Persistent Problem

wares

I have a problem with DriveCleaner & Smitfraud C Core Service malware. They have been in my computer for a month. I tried using Spybot, Ad-Aware and Windows Defender to remove the problems. Spybot was the most effective but the two types of malware mentioned above still remain. I read a post from someone who has a similar problem. I downloaded HJT and here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:23 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winntify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\sruuenuu.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\svchost.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe

--
End of file - 6149 bytes

I would appreciate any assistance anyone can provide to rid me of this problem.
 
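The log above is the kind of thing a helper reads by eye, looking for autorun entries that launch a core Windows binary from the wrong directory (the two `svchost.exe` copies under `system32\drivers` and the Administrator profile) and services with no publisher. The script below is an added example, not part of the original thread or of HijackThis itself: it parses O4 and O23 lines with a few location heuristics written for this example (the `SYSTEM_BINARY_NAMES` list, the `SYSTEM_DIRS` set and the "rundll32 needs a look" rule are its own assumptions, not HijackThis rules). The sample input is copied from the log posted above.

```python
"""Triage the O4 (autorun) and O23 (service) lines of a HijackThis log."""
import re
from dataclasses import dataclass

# Input lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\sruuenuu.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
"""


@dataclass
class Finding:
    severity: str  # "high": very likely malicious; "review": needs a human look
    entry: str     # autorun value name or service short name
    path: str      # binary the entry launches
    reason: str


# Core Windows binaries that malware likes to impersonate. On XP they live only
# in C:\WINDOWS\system32 (explorer.exe in C:\WINDOWS). This list and the
# directory set are assumptions of this example; extend them as needed.
SYSTEM_BINARY_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                       "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

O4_RE = re.compile(r"^O4 - HK\S*\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# First drive-letter path ending in .exe/.dll inside a command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)


def check_autorun(name, cmd):
    """Apply the location heuristics to one O4 Run entry."""
    m = PATH_RE.search(cmd)
    path = m.group(0) if m else cmd
    directory, _, base = path.lower().rpartition("\\")
    findings = []
    if base in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        findings.append(Finding("high", name, path,
                                "core Windows binary name running from a non-system directory"))
    if "\\documents and settings\\" in path.lower():
        findings.append(Finding("high", name, path,
                                "autorun launched from a user profile directory"))
    if cmd.lower().startswith("rundll32"):
        findings.append(Finding("review", name, path,
                                "rundll32 loader; confirm the DLL belongs to a known vendor"))
    return findings


def check_service(display, owner, path):
    """Flag O23 services whose binary carries no publisher information."""
    short = re.search(r"\(([^)]+)\)\s*$", display)
    name = short.group(1) if short else display
    if owner.strip().lower() == "unknown owner":
        return [Finding("review", name, path, "service binary has no publisher; verify the file")]
    return []


def triage(log_text):
    """Return all findings for the O4 and O23 lines in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            findings.extend(check_autorun(m["name"], m["cmd"]))
            continue
        m = O23_RE.match(line)
        if m:
            findings.extend(check_service(m["display"], m["owner"], m["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry:16} {f.path}  <- {f.reason}")
```

On the sample it rates the two `svchost.exe` autoruns high and leaves the `rundll32` entries and the unsigned `180axp.exe` service for a human, which matches what the helper went after with SDFix and ComboFix. The "review" rules are deliberately noisy: the NVIDIA `NvCpl.dll` loader is legitimate, and `acs.exe` would also show "Unknown owner", so they are prompts to check a file, not verdicts.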
Hi, welcome to Safer Networking Forums!

I edited the red out of your HijackThis log; it's hurting my eyes a bit.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
__________

Download combofix.exe

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
___________

HJT Uninstall list
  • Open HijackThis > Click "Misc Tools Section"
  • Click "Open Uninstall Manager".
  • Click "Save List".
  • Save it to your Desktop.
  • Copy the contents of the file to your next reply.
 
SDFix & Combofix reports

Angelfire

Sorry it took so long for the response. Here are the logfiles you wanted.

SDFix

SDFix: Version 1.96

Run by Administrator on Wed 08/08/2007 at 09:15 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\3742351 - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\Web\PRINTERS\caccp.dll
C:\WINDOWS\SYSTEM32\180axp.exe
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG

Finished
Combofix
ComboFix 07-08-09.4 - "Administrator" 2007-08-08 21:31:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.237 [GMT -6:00]


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-08 21:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-08 20:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 00:29 <DIR> d-------- C:\Program Files\RegScrubXP
2007-07-28 16:47 <DIR> d-------- C:\Program Files\Setup NetZero
2007-07-28 16:36 <DIR> d-------- C:\Program Files\Cosmi
2007-07-28 12:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-28 10:49 126,016 --a------ C:\WINDOWS\SYSTEM32\qqcqrrhd.dll
2007-07-28 10:49 109 --ahs---- C:\WINDOWS\SYSTEM32\3367116517.dat
2007-07-28 10:48 46,913 -rahs---- C:\WINDOWS\SYSTEM32\180axp.exe
2007-07-23 21:29 174,121 --a------ C:\WINDOWS\SYSTEM32\dnc8b21ee5.dat
2007-07-21 12:59 6,489 --ahs---- C:\WINDOWS\SYSTEM32\nnnmp.bak1
2007-07-19 22:36 5,730,304 --a------ C:\WINDOWS\ToolkitPro1112vc80U.dll
2007-07-19 22:26 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-07-19 22:26 1,053,184 --a------ C:\WINDOWS\SYSTEM32\MFC71u.dll
2007-07-19 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MediaComplete
2007-07-19 22:02 68,888 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2007-07-19 22:02 62,744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2007-07-19 22:02 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2007-07-19 22:02 255,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_6.dll
2007-07-19 22:02 251,672 --a------ C:\WINDOWS\SYSTEM32\xactengine2_5.dll
2007-07-19 22:02 237,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_4.dll
2007-07-19 22:02 236,824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2007-07-19 22:02 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2007-07-19 22:02 15,128 --a------ C:\WINDOWS\SYSTEM32\x3daudio1_1.dll
2007-07-19 22:01 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-19 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-07-19 21:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-07-16 00:17 <DIR> d-------- C:\Program Files\QuickTime
2007-07-16 00:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-16 00:15 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-16 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-15 04:01 <DIR> d-------- C:\spoolerlogs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 20:12 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-03 17:48 37440 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-19 23:32 --------- d-------- C:\Program Files\Google
2007-07-19 22:36 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-07 14:00 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-07 13:03 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-07 13:00 --------- d-------- C:\Program Files\Messenger
2007-07-07 09:09 --------- d-------- C:\Program Files\Windows Defender
2007-07-07 00:58 --------- d-------- C:\Program Files\Movie Maker
2007-07-07 00:51 --------- d-------- C:\Program Files\Windows NT
2007-07-06 22:21 11665 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-03 23:34 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-03 19:38 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-07-03 15:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 13:12 384 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb6334.dat
2007-07-03 13:12 212 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb8467.dat
2007-07-03 13:12 18432 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb41.dat
2007-07-03 12:06 --------- d-------- C:\Program Files\Lavasoft
2007-07-02 17:25 --------- d-------- C:\Program Files\LimeWire
2007-07-02 17:03 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-07-02 13:36 841 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-07-02 13:36 801 --a------ C:\WINDOWS\system32\drivers\system_stable_header_small.gif
2007-07-02 13:36 6533 --a------ C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
2007-07-02 13:36 579 --a------ C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-07-02 13:36 567 --a------ C:\WINDOWS\system32\drivers\users_rating.gif
2007-07-02 13:36 5097 --a------ C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-07-02 13:36 291 --a------ C:\WINDOWS\system32\drivers\v.gif
2007-07-02 13:36 283 --a------ C:\WINDOWS\system32\drivers\x.gif
2007-07-02 13:36 1636 --a------ C:\WINDOWS\system32\drivers\system_stable_header.gif
2007-07-02 13:36 15075 --a------ C:\WINDOWS\system32\drivers\system_stable_box.jpg
2007-07-02 13:36 14484 --a------ C:\WINDOWS\system32\drivers\protect.gif
2007-07-02 13:36 13618 --a------ C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-07-02 13:36 1139 --a------ C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-07-02 13:35 945 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
2007-07-02 13:35 811 --a------ C:\WINDOWS\system32\drivers\download_btn.gif
2007-07-02 13:35 746 --a------ C:\WINDOWS\system32\drivers\buy_btn.gif
2007-07-02 13:35 737 --a------ C:\WINDOWS\system32\drivers\logo_bg.gif
2007-07-02 13:35 6575 --a------ C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-07-02 13:35 64 --a------ C:\WINDOWS\system32\drivers\close_icon.gif
2007-07-02 13:35 6373 --a------ C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-07-02 13:35 580 --a------ C:\WINDOWS\system32\drivers\features.gif
2007-07-02 13:35 50169 --a------ C:\WINDOWS\system32\drivers\pt.htm
2007-07-02 13:35 4825 --a------ C:\WINDOWS\system32\drivers\detect.htm
2007-07-02 13:35 4557 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-07-02 13:35 427 --a------ C:\WINDOWS\system32\drivers\4_stars.gif
2007-07-02 13:35 365 --a------ C:\WINDOWS\system32\drivers\5_stars.gif
2007-07-02 13:35 360 --a------ C:\WINDOWS\system32\drivers\header_bg.gif
2007-07-02 13:35 3099 --a------ C:\WINDOWS\system32\drivers\logo.gif
2007-07-02 13:35 2186 --a------ C:\WINDOWS\system32\drivers\alert_icon.gif
2007-07-02 13:35 1804 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-07-02 13:35 10260 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-07-02 13:35 1014 --a------ C:\WINDOWS\system32\drivers\icon_warning.gif
2007-07-02 13:22 2624 --a------ C:\WINDOWS\system32\kwsmqdjn.exe
2007-07-02 00:57 --------- d-------- C:\Program Files\Apoint
2007-07-02 00:56 22592 --a------ C:\WINDOWS\system32\byv0hdmb.exe
2007-06-22 20:27 --------- d-------- C:\Program Files\Memorex exPressit Label Design Studio
2007-06-22 20:27 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-21 21:55 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-05-16 09:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2004-09-23 12:24 168 --a------ C:\Program Files\INSTALL.LOG
2004-09-23 15:19:25 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0431009B-E58F-43CE-BD77-4012E8748EAC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
2007-07-22 21:26 593920 ---hs---- C:\WINDOWS\Web\PRINTERS\caccp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7960907-53C8-40C2-BB80-259057434C3C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-26 12:01]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 14:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 19:59]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 12:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe [2005-08-18 17:09:58]
DESKTOP.INI [2002-09-03 12:36:04]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-24 14:01:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caccp]
C:\WINDOWS\Web\PRINTERS\caccp.dll 2007-07-22 21:26 593920 C:\WINDOWS\Web\PRINTERS\caccp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljhhg]
C:\WINDOWS\system32\ljhhg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrs]
C:\WINDOWS\System32\rqrrs.dll

R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S2 SCardSvrgusvc;Smart Card SCardSvrgusvc;C:\WINDOWS\system32\180axp.exe srv
S3 BEFCMV3XP;Linksys BEFCMU10 EtherFast Cable Modem;C:\WINDOWS\system32\DRIVERS\BEFCM3XP.sys
S3 BLKWGN;Belkin Wireless G Notebook Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGN.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tni3DC.tmp
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\wlanndi5.SYS


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c2c9231-c854-11da-9c41-000bdb1cbb75}]
AutoRun\command- E:\wd_windows_tools\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}]
C:\WINDOWS\system32\tmrsrv32.exe

Contents of the 'Scheduled Tasks' folder
2007-08-04 20:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 20:59:59 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At21.job
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At25.job
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At27.job
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At35.job
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 03:28:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 21:36:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 21:40:13
C:\ComboFix-quarantined-files.txt ... 2007-08-08 21:39
C:\ComboFix2.txt ... 2007-08-08 20:55

--- E O F ---
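The 'Scheduled Tasks' section of the ComboFix report above shows a pattern worth recognising on its own: 48 `At*.job` entries, one per hour of the day, that re-launch two randomly named executables in `System32` so the infection returns even after the Run keys are cleaned. The script below is an added example, not from the thread or from ComboFix: it parses that section and groups the `At*.job` entries by target binary, flagging any target that is scheduled across many distinct hours. The sample is a subset of the lines posted above, and `MIN_DISTINCT_HOURS` is a threshold chosen for this example (the full report would give both binaries 24 hours).

```python
"""Spot the hourly At*.job persistence pattern in a ComboFix 'Scheduled Tasks' listing."""
import re
from collections import defaultdict

# A subset of the task lines copied from the ComboFix report posted above.
SAMPLE_TASKS = r"""
2007-08-04 20:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 20:59:59 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 03:28:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
"""

# "<timestamp> <job path> - <target>", where the target may be missing entirely
# (ComboFix prints nothing after the job name for an unreadable .job file).
TASK_RE = re.compile(
    r"^\d{4}-\d\d-\d\d (?P<hour>\d\d):\d\d:\d\d "
    r"(?P<job>C:\\WINDOWS\\Tasks\\.*?\.job)(?: - (?P<target>.+))?$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)

# Threshold assumed for this example. Legitimate At jobs rarely repeat across
# this many distinct hours; the report in this thread covers all 24.
MIN_DISTINCT_HOURS = 6


def parse_tasks(text):
    """Yield (hour, job_path, target) per task line; target is None when blank."""
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            yield int(m["hour"]), m["job"], m["target"]


def at_job_coverage(text):
    """Map each target binary (lower-cased) to the set of hours At*.job entries run it."""
    hours = defaultdict(set)
    for hour, job, target in parse_tasks(text):
        if target and AT_JOB_RE.search(job):
            hours[target.lower()].add(hour)
    return hours


def suspicious_targets(text, min_hours=MIN_DISTINCT_HOURS):
    """Targets whose At*.job entries cover at least min_hours distinct hours of the day."""
    return sorted(t for t, h in at_job_coverage(text).items() if len(h) >= min_hours)


if __name__ == "__main__":
    for target, hours in sorted(at_job_coverage(SAMPLE_TASKS).items()):
        print(f"{target}: {len(hours)} distinct hours -> {sorted(hours)}")
    print("flagged:", suspicious_targets(SAMPLE_TASKS))
```

Grouping by target rather than by job name is the point: each `AtN.job` looks harmless on its own, and only the aggregate (one binary, every hour) reveals the scheduler being used as a restart mechanism. The same grouping works on `schtasks /query /fo csv` output with a different regex.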
 
Problems Part 2 HJT

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:53 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe

--
End of file - 5437 bytes
 
Sorry but I didn't see what you were looking for. I did find it but the uninstall button didn't create a report that would save to the desktop. I restarted the computer but now it will not move from BIOS to the Windows logo. I have restarted it numerous times but it hangs on the BIOS screen. I've tried using both the F2 (Setup) & the F12 (Boot Menu) BIOS functions. The BIOS meter shows that it almost will boot into Windows but, for whatever reason, it does not. I await your reply.
 
Can you boot to safe mode..?

Tap the F8 key just before Windows starts to load > This will bring up a menu > Use your keyboard to scroll to Safe Mode > Hit Enter.

Can you please provide a detailed description of how this happened (i.e. what you were doing, did you install/uninstall any software, did you receive an error of some sort, etc.)?
 
I cannot boot to safe mode.

After realizing how to find the uninstall list, I did the following actions:
  • I clicked on the Misc Tools button to open the uninstall list.
  • It opened, but it did not open a dialog box to save to the desktop.
  • I closed the uninstall list.
  • I double-clicked on HJT again to open the program.
  • Received a message saying that HJT was already running, but I didn't see the program.
  • Opened Task Manager to see if it was running in the background, but it was not.
  • Restarted the computer.
  • Computer logged off.
  • Rebooted into the BIOS screen with about 95% on the meter.
  • Computer hangs on the BIOS screen with no further response.

This is everything that led me to this point.
 
Hello..I'm not sure what happened, I'm currently asking for some experts' advice...

I'll have something for you soon.
 
Let's try this:

Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to "Last known configuration"> Hit enter.

If it still won't, try to boot from DOS prompt then type these in:

C:\Windows\System32\restore\rstrui.exe

See if you can get system restore to work..

Tell me how it goes.
 
Found the problem: my son hooked his iPod into the computer. It probably was looking for the "extra" drive and didn't know what to do with it.

Here is what you asked for, the HJT uninstall list. It doesn't save to a report, so I had to zip it. You should see 4 files which show the uninstall list from HJT.

Thank you for your assistance. I look forward to hearing from you now that the boot problem is taken care of.
 
Hi,

Good to know that it was only that! :D
_________

*Uninstall the items in bold if found:

J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03


*An optional that I would recommend be uninstalled.

LimeWire
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

Delete the following folders if you uninstalled LimeWire..

C:\Program Files\LimeWire
C:\Documents and Settings\Administrator\Application Data\LimeWire

Empty your recycle bin.
_________

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm028YYUS


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

Combofix Deletions
  • Open Notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
http://forums.spybot.info/showthread.php?t=16660

File::
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\System32\CqW5k0OS.exe
C:\WINDOWS\SYSTEM32\3367116517.dat
C:\WINDOWS\system32\ljhhg.dll
C:\WINDOWS\System32\rqrrs.dll
C:\WINDOWS\Web\PRINTERS\caccp.dll
C:\WINDOWS\SYSTEM32\nnnmp.bak1
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\system_stable_header_small.gif
C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\system_stable_header.gif
C:\WINDOWS\system32\drivers\system_stable_box.jpg
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\logo.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\kwsmqdjn.exe
C:\WINDOWS\system32\byv0hdmb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tni3DC.tmp
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job 
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job 
C:\WINDOWS\Tasks\At38.job 
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job 
C:\WINDOWS\Tasks\At40.job 
C:\WINDOWS\Tasks\At41.job 
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job 
C:\WINDOWS\Tasks\At44.job 
C:\WINDOWS\Tasks\At45.job 
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job 
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job 
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job 
C:\WINDOWS\Tasks\At9.job 

Folder::
C:\Program Files\Cosmi

Driver::
TnIDriver

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0431009B-E58F-43CE-BD77-4012E8748EAC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7960907-53C8-40C2-BB80-259057434C3C}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caccp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljhhg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrs]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}]

Collect::
C:\WINDOWS\SYSTEM32\qqcqrrhd.dll

Dirlook::
C:\spoolerlogs
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • ComboFix will restart your machine and then produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
  • Additionally, please follow all of ComboFix's instructions regarding the submission of malware samples for analysis, and make sure that you don't leave that part out.
________

I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path in to the box.

C:\WINDOWS\SYSTEM32\180axp.exe

Then click submit.

Do the same for this file:

C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.
__________

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: if at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
__________

On your next reply, please include a
  • Fresh HijackThis log.
  • Kaspersky scan log.
  • Jotti scan log.
  • combofix log.
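The CFScript pasted above has a simple line-oriented layout: a `Name::` header opens a section and every following non-blank line is an entry for that directive. As an added example (not ComboFix code and not written by the helper in this thread), here is a small parser for that layout plus two consistency checks a reviewer of such a script would want: that every Winlogon Notify key being deleted has its DLL listed under `File::`, and how many `AtN.job` tasks the script removes. The accepted directive names are only the six used in the thread; that restriction, and the sample script (a constructed subset of the one above with `caccp.dll` deliberately left out), are assumptions of this example.

```python
"""Parser and consistency checks for a ComboFix CFScript.

Added example: this is not ComboFix code and not from the thread's author.
The accepted directive names are the ones used in the script above (File,
Folder, Driver, Registry, Collect, Dirlook); restricting the parser to that
set is an assumption of this example. The sample script is a constructed
subset of the thread's script with one DLL entry deliberately left out.
"""
import re
import ntpath

KNOWN_DIRECTIVES = {"File", "Folder", "Driver", "Registry", "Collect", "Dirlook"}
# registry line such as [-HKEY_LOCAL_MACHINE\...\winlogon\notify\ljhhg]
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\\]]+)\]$", re.IGNORECASE)
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def parse_cfscript(text):
    """Split the script into {directive: [entries]} plus a list of unknown directives.

    Lines before the first 'Name::' header (the reference URL in the thread)
    are ignored; blank lines only separate sections and carry no meaning.
    """
    sections = {}
    unknown = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            if current not in KNOWN_DIRECTIVES:
                unknown.append(current)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return {"sections": sections, "unknown": unknown}


def registry_actions(script):
    """Interpret Registry:: entries: a leading '-' inside the brackets deletes the key."""
    actions = []
    for entry in script["sections"].get("Registry", []):
        m = re.match(r"^\[(-?)(.+)\]$", entry)
        if m:
            actions.append(("delete" if m.group(1) else "keep", m.group(2)))
    return actions


def notify_keys_without_dll(script):
    """Winlogon Notify keys removed under Registry:: whose DLL is not listed under File::.

    A Notify key without its DLL usually means the script is incomplete, which
    is exactly the kind of slip a reviewer wants to catch before it is run.
    """
    listed = {ntpath.splitext(ntpath.basename(p))[0].lower()
              for p in script["sections"].get("File", [])}
    missing = []
    for entry in script["sections"].get("Registry", []):
        m = NOTIFY_RE.search(entry)
        if m and m.group(1).lower() not in listed:
            missing.append(m.group(1))
    return sorted(missing)


def count_at_jobs(script):
    """Number of AtN.job scheduled tasks the script deletes."""
    return sum(1 for p in script["sections"].get("File", []) if AT_JOB_RE.search(p))


# constructed sample: a subset of the thread's script, caccp.dll intentionally omitted
SAMPLE_CFSCRIPT = r"""
http://forums.spybot.info/showthread.php?t=16660

File::
C:\WINDOWS\system32\ljhhg.dll
C:\WINDOWS\System32\rqrrs.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job

Folder::
C:\Program Files\Cosmi

Driver::
TnIDriver

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caccp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljhhg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrs]

Collect::
C:\WINDOWS\SYSTEM32\qqcqrrhd.dll
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in parsed["sections"].items():
        print(f"{name}:: {len(entries)} entries")
    print("unknown directives:", parsed["unknown"])
    print("At*.job tasks:", count_at_jobs(parsed))
    print("Notify keys without a matching DLL:", notify_keys_without_dll(parsed))
```

Run against the sample, the parser reports five sections, two `At*.job` tasks, and `caccp` as a Notify key whose DLL is missing from `File::`; in the full script above that DLL is present (`C:\WINDOWS\Web\PRINTERS\caccp.dll`), so the check passes there.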
 
Ok I followed your instructions and here are the results:

Uninstalled both of the Java programs

Uninstalled the Limewire and the program folder

Emptied Recycle Bin

Deleted both items in HJT

Cut & pasted code into Combofix & submitted to bleeping computer and received the following:

Submit malware to Bleeping Computer for analysis.

Copy/Paste the filepath below into the box above and click Send.

C:\DOCUME~1\ADMINI~1\Desktop.\[4]-Submit_2007-08-11_ 23127.66.zip

Malware Submission
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.


As you asked, the following files were not found on my system.

C:\WINDOWS\SYSTEM32\180axp.exe
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


I manually looked for the files, and when I didn't find them I used the search feature. So there is no Jotti log for these files.

The Kaspersky, Combofix and HJT logs are attached.
________

ComboFix 07-08-09.4 - "Administrator" 2007-08-11 22:11:58.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.313 [GMT -6:00]


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-11 22:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-08-11 03:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-11 03:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-11 03:03 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-11 02:36 109 --a------ C:\WINDOWS\SYSTEM32\3367116517.dat
2007-08-08 21:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-08 20:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 00:29 <DIR> d-------- C:\Program Files\RegScrubXP
2007-07-28 16:47 <DIR> d-------- C:\Program Files\Setup NetZero
2007-07-28 12:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-28 10:48 46,913 -rahs---- C:\WINDOWS\SYSTEM32\180axp.exe
2007-07-23 21:29 174,121 --a------ C:\WINDOWS\SYSTEM32\dnc8b21ee5.dat
2007-07-19 22:36 5,730,304 --a------ C:\WINDOWS\ToolkitPro1112vc80U.dll
2007-07-19 22:26 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-07-19 22:26 1,053,184 --a------ C:\WINDOWS\SYSTEM32\MFC71u.dll
2007-07-19 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MediaComplete
2007-07-19 22:02 68,888 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2007-07-19 22:02 62,744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2007-07-19 22:02 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2007-07-19 22:02 255,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_6.dll
2007-07-19 22:02 251,672 --a------ C:\WINDOWS\SYSTEM32\xactengine2_5.dll
2007-07-19 22:02 237,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_4.dll
2007-07-19 22:02 236,824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2007-07-19 22:02 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2007-07-19 22:02 15,128 --a------ C:\WINDOWS\SYSTEM32\x3daudio1_1.dll
2007-07-19 22:01 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-19 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-07-19 21:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-07-16 00:17 <DIR> d-------- C:\Program Files\QuickTime
2007-07-16 00:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-16 00:15 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-16 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-15 04:01 <DIR> d-------- C:\spoolerlogs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 02:08 --------- d-------- C:\Program Files\ELPLink3
2007-08-08 20:12 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-03 17:48 37440 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-19 23:32 --------- d-------- C:\Program Files\Google
2007-07-19 22:36 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-07 14:00 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-07 13:03 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-07 13:00 --------- d-------- C:\Program Files\Messenger
2007-07-07 09:09 --------- d-------- C:\Program Files\Windows Defender
2007-07-07 00:58 --------- d-------- C:\Program Files\Movie Maker
2007-07-07 00:51 --------- d-------- C:\Program Files\Windows NT
2007-07-06 22:21 11665 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-03 23:34 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-03 19:38 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-07-03 15:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 13:12 384 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb6334.dat
2007-07-03 13:12 212 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb8467.dat
2007-07-03 13:12 18432 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb41.dat
2007-07-03 12:06 --------- d-------- C:\Program Files\Lavasoft
2007-07-02 00:57 --------- d-------- C:\Program Files\Apoint
2007-06-22 20:27 --------- d-------- C:\Program Files\Memorex exPressit Label Design Studio
2007-06-22 20:27 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-21 21:55 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-05-16 09:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2004-09-23 12:24 168 --a------ C:\Program Files\INSTALL.LOG
2004-09-23 15:19:25 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-26 12:01]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 14:32]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 19:59]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 12:36:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe [2005-08-18 17:09:58]
DESKTOP.INI [2002-09-03 12:36:04]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-24 14:01:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]

R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S2 SCardSvrgusvc;Smart Card SCardSvrgusvc;C:\WINDOWS\system32\180axp.exe srv
S3 BEFCMV3XP;Linksys BEFCMU10 EtherFast Cable Modem;C:\WINDOWS\system32\DRIVERS\BEFCM3XP.sys
S3 BLKWGN;Belkin Wireless G Notebook Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGN.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\wlanndi5.SYS


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c2c9231-c854-11da-9c41-000bdb1cbb75}]
AutoRun\command- E:\wd_windows_tools\setup.exe

*Newly Created Service* - HTTPFILTER

Contents of the 'Scheduled Tasks' folder
2007-08-11 20:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-11 16:00:01 C:\WINDOWS\Tasks\At35.job
2007-08-11 08:39:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 22:13:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 22:14:49
C:\ComboFix-quarantined-files.txt ... 2007-08-11 22:14
C:\ComboFix2.txt ... 2007-08-11 02:39
C:\ComboFix3.txt ... 2007-08-08 21:40

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:24 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe

--
End of file - 5583 bytes
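Two lines in the logs above carry the findings the helper picks up on next: the HijackThis `O23` entry for a service with an unknown owner running from system32, and the ComboFix "Files Created" entry showing that `180axp.exe` was dropped with the read-only, hidden and system attributes (`-rahs----`). As an added example, not code from the thread or from HijackThis/ComboFix, here is a small triage script that parses both line formats and flags those two patterns; the regular expressions and heuristics are mine, and the sample lines are copied from the logs above.

```python
"""Triage of HijackThis O23 lines and ComboFix "Files Created" lines.

Added example, not code from the thread or from HijackThis/ComboFix: the
regular expressions, the heuristics and the choice of sample lines (copied
from the logs above) are mine. It flags a service with an unknown owner
running from system32, and a recently created executable carrying the hidden
and system attributes. Both are signals to verify, not proof of infection.
"""
import re
import ntpath

# O23 - Service: <display name> [(<short name>)] - <owner> - <path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)
# ComboFix "Files Created": <date> <time> <size|<DIR>> <attrs> <path>
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
EXECUTABLE_EXT = {".exe", ".dll", ".sys"}


def parse_hjt_services(lines):
    """Return a dict per O23 line (name, short, owner, path); short is None if absent."""
    return [m.groupdict() for m in (O23_RE.match(l.strip()) for l in lines) if m]


def suspicious_services(lines):
    """Services HijackThis could not attribute to a vendor that run from system32."""
    return [svc for svc in parse_hjt_services(lines)
            if svc["owner"] == "Unknown owner"
            and svc["path"].lower().startswith(SYSTEM32_PREFIX)]


def parse_created_files(lines):
    """Return a dict per 'Files Created' line with hidden/system flags decoded."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["hidden"] = "h" in d["attrs"]
            d["system"] = "s" in d["attrs"]
            entries.append(d)
    return entries


def suspicious_created_files(lines):
    """Executables or drivers created with both the hidden and system attributes set."""
    return [e["path"] for e in parse_created_files(lines)
            if e["hidden"] and e["system"]
            and ntpath.splitext(e["path"])[1].lower() in EXECUTABLE_EXT]


# sample lines copied from the HijackThis and ComboFix logs in this thread
SAMPLE_HJT = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
2007-08-11 22:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-08-08 20:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-28 10:48 46,913 -rahs---- C:\WINDOWS\SYSTEM32\180axp.exe
2007-07-23 21:29 174,121 --a------ C:\WINDOWS\SYSTEM32\dnc8b21ee5.dat
""".strip().splitlines()

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_HJT):
        print("suspect service:", svc["short"], "->", svc["path"])
    for path in suspicious_created_files(SAMPLE_COMBOFIX):
        print("hidden+system executable:", path)
```

On the sample lines the script reports only `180axp.exe` from both logs. Note that the owner heuristic would also flag legitimate services that HijackThis cannot attribute (the Atheros `acs.exe` entry above is one), so treat a hit as something to verify with a file scan, which is exactly what the helper asks for next.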
 
Hi,

I posted your logs because it's very hard to take a look at them in Notepad. Next time, please do not attach any files. If they don't fit in one post, use separate posts.

Configure your machine to view hidden files:

Windows XP
  • Click Start.
  • Open My Computer..
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.

Although it seems that combofix worked, it seemed that it had a problem...

Before we continue, do you know what this folder is? C:\spoolerlogs

If not, please double-click on the folder, then see if you can find a file; right-click it > Properties and tell me what vendor the file is from.

Also, do you know what service this is?: O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe

If not, see if you can scan 180axp.exe again now that you can see hidden files and folders..
 
I do not know what the spoolerlog folder is. The file in the folder is called spooler and has the extension .xml. I used the Jotti and VirusTotal websites to scan the file. Here is the log.

JOTTI

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: spooler.xml
Status: OK
MD5: bcd1394236715fb88903cf871c5609b9
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 12 Aug 2007 22:43:27 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


VIRUSTOTAL

File spooler.xml received on 08.13.2007 00:33:31 (CET)

Antivirus  Version  Last Update  Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.60 2007.08.12 -
Authentium 4.93.8 2007.08.11 -
Avast 4.7.1029.0 2007.08.12 -
AVG 7.5.0.476 2007.08.12 -
BitDefender 7.2 2007.08.12 -
CAT-QuickHeal 9.00 2007.08.11 -
ClamAV 0.91 2007.08.12 -
DrWeb 4.33 2007.08.13 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5050 2007.08.11 -
Ewido 4.0 2007.08.12 -
FileAdvisor 1 2007.08.13 -
Fortinet 2.91.0.0 2007.08.12 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.12 -
Ikarus T3.1.1.12 2007.08.12 -
Kaspersky 4.0.2.24 2007.08.13 -
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.13 -
NOD32v2 2454 2007.08.12 -
Norman 5.80.02 2007.08.10 -
Panda 9.0.0.4 2007.08.12 -
Prevx1 V2 2007.08.13 -
Rising 19.35.62.00 2007.08.12 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.12 -
TheHacker 6.1.7.167 2007.08.12 -
VBA32 3.12.2.2 2007.08.11 -
VirusBuster 4.3.26:9 2007.08.12 -
Webwasher-Gateway 6.0.1 2007.08.12 -

Additional information
File size: 3701 bytes
MD5: bcd1394236715fb88903cf871c5609b9
SHA1: d198e32ae8c4b8269936d797761a1653355aa0ba
 
Can you see the 180axp.exe now that your system is configured to show hidden files and folders? If so, please scan it at jotti and you need not post the whole page, just the scan logs.
 
Neither Jotti nor VirusTotal could scan the 180axp.exe file. Here is what I received from both sites:

Jotti:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Virustotal:

0 bytes size received / Se ha recibido un archivo vacio

I attempted to disable the Windows Firewall, and that still did not let the sites scan the file. Do you have any other suggestions?
 
Hi,

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load > This will bring up a menu > Use your keyboard to scroll to Safe Mode > Hit Enter.
________

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type movefile.bat in the File name and save it to your desktop.

Code:
@echo off
rem clear the read-only, hidden and system attributes so the file can be copied
Attrib -r -h -s C:\WINDOWS\system32\180axp.exe
rem copy it to the root of C: where the online scanners can read it
copy /y C:\WINDOWS\system32\180axp.exe C:\
exit

Go to your Desktop and double-click on movefile.bat, you may see a Window quickly open and close.

Reboot to normal mode.
________

I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path in to the box.

C:\180axp.exe

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.
 