-26 13:14:18 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\IMVU
2007-06-25 07:07:15 -------- d-----w C:\Program Files\Simple Sudoku
2007-06-17 12:27:08 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Canon
2007-05-29 02:01:23 -------- d-----w C:\Program Files\Zero G Registry
2007-05-29 02:01:22 -------- d-----w C:\Program Files\Pyware iPAS
2007-05-26 01:33:33 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\toshiba
2007-05-23 08:05:00 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Symantec
2007-05-22 13:12:44 -------- d-----w C:\Program Files\Thinc
2007-05-22 13:08:55 -------- d-----w C:\Program Files\Symantec
2007-05-22 13:08:54 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-22 13:08:54 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 21:25:45 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-01 07:12:35 0 ----a-w C:\WINDOWS\system32\SBRC.dat
2007-05-01 07:12:35 0 ----a-w C:\WINDOWS\system32\SBFC.dat
2007-04-28 10:14:14 81,920 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\ezpinst.exe
2007-04-28 10:14:14 47,360 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\pcouffin.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}]
C:\Program Files\SpyCatcher\SCActiveBlock.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e776c98-065b-4db8-a818-c2b1faeda817}]
2007-07-02 08:34 92818 --a------ C:\WINDOWS\system32\dvdlib.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 08:29 C:\WINDOWS\agrsmmsg.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 20:43 C:\WINDOWS\Alcmtr.exe]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 10:13]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-12-01 06:25]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-06 08:02]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-12 09:03 C:\WINDOWS\system32\TDispVol.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 18:02]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 17:36]
"TPSMain"="TPSMain.exe" [2005-05-31 21:00 C:\WINDOWS\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" []
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 11:47]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 15:59]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-24 08:21]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-05-01 01:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 18:32]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 12:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-04-14 06:51]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 22:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dvdlib]
dvdlib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli psqlpwd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f9f8e42-d992-11db-b6de-0018de4bc76b}]
AutoRun\command- E:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
2007-07-08 00:08:07 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 10:16:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-08 10:17:10
C:\ComboFix-quarantined-files.txt ... 2007-07-08 10:16
C:\ComboFix2.txt ... 2007-07-07 19:51

--- E O F ---


HJT
Logfile of HijackThis v1.99.1
Scan saved at 10:18:03 AM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Christopher Allen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4barsrest.com/downunder/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {4e776c98-065b-4db8-a818-c2b1faeda817} - C:\WINDOWS\system32\dvdlib.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dvdlib - C:\WINDOWS\SYSTEM32\dvdlib.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
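An added example, not code from the thread, from HijackThis or from BleepingComputer: a small Python triage pass over the kinds of entries the helper picks out of a log like the one above (orphaned "(file missing)" entries, Winlogon Notify DLLs that are not part of a stock XP install, autorun commands with no path). The sample entries are copied from the posted log; the Winlogon Notify allowlist is a constructed, deliberately short list.

```python
"""Triage a HijackThis 1.99 log the way the helper in this thread does.

Added example: not code from the thread, from HijackThis or from
BleepingComputer. The sample entries are copied from the log posted
above; the Winlogon Notify allowlist is a constructed, deliberately short
list for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied verbatim from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: dvdlib - C:\WINDOWS\SYSTEM32\dvdlib.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
""".strip().splitlines()

# Assumption: a short allowlist of Winlogon Notify DLLs normally present on
# Windows XP SP2. Any other DLL here is loaded into winlogon.exe at every
# logon, which is why dvdlib.dll was the first file sent to VirusTotal.
KNOWN_WINLOGON_NOTIFY = {
    "wgalogon.dll", "crypt32chain.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "termsrv.dll",
}

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # O<n> - <kind>: <rest>
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe))', re.IGNORECASE)
RUN_RE = re.compile(r"^\[[^\]]*\]\s*(.*)$")                  # [name] <command>


@dataclass
class Finding:
    section: str   # O2, O4, O20, O23, ...
    reason: str
    line: str


def triage(lines):
    """Return the entries an analyst should look at first, in log order."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        # Orphaned entries: the registry still points at a file that is gone.
        # A scanner that deleted the file, or a half-removed product such as
        # SpyCatcher here, leaves these behind; they are safe to fix.
        if "(file missing)" in rest or "(no file)" in rest:
            findings.append(Finding(section, "references a missing file", line))
        elif section == "O20":
            path = PATH_RE.search(rest)
            name = path.group(1).rsplit("\\", 1)[-1].lower() if path else ""
            if name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, "Winlogon Notify DLL not in allowlist; scan it", line))
        elif section == "O4" and kind.endswith("Run"):
            run = RUN_RE.match(rest)
            # A bare file name is resolved through the search path at boot,
            # so the entry cannot be checked until the file is located.
            if run and "\\" not in run.group(1):
                findings.append(Finding(section, "autorun command has no full path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.line}")
```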

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 07 July 2007 - 07:50 PM

Hi Stick-man,

You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\SYSTEM32\dvdlib.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following files:

C:\WINDOWS\system32\archlib.dll
C:\WINDOWS\system32\mljge.exe
C:\WINDOWS\system32\mljji.exe
C:\WINDOWS\system32\kbdhta.dll
C:\WINDOWS\system32\vturo.exe


Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Stick-man

Stick-man
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Queensland, AUS
  • Local time:12:14 PM

Posted 07 July 2007 - 09:18 PM

Antivirus Version Update Result
AhnLab-V3 2007.7.7.0 07.06.2007 no virus found
AntiVir 7.4.0.39 07.07.2007 no virus found
Authentium 4.93.8 07.07.2007 no virus found
Avast 4.7.997.0 07.06.2007 no virus found
AVG 7.5.0.476 07.07.2007 no virus found
BitDefender 7.2 07.08.2007 no virus found
CAT-QuickHeal 9.00 07.07.2007 no virus found
ClamAV devel-20070416 07.07.2007 no virus found
DrWeb 4.33 07.07.2007 no virus found
eSafe 7.0.15.0 07.06.2007 no virus found
eTrust-Vet 30.8.3769 07.07.2007 no virus found
Ewido 4.0 07.07.2007 no virus found
FileAdvisor 1 07.08.2007 no virus found
Fortinet 2.91.0.0 07.08.2007 no virus found
F-Prot 4.3.2.48 07.06.2007 no virus found
F-Secure 6.70.13260.0 07.07.2007 no virus found
Ikarus T3.1.1.8 07.07.2007 no virus found
Kaspersky 4.0.2.24 07.08.2007 no virus found
McAfee 5069 07.06.2007 no virus found
Microsoft 1.2704 07.07.2007 no virus found
NOD32v2 2383 07.06.2007 no virus found
Norman 5.80.02 07.06.2007 no virus found
Panda 9.0.0.4 07.07.2007 Suspicious file
Sophos 4.19.0 07.06.2007 no virus found
Sunbelt 2.2.907.0 07.07.2007 VIPRE.Suspicious
Symantec 10 07.08.2007 no virus found
TheHacker 6.1.6.143 07.05.2007 no virus found
VBA32 3.12.0.2 07.07.2007 no virus found
VirusBuster 4.3.23:9 07.07.2007 no virus found
Webwasher-Gateway 6.0.1 07.07.2007 Win32.Malware.gen (suspicious)


Aditional Information
File size: 92818 bytes
MD5: 4a0ebf940ba7e4b4dd782d090fa5ec71
SHA1: 2fad4bb597701f4780de7a14fcffbadaeb5e564e
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

STATUS: FINISHED

Complete scanning result of "archlib.dll", received in VirusTotal at 07.08.2007, 03:29:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.7.0 07.06.2007 no virus found
AntiVir 7.4.0.39 07.07.2007 no virus found
Authentium 4.93.8 07.07.2007 no virus found
Avast 4.7.997.0 07.06.2007 no virus found
AVG 7.5.0.476 07.07.2007 no virus found
BitDefender 7.2 07.08.2007 no virus found
CAT-QuickHeal 9.00 07.07.2007 no virus found
ClamAV devel-20070416 07.07.2007 no virus found
DrWeb 4.33 07.07.2007 no virus found
eSafe 7.0.15.0 07.06.2007 no virus found
eTrust-Vet 30.8.3769 07.07.2007 no virus found
Ewido 4.0 07.07.2007 no virus found
FileAdvisor 1 07.08.2007 no virus found
Fortinet 2.91.0.0 07.08.2007 no virus found
F-Prot 4.3.2.48 07.06.2007 no virus found
Ikarus T3.1.1.8 07.07.2007 no virus found
Kaspersky 4.0.2.24 07.08.2007 no virus found
McAfee 5069 07.06.2007 no virus found
Microsoft 1.2704 07.07.2007 no virus found
NOD32v2 2383 07.06.2007 no virus found
Norman 5.80.02 07.06.2007 no virus found
Panda 9.0.0.4 07.07.2007 no virus found
Sophos 4.19.0 07.06.2007 no virus found
Sunbelt 2.2.907.0 07.07.2007 no virus found
Symantec 10 07.08.2007 no virus found
TheHacker 6.1.6.143 07.05.2007 no virus found
VBA32 3.12.0.2 07.07.2007 no virus found
VirusBuster 4.3.23:9 07.07.2007 no virus found
Webwasher-Gateway 6.0.1 07.07.2007 no virus found


STATUS: FINISHED

Complete scanning result of "mljge.exe", received in VirusTotal at 07.08.2007, 03:45:17 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.7.0 07.06.2007 no virus found
AntiVir 7.4.0.39 07.07.2007 no virus found
Authentium 4.93.8 07.07.2007 no virus found
Avast 4.7.997.0 07.06.2007 no virus found
AVG 7.5.0.476 07.07.2007 no virus found
BitDefender 7.2 07.08.2007 no virus found
CAT-QuickHeal 9.00 07.07.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.07.2007 no virus found
DrWeb 4.33 07.07.2007 no virus found
eSafe 7.0.15.0 07.06.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3769 07.07.2007 no virus found
Ewido 4.0 07.07.2007 no virus found
FileAdvisor 1 07.08.2007 no virus found
Fortinet 2.91.0.0 07.08.2007 no virus found
F-Prot 4.3.2.48 07.06.2007 no virus found
Ikarus T3.1.1.8 07.07.2007 no virus found
Kaspersky 4.0.2.24 07.08.2007 no virus found
McAfee 5069 07.06.2007 no virus found
Microsoft 1.2704 07.08.2007 no virus found
NOD32v2 2383 07.06.2007 no virus found
Norman 5.80.02 07.06.2007 no virus found
Panda 9.0.0.4 07.07.2007 Suspicious file
Sophos 4.19.0 07.06.2007 no virus found
Sunbelt 2.2.907.0 07.07.2007 VIPRE.Suspicious
Symantec 10 07.08.2007 no virus found
TheHacker 6.1.6.143 07.05.2007 no virus found
VBA32 3.12.0.2 07.07.2007 no virus found
VirusBuster 4.3.23:9 07.07.2007 no virus found
Webwasher-Gateway 6.0.1 07.08.2007 Win32.Malware.gen (suspicious)


Aditional Information
File size: 105451 bytes
MD5: 4dd388db7518c803cb61be1d1431bc58




the next file is in the queue for 2 hours......

#9 SifuMike

Posted 07 July 2007 - 09:22 PM

Sorry to hear the queue is so long.
Are you still getting popups?

Edited by SifuMike, 07 July 2007 - 09:22 PM.


#10 Stick-man

Posted 07 July 2007 - 09:26 PM

I honestly thought that after what the AVG spycatcher and virus checkers pulled out this morning, all would start looking good, but the WinAntivirus warning buttons got really fierce just after the last combofix.

#11 SifuMike

Posted 07 July 2007 - 09:30 PM

That means one or several of the suspicious files is the culprit. When we have the results from Virus Total we will begin the removal process. :thumbsup:

Are you emailing the files to VirusTotal?

Edited by SifuMike, 07 July 2007 - 09:32 PM.


#12 Stick-man

Posted 07 July 2007 - 09:35 PM

I emailed the remaining files just a minute ago; I decided it may be quicker.

#13 SifuMike

Posted 07 July 2007 - 10:25 PM

Good choice. That is what I always do and it is far quicker.

#14 Stick-man

Posted 08 July 2007 - 05:22 AM

Complete scanning result of "vturo.exe", processed in VirusTotal at 07/08/2007 09:16:09 (CET).

[ file data ]
* name: vturo.exe
* size: 105396
* md5.: b11eee14628b5f812a2c4f1d90c5fb7b
* sha1: 058d6268ad9eb1a5f78dfd34b812d7312eb169f1

[ scan result ]
AhnLab-V3 2007.7.7.0/20070706 found nothing
AntiVir 7.4.0.39/20070707 found nothing
Authentium 4.93.8/20070707 found nothing
Avast 4.7.997.0/20070706 found nothing
AVG 7.5.0.476/20070707 found nothing
BitDefender 7.2/20070708 found nothing
CAT-QuickHeal 9.00/20070707 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070707 found nothing
DrWeb 4.33/20070707 found nothing
eSafe 7.0.15.0/20070706 found [suspicious Trojan/Worm]
eTrust-Vet 30.8.3769/20070707 found nothing
Ewido 4.0/20070707 found nothing
F-Prot 4.3.2.48/20070706 found nothing
F-Secure 6.70.13260.0/20070707 found nothing
FileAdvisor 1/20070708 found nothing
Fortinet 2.91.0.0/20070708 found nothing
Ikarus T3.1.1.8/20070708 found nothing
Kaspersky 4.0.2.24/20070708 found nothing
McAfee 5069/20070706 found nothing
Microsoft 1.2704/20070708 found nothing
NOD32v2 2384/20070708 found nothing
Norman 5.80.02/20070706 found nothing
Panda 9.0.0.4/20070707 found [Suspicious file]
Sophos 4.19.0/20070706 found nothing
Sunbelt 2.2.907.0/20070707 found [VIPRE.Suspicious]
Symantec 10/20070708 found nothing
TheHacker 6.1.6.143/20070705 found nothing
VBA32 3.12.0.2/20070707 found nothing
VirusBuster 4.3.23:9/20070707 found nothing
Webwasher-Gateway 6.0.1/20070708 found [Win32.Malware.gen (suspicious)]

[ notes ]
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.



Complete scanning result of "mljji.exe", processed in VirusTotal at 07/08/2007 09:16:09 (CET).

[ file data ]
* name: mljji.exe
* size: 105456
* md5.: ff54f468ae8168a591391aa0b83809a2
* sha1: d35d6c713da48789630929f4917ec78bb9c4008a

[ scan result ]
AhnLab-V3 2007.7.7.0/20070706 found nothing
AntiVir 7.4.0.39/20070707 found [HEUR/Crypted]
Authentium 4.93.8/20070707 found nothing
Avast 4.7.997.0/20070706 found nothing
AVG 7.5.0.476/20070707 found nothing
BitDefender 7.2/20070708 found nothing
CAT-QuickHeal 9.00/20070707 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070707 found nothing
DrWeb 4.33/20070707 found nothing
eSafe 7.0.15.0/20070706 found [suspicious Trojan/Worm]
eTrust-Vet 30.8.3769/20070707 found nothing
Ewido 4.0/20070707 found nothing
F-Prot 4.3.2.48/20070706 found nothing
F-Secure 6.70.13260.0/20070707 found nothing
FileAdvisor 1/20070708 found nothing
Fortinet 2.91.0.0/20070708 found nothing
Ikarus T3.1.1.8/20070708 found nothing
Kaspersky 4.0.2.24/20070708 found nothing
McAfee 5069/20070706 found nothing
Microsoft 1.2704/20070708 found nothing
NOD32v2 2384/20070708 found nothing
Norman 5.80.02/20070706 found nothing
Panda 9.0.0.4/20070707 found [Suspicious file]
Sophos 4.19.0/20070706 found nothing
Sunbelt 2.2.907.0/20070707 found [VIPRE.Suspicious]
Symantec 10/20070708 found nothing
TheHacker 6.1.6.143/20070705 found nothing
VBA32 3.12.0.2/20070707 found nothing
VirusBuster 4.3.23:9/20070707 found nothing
Webwasher-Gateway 6.0.1/20070708 found [Heuristic.Crypted]

[ notes ]
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


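An added example, not the thread's or VirusTotal's code: a parser for the two VirusTotal result layouts pasted in this thread (the web-form layout in post #8, "engine version mm.dd.yyyy result", and the e-mail layout above, "engine version/yyyymmdd found ..."), with a summary that separates heuristic or generic verdicts from named detections. The excerpts are copied from the posted results; the heuristic keyword list is a constructed assumption.

```python
"""Parse the two VirusTotal result layouts pasted in this thread.

Added example, not code from the thread or from VirusTotal. The excerpts
are copied from the results posted above; HEURISTIC_WORDS is a constructed
list for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the web-form layout: "<engine> <version> <mm.dd.yyyy> <result>"
WEB_EXCERPT = """\
AhnLab-V3 2007.7.7.0 07.06.2007 no virus found
CAT-QuickHeal 9.00 07.07.2007 (Suspicious) - DNAScan
eSafe 7.0.15.0 07.06.2007 suspicious Trojan/Worm
Kaspersky 4.0.2.24 07.08.2007 no virus found
Panda 9.0.0.4 07.07.2007 Suspicious file
Sunbelt 2.2.907.0 07.07.2007 VIPRE.Suspicious
VirusBuster 4.3.23:9 07.07.2007 no virus found
Webwasher-Gateway 6.0.1 07.08.2007 Win32.Malware.gen (suspicious)
"""

# Excerpt of the e-mail layout: "<engine> <version>/<yyyymmdd> found nothing|[<result>]"
MAIL_EXCERPT = """\
AhnLab-V3 2007.7.7.0/20070706 found nothing
AntiVir 7.4.0.39/20070707 found [HEUR/Crypted]
CAT-QuickHeal 9.00/20070707 found [(Suspicious) - DNAScan]
eSafe 7.0.15.0/20070706 found [suspicious Trojan/Worm]
Kaspersky 4.0.2.24/20070708 found nothing
Panda 9.0.0.4/20070707 found [Suspicious file]
Sunbelt 2.2.907.0/20070707 found [VIPRE.Suspicious]
Webwasher-Gateway 6.0.1/20070708 found [Heuristic.Crypted]
"""

WEB_RE = re.compile(r"^(\S+) (\S+) (\d\d\.\d\d\.\d{4}) (.+)$")
MAIL_RE = re.compile(r"^(\S+) (\S+)/(\d{8}) found (?:(nothing)|\[(.+)\])$")
# Assumption: substrings that mark a generic/heuristic verdict rather than
# a named family. Such hits say "looks packed or odd", not "known malware".
HEURISTIC_WORDS = ("suspicious", "heur", "generic", "malware.gen", "dnascan")


@dataclass
class Verdict:
    engine: str
    signature_date: str        # yyyymmdd, normalised across both layouts
    result: Optional[str]      # None when the engine found nothing


def parse(text):
    """Return one Verdict per engine line; header and blank lines are skipped."""
    verdicts = []
    for line in text.splitlines():
        line = line.strip()
        m = MAIL_RE.match(line)
        if m:
            engine, _ver, date, nothing, result = m.groups()
            verdicts.append(Verdict(engine, date, None if nothing else result))
            continue
        m = WEB_RE.match(line)
        if m:
            engine, _ver, date, result = m.groups()
            mo, d, y = date.split(".")   # web layout dates are month-first
            verdicts.append(Verdict(engine, y + mo + d, None if result == "no virus found" else result))
    return verdicts


def is_heuristic(result):
    return any(w in result.lower() for w in HEURISTIC_WORDS)


def summarize(verdicts):
    """Detection count and whether every hit is only a heuristic/generic verdict."""
    hits = [v for v in verdicts if v.result is not None]
    return {
        "engines": len(verdicts),
        "detections": len(hits),
        "heuristic_only": bool(hits) and all(is_heuristic(v.result) for v in hits),
        "by_engine": {v.engine: v.result for v in hits},
    }
```

A low ratio made up entirely of heuristic verdicts, as for the files here, is weak evidence on its own; combined with where the helper found them (random-looking names in system32, a Winlogon Notify hook) it is enough to move them out of the way.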

#15 SifuMike

Posted 08 July 2007 - 08:50 AM

Hi Stick-man,

You will have to disable your registry protectors before using Hijackthis, as they will prevent the fixes from working.

To disable Spybot's Teatimer:

Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable Windows Defender
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender. After all of the fixes are complete it is very important that you enable Real-time Protection again.

Having two or more registry protectors will slow your computer. You can install one registry protector (your choice) when we are finished using Hijackthis.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE



These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources.)

*******************************************


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\byyyvs.dll
    C:\WINDOWS\mlmkhh.dll
    C:\WINDOWS\system32\pmkjk.exe
    C:\WINDOWS\khihff.dll
    C:\WINDOWS\system32\mljge.exe
    C:\WINDOWS\system32\mljji.exe
    C:\WINDOWS\system32\kbdhta.dll
    C:\WINDOWS\system32\vturo.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to Normal Mode, post the OTMoveIt log and a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 08 July 2007 - 08:51 AM.




