
Trojan - Hijackthis Log - Svshost.exe


14 replies to this topic

#1 Belizean

Belizean

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 09 July 2007 - 11:04 AM

Hi, I've received great help from you guys before. I noticed svshost.exe running but I'm not sure what else it has brought into my system, considering it's a Trojan I believe; the PC has been disconnected from the network and internet to stop it from doing more harm than it probably has done already.
HijackThis log follows.

Thanks!

(Moderator edit: log post moved to Team Forum for review and Member help. jgweed)

Logfile of HijackThis v1.99.1
Scan saved at 4:07:06 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Perception\Secura Backup\securasvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\svshost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\Program Files\SetPoint\SetPoint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Axel.BHCSERVER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 74.52.238.242 www.bennys.bz
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {527996C1-34AD-4421-AE98-D39B82B535BA} (SonySncMMDetection Control) - http://10.10.1.156:9001/adm/SonySncMMDetection.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1180665725573
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\Software\..\Telephony: DomainName = bennys.bz
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5E540B7-2C33-4179-8C10-556C7576DDDA}: NameServer = 10.10.1.1,200.32.248.1,200.32.218.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bennys.bz
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuraService - Unknown owner - C:\Program Files\Perception\Secura Backup\securasvc.exe

Edited by jgweed, 09 July 2007 - 11:09 AM.




#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 09 July 2007 - 11:24 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Belizean :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in the bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck the 'TeaTimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

If you find you're experiencing problems disabling Spybot's TeaTimer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

------------------------------------------

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up KillBox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\svshost.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

------------------------------------------

You are using Download Accelerator Plus - DAP.
Be informed that it delivers popup/popunder ads, and tracks your internet usage.
You can find safer alternatives here:
http://www.spywareinfo.com/downloads.php?cat=dlman#dlman
I strongly suggest you remove this program.
If you agree, go to Start > Control Panel > Add/Remove Programs and remove 'Download Accelerator Plus' if present, then reboot.

------------------------------------------

Please download ComboFix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a new HijackThis log please.
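What the helper above spotted in the first log is a classic triage pattern: two O4 entries (Run and RunServices) labelled "Microsoft Updates" that launch a bare svshost.exe, a name one letter away from the legitimate svchost.exe, plus an O1 Hosts override worth a look. The script below is an added example, not part of this thread and not HijackThis code; it encodes that triage as detection logic over a few constructed O1/O4 lines written in HijackThis format. The list of Windows binary names it compares against is an assumption for the example, and the severities are the author's own.

```python
"""Triage of HijackThis-style O1/O4 log lines (added example, not from the thread)."""
import re

# Core Windows binaries whose names malware commonly imitates.
# Assumption for this example; a real triage list would be longer.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe", "ctfmon.exe",
}

# Constructed sample modelled on the log in the first post (HijackThis O1/O4 format).
SAMPLE_LOG = r"""
O1 - Hosts: 74.52.238.242 www.bennys.bz
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
# First quoted or unquoted executable in a command line, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|pif|bat|cmd|dll))"?(?=\s|$)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (substitution, insertion, deletion each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the system binary `name` imitates (within 2 edits), or None if it is
    either a genuine system binary or not close to any of them."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    nearest = min(KNOWN_SYSTEM_BINARIES, key=lambda k: edit_distance(name, k))
    return nearest if edit_distance(name, nearest) <= 2 else None


def executable_of(cmd: str):
    """Split an O4 command into (path as written, lowercase basename); None if no executable."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    path = m.group("path")
    return path, path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def finding(severity, rule, detail, line):
    return {"severity": severity, "rule": rule, "detail": detail, "line": line}


def triage(log_text: str):
    """Run the three checks over every O1/O4 line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m1 = O1_RE.match(line)
        if m1:  # any Hosts override deserves a look, whether or not it is malicious
            findings.append(finding("medium", "hosts-override",
                                    f"{m1['host']} pinned to {m1['ip']}", line))
            continue
        m4 = O4_RE.match(line)
        if not m4:
            continue
        exe = executable_of(m4["cmd"])
        if exe is None:
            continue
        path, name = exe
        target = lookalike(name)
        if target:  # e.g. svshost.exe vs svchost.exe
            findings.append(finding("high", "lookalike-binary", f"{name} resembles {target}", line))
        elif "\\" not in path and name not in KNOWN_SYSTEM_BINARIES:
            # Bare filenames resolve via the search path; legitimate but worth confirming.
            findings.append(finding("low", "unpathed-executable", f"{name} given without a path", line))
        if m4["key"].lower().endswith("runservices"):
            # RunServices is rarely used by current legitimate software; common in old malware.
            findings.append(finding("medium", "runservices-persistence", f"{name} in RunServices", line))
    return findings


def severity_counts(findings):
    return {s: sum(1 for f in findings if f["severity"] == s) for s in ("high", "medium", "low")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['detail']}")
        print(f"         {f['line']}")
```

The point of the three-tier output is that a look-alike name is near-certain, a RunServices or Hosts entry is a prompt to check, and an unpathed filename is mostly noise (CTHELPER.EXE in the sample is legitimate) that only matters in combination with the other flags.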

#3 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 09 July 2007 - 12:29 PM

COMBOFIX LOG

"Axel" - 2007-07-09 10:56:08 - ComboFix 07-07-09.7 - Service Pack 2

ADS removed - system32: deleted 12 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-09 10:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-09 10:49 <DIR> d-------- C:\!KillBox
2007-07-05 17:59 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-04 18:39 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-04 18:37 <DIR> d-------- C:\DOCUME~1\AXEL~1.BHC\.housecall6.6
2007-07-04 17:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-04 14:18 786,432 --ah----- C:\DOCUME~1\ADMINI~1.BEN\NTUSER.DAT
2007-07-04 11:14 <DIR> d-------- C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\dvdcss
2007-07-04 10:31 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-07-04 10:31 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-07-04 10:31 <DIR> d-------- C:\Program Files\Xilisoft
2007-07-04 10:21 <DIR> d-------- C:\Xilisoft DVD Audio Ripper v4.5.37.8213
2007-07-03 18:25 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-07-03 17:22 <DIR> d-------- C:\Ass
2007-07-03 16:57 <DIR> d-------- C:\Snort
2007-07-03 16:37 <DIR> d-------- C:\snort-2.6.1.5
2007-06-12 12:07 <DIR> d-------- C:\recoery
2007-06-12 08:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-06-12 08:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-11 11:47 <DIR> d-------- C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\Yahoo!
2007-06-11 08:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 17:00:05 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2007-07-09 17:00:05 288 ----a-w C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2007-07-05 23:17:50 -------- d-----w C:\Program Files\CommView
2007-07-04 15:54:28 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\uTorrent
2007-07-04 00:11:50 -------- d-----w C:\Program Files\MySpace
2007-07-04 00:08:48 -------- d-----w C:\Program Files\HiDownload
2007-07-03 20:41:31 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\U3
2007-06-26 14:35:59 -------- d-----w C:\Program Files\Comcash 8.0
2007-06-26 14:31:41 -------- d-----w C:\Program Files\NET Traffic Meter
2007-06-18 19:34:57 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\FrostWire
2007-06-12 14:55:49 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\Apple Computer
2007-06-12 14:25:41 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\nView_Wallpaper
2007-06-01 02:47:37 -------- d-----w C:\Program Files\MSXML 6.0
2007-06-01 02:34:21 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-30 18:08:11 -------- d-----w C:\Program Files\Screen Recorder
2007-05-16 22:21:24 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\MySpace
2007-05-16 18:15:36 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\Secura
2007-05-16 16:44:55 417,792 ----a-w C:\WINDOWS\rapidui.exe
2007-05-16 16:44:55 -------- d-----w C:\Program Files\Perception
2007-05-16 16:13:02 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 18:40:25 -------- d-----w C:\Program Files\Visioneer OneTouch
2007-05-15 18:25:21 -------- d-----w C:\DOCUME~1\AXEL~1.BHC\APPLIC~1\AdobeUM
2007-05-09 16:03:37 -------- d-----w C:\Program Files\Google
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 04:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-03-30 18:00:37 129,817 --sha-r C:\WINDOWS\system32\opeA6.exe
2007-03-30 18:00:47 129,817 --sha-r C:\WINDOWS\system32\opeA8.exe
2007-03-30 18:02:47 131,247 --sha-r C:\WINDOWS\system32\opeB1.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2007-03-20 15:39 803864 --a------ C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02DCA195-602B-4B1F-83FF-381B7E804BDB}]
2003-03-27 06:37 208896 --a------ C:\WINDOWS\system32\HDBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-07-26 03:17 434279 --a------ C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-03-02 12:25 2403392 -ra------ c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-12-18 04:18 231160 --a------ C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-04-03 19:31 324536 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-10-31 21:24 C:\WINDOWS\system32\nwiz.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 04:00 C:\WINDOWS\system32\regsvr32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 17:38 C:\WINDOWS\KHALMNPR.Exe]
"Logitech BT Wizard"="LBTWiz.exe" []
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"Microsoft Updates"="svshost.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 19:31]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Updates"=svshost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Axel.BHCSERVER^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Axel.BHCSERVER\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b48c5868-54b2-11db-a991-000cf1fac75c}]
AutoRun\command- K:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe


Contents of the 'Scheduled Tasks' folder
2007-07-02 22:36:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-12-28 16:31:06 C:\WINDOWS\tasks\LOGINquiry4 Task.job
2006-12-28 16:31:06 C:\WINDOWS\tasks\LOGINsert4 Task.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 11:01:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 11:03:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-09 11:03

--- E O F ---

#4 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 09 July 2007 - 12:30 PM

HIJACKTHIS LOG


Logfile of HijackThis v1.99.1
Scan saved at 11:22, on 2007-07-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Perception\Secura Backup\securasvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Documents and Settings\Axel.BHCSERVER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {527996C1-34AD-4421-AE98-D39B82B535BA} (SonySncMMDetection Control) - http://10.10.1.156:9001/adm/SonySncMMDetection.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1180665725573
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\Software\..\Telephony: DomainName = bennys.bz
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5E540B7-2C33-4179-8C10-556C7576DDDA}: NameServer = 10.10.1.1,200.32.248.1,200.32.218.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bennys.bz
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuraService - Unknown owner - C:\Program Files\Perception\Secura Backup\securasvc.exe

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 09 July 2007 - 02:31 PM

Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\rapidui.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

-------------------------------------

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)


-------------------------------------

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\opeA6.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\opeA6.exe
Then click on 'Send'.
Post the results into your next reply.

Then do exactly the same with the following two files:
C:\WINDOWS\system32\opeA8.exe
C:\WINDOWS\system32\opeB1.exe

Also post a new Hijackthis log please.
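The two entries RichieUK singles out above are the thread's key indicator: a Run value named "Microsoft Updates" that launches svshost.exe, a name one character off the genuine svchost.exe, from both the Run key and the legacy RunServices key. The following Python script is an added example, not part of this thread and not part of HijackThis, that triages the O4 lines of a HijackThis log for exactly those patterns: one-character lookalikes of system binary names, genuine system binary names launched from a Run key outside system32, use of RunServices, and Microsoft-branded value names whose image does not live under the Windows directory. The sample lines are copied from the log posted in this thread; the list of system binary names and the rule thresholds are my own assumptions.

```python
import re
from typing import Dict, List, Optional

# Windows XP system executables whose names malware likes to imitate
# (svshost.exe in the log above is one character away from svchost.exe).
# Assumption: this short list is my own; extend it for the OS you triage.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "spoolsv.exe",
}

# HijackThis O4 format:  O4 - HKLM\..\Run: [value name] command line
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once|Services|ServicesOnce)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Updates] svshost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svshost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the classic one-letter typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    """Image path from a Run-key command line: the quoted part, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0] if cmd else ""


def triage_o4(line: str) -> Optional[List[str]]:
    """Findings for one O4 line: [] if nothing stands out, None if it is not an O4 line."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    findings: List[str] = []
    exe = executable_of(m["cmd"])
    base = exe.rsplit("\\", 1)[-1].lower()
    exe_lower = exe.lower()
    absolute = len(exe) > 2 and exe[1] == ":"  # C:\... style path

    # Rule 1: name one edit away from a real system binary, but not the real name.
    if base not in SYSTEM_BINARIES:
        for real in sorted(SYSTEM_BINARIES):
            if edit_distance(base, real) == 1:
                findings.append(f"{base} is one character away from {real} (lookalike)")
                break
    # Rule 2: a genuine system-binary name in a Run key. The real ones are started by
    # the session manager / SCM, not by Run keys, so flag it unless it at least lives in system32.
    elif not (absolute and "\\system32\\" in exe_lower):
        findings.append(f"{base} carries a system-binary name but is not launched from system32")

    # Rule 3: RunServices is a Windows 9x-era key; software written for XP has little reason to use it.
    if m["key"].startswith("RunServices"):
        findings.append(f"uses legacy {m['hive']}\\..\\{m['key']} key")

    # Rule 4: Microsoft branding in the value name while the image is not under the Windows directory.
    if "microsoft" in m["name"].lower() and "\\windows\\" not in exe_lower:
        findings.append(f"value name '{m['name']}' claims Microsoft origin but the image is {exe or '(none)'}")
    return findings


def triage_log(log_text: str) -> Dict[str, List[str]]:
    """Map each O4 line that raised at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        findings = triage_o4(raw)
        if findings:
            report[raw.strip()] = findings
    return report


if __name__ == "__main__":
    for entry, notes in triage_log(SAMPLE_O4_LINES).items():
        print(entry)
        for note in notes:
            print("   ->", note)
```

Run against the sample, the script flags only the two "Microsoft Updates" lines and leaves the legitimate bare-filename entries (nwiz.exe, CTHELPER.EXE, REGSVR32.EXE) alone, which is the point of matching on lookalike names and key choice rather than on "no full path": plenty of vendor software registers unqualified filenames. The rules cover O4 only; O2 BHOs and O23 services would need their own checks (for instance the "(no file)" BHO that RichieUK also has fixed).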

#6 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 09 July 2007 - 02:58 PM

VirusTotal scan log for opeA6.exe; the rest are currently being scanned.



AntiVir 7.4.0.39 07.09.2007 TR/RcomSteal.B
Avast 4.7.997.0 07.09.2007 Win32:Delf-DLH
eSafe 7.0.15.0 07.08.2007 Suspicious Trojan/Worm
Ewido 4.0 07.09.2007 Dropper.Agent.aaq
Ikarus T3.1.1.8 07.09.2007 Backdoor.Win32.Hupigon.gs
McAfee 5070 07.09.2007 New Malware.cj
Panda 9.0.0.4 07.09.2007 Trj/RcomSteal.B
Sunbelt 2.2.907.0 07.07.2007 Trojan-Downloader.Gen
Symantec 10 07.09.2007 Downloader
Webwasher-Gateway 07.09.2007 Trojan.RcomSteal.B

File size: 129817 bytes
MD5: 5334ef6e1d87b7f31d581c7ee68cacfc
SHA1: bb1015283cb6923f62757684f0c15e769760329b
Sunbelt info: Trojan-Downloader.Gen is a group of Trojan Downloaders which install download and install multiple unwanted applications of adware and malware from remote servers.

#7 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 09 July 2007 - 03:07 PM

Scan for opeA8.exe


AntiVir 7.4.0.39 07.09.2007 TR/RcomSteal.B
Avast 4.7.997.0 07.09.2007 Win32:Delf-DLH
eSafe 7.0.15.0 07.08.2007 Suspicious Trojan/Worm
Ewido 4.0 07.09.2007 Dropper.Agent.aaq
Ikarus T3.1.1.8 07.09.2007 Backdoor.Win32.Hupigon.gs
McAfee 5070 07.09.2007 New Malware.cj
Panda 9.0.0.4 07.09.2007 Trj/RcomSteal.B
Sunbelt 2.2.907.0 07.07.2007 Trojan-Downloader.Gen
Symantec 10 07.09.2007 Downloader
Webwasher-Gatewa 07.09.2007 Trojan.RcomSteal.B


File size: 129817 bytes
MD5: 5334ef6e1d87b7f31d581c7ee68cacfc
SHA1: bb1015283cb6923f62757684f0c15e769760329b
Sunbelt info: Trojan-Downloader.Gen is a group of Trojan Downloaders which install download and install multiple unwanted applications of adware and malware from remote servers.

#8 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 09 July 2007 - 03:18 PM

Scan for opeB1.exe


AntiVir 7.4.0.39 07.09.2007 TR/Spy.Agent.98893
Avast 4.7.997.0 07.09.2007 Win32:Delf-DLH
eSafe 7.0.15.0 07.08.2007 Suspicious Trojan/Worm
Ewido 4.0 07.09.2007 Dropper.Agent.aaq
Ikarus T3.1.1.8 07.09.2007 Backdoor.Win32.Hupigon.gs
Panda 9.0.0.4 07.09.2007 Suspicious file
Webwasher-Gateway 6.0.1 07.09.2007 Trojan.Spy.Agent.98893

File size: 131247 bytes
MD5: bdf2250cee65b1197fee2ced4d84473f
SHA1: 47a7507ce54937d8e38057648c2598ee2368a1d2

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 09 July 2007 - 03:31 PM

Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\opeA6.exe
C:\WINDOWS\system32\opeA8.exe
C:\WINDOWS\system32\opeB1.exe


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

Also post a new Hijackthis log.
Let me know how your pc is running now.

Edited by RichieUK, 09 July 2007 - 03:32 PM.


#10 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 09 July 2007 - 04:42 PM

Hijackthis log

I'm not sure if I'm just being paranoid, but I'm watching my network connection and it seems to be active, without any major programs being run.

I just exited Kaspersky antivirus and immediately the bytes stopped flowing!
I've never seen Kaspersky so active, and I checked: it was not running an update at the time.
Can it be the program has been compromised?



Logfile of HijackThis v1.99.1
Scan saved at 15:34, on 2007-07-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Perception\Secura Backup\securasvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Documents and Settings\Axel.BHCSERVER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {527996C1-34AD-4421-AE98-D39B82B535BA} (SonySncMMDetection Control) - http://10.10.1.156:9001/adm/SonySncMMDetection.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1180665725573
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\Software\..\Telephony: DomainName = bennys.bz
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5E540B7-2C33-4179-8C10-556C7576DDDA}: NameServer = 10.10.1.1,200.32.248.1,200.32.218.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bennys.bz
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuraService - Unknown owner - C:\Program Files\Perception\Secura Backup\securasvc.exe

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 09 July 2007 - 05:27 PM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-------------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

-------------------------------------------------------

Download and scan with the free 15-day trial of CounterSpy V2.
Save the report when it's finished:
1. Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under 'Recommended Action', using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

#12 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 10 July 2007 - 11:30 AM

COUNTERSPY LOG:

After I ran CounterSpy and ATF-Cleaner, all the activity I was noticing before came to a halt... finally!!!



Scan History Details
Start Date: 2007-07-10 14:37:58
End Date: 2007-07-10 15:54:21
Total Time: 76 Min 23 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\axel.bhcserver\cookies\axel@atdmt[1].txt
c:\documents and settings\axel.bhcserver\cookies\axel@atdmt[2].txt


Cookie: PointRoll.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\axel.bhcserver\cookies\axel@ads.pointroll[2].txt


Trojan-Downloader.Gen Trojan Downloader more information...
Details: Trojan-Downloader.Gen is a group of Trojan Downloaders which install download and install multiple unwanted applications of adware and malware from remote servers.
Status: Deleted

Files detected
C:\!KillBox\opeA6.exe
C:\!KillBox\opeA8.exe


CoolOnlineOffers.ScreenSaver Adware Bundler more information...
Details: CoolOnlineOffers.ScreenSaver is a program which delivers advertisiment on you computer depending on your surfing behaviour.

Files detected
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\b28.4314AA7901C7C2FF.history\00000001.bak


PartyPoker Potentially Unwanted Program more information...
Details: PartyPoker is an online gambling application that requires the user to download its software in order to play.
Status: Deleted

Files detected
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Images\Thumbs.db:encryptable
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Images\system_but_bingo.jpg
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Images\system_but_gammon.jpg
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Images\Thumbs.db
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\10749.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\10753.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\12741.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\12743.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\16891.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\16895.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\16991.html
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\16997.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\17007.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\2.html
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\4.html
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\48252.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\48260.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\48262.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\48478.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\48514.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\52758.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\54708.html
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\54716.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\54718.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\54724.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\54768.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\54776.atc
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\6331.html
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Language\en_US\articles\6333.html
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Notes.txt
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\Uninstall.exe
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\usertab.txt
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\IMAGES
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\LANGUAGE
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\LANGUAGE\EN_US
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\LANGUAGE\EN_US\ARTICLES
C:\PROGRAM FILES\PARTYGAMING\PARTYPOKER\TEMP

Registry entries detected
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER
HKEY_USERS\S-1-5-21-4218083719-531290239-989602821-1131\SOFTWARE\PARTYGAMING\PARTYPOKER


Trojan.Unclassified.gen Trojan more information...
Details: Trojan.Unclassified.gen is a group of various malicious applications that have not been fully categorized. Detection has been added as Trojan.Unclassified.gen until such applications can be further classified.
Status: Deleted

Files detected
W:\Programs\Pop Cap Games\Dynomite 2.01\eatdy201ck.exe

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\AuxUserType
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\AuxUserType\2
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\AuxUserType\2
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\AuxUserType\3
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\AuxUserType\3
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Conversion
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Conversion\Readable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Conversion\Readable\Main
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Conversion\Readable\Main
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Conversion\Readwritable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Conversion\Readwritable\Main
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Conversion\Readwritable\Main
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\DefaultFile
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\DefaultFile
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\DelayRenderFormats
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\DelayRenderFormats\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\DelayRenderFormats\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\2
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\2
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\3
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\3
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\4
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\4
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\5
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\GetSet\5
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\PriorityCacheFormats
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\PriorityCacheFormats\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DataFormats\PriorityCacheFormats\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DefaultExtension
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DefaultExtension
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DocObject
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\DocObject
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Implemented Categories
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Insertable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Insertable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\OfficeCompliant
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\OfficeCompliant
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\PersistentHandler
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\PersistentHandler
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Printable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Printable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Verb
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Verb\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Verb\0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Verb\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Verb\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Version
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\Version
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3571969E-C383-C239-1526-065215260652}

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:36 AM

Posted 10 July 2007 - 01:13 PM

Restart your PC, then post a new HijackThis log in your next reply.

#14 Belizean

Belizean
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:36 PM

Posted 10 July 2007 - 04:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 15:39, on 2007-07-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Perception\Secura Backup\securasvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Documents and Settings\Axel.BHCSERVER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {527996C1-34AD-4421-AE98-D39B82B535BA} (SonySncMMDetection Control) - http://10.10.1.156:9001/adm/SonySncMMDetection.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1180665725573
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\Software\..\Telephony: DomainName = bennys.bz
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5E540B7-2C33-4179-8C10-556C7576DDDA}: NameServer = 10.10.1.1,200.32.248.1,200.32.218.132
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bennys.bz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bennys.bz
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SecuraService - Unknown owner - C:\Program Files\Perception\Secura Backup\securasvc.exe

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:36 AM

Posted 10 July 2007 - 05:52 PM

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
Combofix.exe
Killbox

C:\QOOBOX
C:\!KillBox

------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

------------------------------

Enable Spybot S&D's protection.

------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next, click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
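An added example, not part of this thread and not HijackThis's own code: a small Python script that automates two things a Malware Response Team member checks by eye in the "Running processes" section of a log like the one posted above. It flags a process name that is one edit away from a core Windows binary (svshost.exe or scvhost.exe sitting next to the real svchost.exe), and a core binary name running from somewhere other than its usual directory. The expected directories are assumed Windows XP locations; the sample log is constructed, and the svshost.exe and Temp\svchost.exe lines in it are invented to show what gets flagged.

```python
"""Triage the 'Running processes' section of a HijackThis log.

Added example; not part of the original thread and not HijackThis code.
Two checks a responder does by eye are automated here:
  1. a process name one edit away from a core Windows binary
     (svshost.exe / scvhost.exe next to the real svchost.exe)
  2. a core Windows binary name running from somewhere other than the
     directory it is expected to live in (assumed Windows XP locations)
"""
import ntpath

# Assumed Windows XP locations of the core binaries (lower-case for comparison).
CORE_BINARIES = {
    "smss.exe":     r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "spoolsv.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1, so 'scvhost' is 1 from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def triage(paths):
    """Return (path, reason) for every process path worth a closer look."""
    findings = []
    for path in paths:
        directory, name = ntpath.split(path.lower())
        if name in CORE_BINARIES:
            if directory != CORE_BINARIES[name]:
                findings.append((path, "core binary name outside expected directory"))
            continue
        for core in CORE_BINARIES:
            if edit_distance(name, core) == 1:
                findings.append((path, "look-alike of " + core))
                break
    return findings


def triage_log(log_text):
    return triage(running_processes(log_text))


# Constructed sample in HijackThis format: the first four process lines are
# ordinary Windows XP entries, the last two are invented to show what gets flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\Temp\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""

if __name__ == "__main__":
    for path, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

The comparison is case-insensitive because HijackThis prints the path exactly as the process was launched (System32 and system32 both appear in the log above). A hit is a prompt for a closer look, not a verdict: a look-alike name is not proof of malware, and a correctly named svchost.exe in system32 is not proof of a clean file, since the path says nothing about the file's contents. That is what the antivirus scan and a hash comparison against a known-good copy are for.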