
Thread: Command Service and other stuff

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    29

    Command Service and other stuff

    Hi - I've been using Spybot, vundo.exe and Ad-Aware, and I can't completely clear my machine. Can someone please help? Here's my latest HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:53:16 PM, on 6/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\ggnsifki.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\svhost.exe
    C:\WINDOWS\qndddsnA.exe
    C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\s?stem\m?iexec.exe
    C:\PROGRA~1\FNTS~1\javaw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\retadpu77.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by TMP Worldwide
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {08EEC37C-DD2E-4482-9968-6B794F206B1A} - C:\Program Files\Windows Media Player\hopew43855.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {58FE4633-3D0A-4464-BD5B-939C19B57011} - C:\WINDOWS\system32\drivern.dll
    O2 - BHO: (no name) - {661A6EFE-A418-ACEB-4B11-F98DBF2C82CB} - C:\WINDOWS\system32\zafal.dll (file missing)
    O2 - BHO: (no name) - {6D1964D8-A038-DDBA-1A15-F88DBA518392} - C:\WINDOWS\system32\rnxpgrr.dll
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
    O2 - BHO: (no name) - {9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC} - C:\Program Files\Windows Media Player\hopew83122.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O2 - BHO: (no name) - {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF} - C:\WINDOWS\system32\oppoo.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [qndddsnA] C:\WINDOWS\qndddsnA.exe
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
    O4 - HKLM\..\Run: [SecureWeb] C:\WINDOWS\system32\3MytCS68.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\RunOnce: [checkregistry] C:\WINDOWS\system32\monterreyn_ingen.exe driverm.dll driverm.exe r
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Xhol] "C:\Program Files\s?stem\m?iexec.exe"
    O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt ndrv
    O4 - HKCU\..\RunOnce: [checkregistry] C:\WINDOWS\system32\monterreyn_ingen.exe driverm.dll driverm.exe r
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/...Bound_mail.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/..._HI_Client.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172111006824
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\ggnsifki.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

  2. #2
    Shaba (Emeritus)
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644


    Hi jzaza

    1. Download ComboFix from one of these links:
    Link1
    Link2
    2. Double-click combofix.exe and follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Jun 2007
    Posts
    29

    Combo and HJT logs

    Thank you for your help.

    Combo Log:
    "JZeinieh" - 2007-06-25 14:56:11 - ComboFix 07-06-23.5 - Service Pack 2 NTFS

    /wow section not completed

    ((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


    2007-06-25 09:56 1,156 --a------ C:\WINDOWS\mozver.dat
    2007-06-25 09:23 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-25 09:00 60,928 --a------ C:\WINDOWS\system32\daqawhdb.dll
    2007-06-23 19:50 <DIR> d-------- C:\WINDOWS\pss
    2007-06-23 10:44 <DIR> d-------- C:\WINDOWS\zfff
    2007-06-23 10:44 <DIR> d-------- C:\Program Files\Common Files\zfff
    2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yapta
    2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-06-23 10:29 <DIR> d--hs---- C:\WINDOWS\VE1QIFdvcmxkd2lkZQ
    2007-06-22 13:22 <DIR> d-------- C:\VundoFix Backups
    2007-06-22 13:18 107,520 --a------ C:\VundoFix.exe
    2007-06-21 22:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-06-21 21:18 122,880 --a------ C:\WINDOWS\xmlhelper2.dll
    2007-06-21 21:07 20,544 --a------ C:\WINDOWS\system32\3MytCS68.exe
    2007-06-21 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-21 19:53 <DIR> d-------- C:\hjt
    2007-06-21 19:33 122,900 --a------ C:\WINDOWS\system32\dreadavk.exe
    2007-06-21 10:04 122,900 --a------ C:\WINDOWS\system32\ggnsifki.exe
    2007-06-21 09:41 79,872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys
    2007-06-21 09:41 501,920 -r-hs---- C:\WINDOWS\qndddsnA.exe
    2007-06-21 09:41 46,592 --a------ C:\WINDOWS\qndddsn.exe
    2007-06-21 09:40 89,088 --a------ C:\WINDOWS\system32\atl71.dll
    2007-06-21 09:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-06-21 09:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-06-21 09:40 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-06-21 09:40 <DIR> d-------- C:\Temp
    2007-06-21 07:21 0 --ah----- C:\WINDOWS\system32\pifpaf.pif
    2007-06-20 08:36 97,280 --a------ C:\WINDOWS\monterreyn_ingen.exe
    2007-06-20 08:35 97,280 --a------ C:\WINDOWS\system32\monterreyn_ingen.exe
    2007-06-19 10:53 22,528 --a------ C:\Program Files\Common Files\winctl.dll
    2007-06-19 10:02 <DIR> d-------- C:\WINDOWS\system32\msvcr61
    2007-06-18 19:26 97,792 --a-s---- C:\WINDOWS\system32\monterreym_ingen.exe
    2007-06-18 16:01 45,056 --a------ C:\syssoit.exe
    2007-06-13 11:43 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-05-27 18:41 <DIR> d-------- C:\Program Files\Yapta
    2007-05-27 18:41 <DIR> d-------- C:\DOCUME~1\jzeinieh\APPLIC~1\Yapta
    2007-05-26 17:11 262,144 --ah----- C:\DOCUME~1\TEMP\NTUSER.DAT
    2007-05-26 17:11 <DIR> d--h----- C:\DOCUME~1\TEMP\WLANProfiles


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-25 14:26:13 -------- d-----w C:\Program Files\Messenger
    2007-05-23 19:08:04 -------- d-----w C:\Program Files\Google
    2007-05-09 03:23:35 -------- d-----w C:\DOCUME~1\jzeinieh\APPLIC~1\SecondLife
    2007-05-09 03:23:22 -------- d-----w C:\Program Files\SecondLife
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-02 19:10:45 199,751 ----a-w C:\WINDOWS\system32\atasnt40.dll
    2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\VE1QIFdvcmxkd2lkZQ\pHYkKIxSwAU4xZ54tk.vbs


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {08EEC37C-DD2E-4482-9968-6B794F206B1A}=C:\Program Files\Windows Media Player\hopew43855.dll [2007-06-14 06:54]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {63196F8F-F73E-8EBD-1A15-F88DBA5181C0}=C:\WINDOWS\system32\daqawhdb.dll [2007-06-20 09:49]
    {661A6EFE-A418-ACEB-4B11-F98DBF2C82CB}=C:\WINDOWS\system32\zafal.dll []
    {85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper2.dll [2007-06-21 21:18]
    {9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC}=C:\Program Files\Windows Media Player\hopew83122.dll [2007-06-18 13:59]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-22 12:05]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-05-22 12:05]
    {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF}=C:\WINDOWS\system32\oppoo.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Visual Studio .NET Components"="msvcr61.exe" [2007-06-25 14:58 C:\WINDOWS\system32\.]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:32]
    "WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 14:49]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 09:00]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
    "RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\faxctrl.exe" [2002-07-24 18:57]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
    "Aim6"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 12:05]
    "Xhol"="C:\Program Files\s?stem\m?iexec.exe" []
    "Tair"="C:\PROGRA~1\FNTS~1\javaw.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWindowsUpdate"=1 (0x1)
    "NoAutoUpdate"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Messenger\prokyfsov.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "{009541A0-3B00-1F1C-00F3-040224009C02}"="C:\Program Files\Common Files\winctl.dll" [2007-06-18 17:33]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1219070818-4200922009-2982726761-329357\Scripts\Logon\0\0]
    "Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\0\0]
    "Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\1\0]
    "Script"=\\prod.corp.ad\NETLOGON\Logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12


    Contents of the 'Scheduled Tasks' folder
    2007-06-22 05:00:30 C:\WINDOWS\tasks\At1.job
    2007-06-25 14:01:42 C:\WINDOWS\tasks\At10.job
    2007-06-25 15:01:46 C:\WINDOWS\tasks\At11.job
    2007-06-25 16:00:30 C:\WINDOWS\tasks\At12.job
    2007-06-25 17:00:35 C:\WINDOWS\tasks\At13.job
    2007-06-25 18:00:30 C:\WINDOWS\tasks\At14.job
    2007-06-25 19:00:30 C:\WINDOWS\tasks\At15.job
    2007-06-24 20:00:30 C:\WINDOWS\tasks\At16.job
    2007-06-24 21:00:31 C:\WINDOWS\tasks\At17.job
    2007-06-24 22:00:31 C:\WINDOWS\tasks\At18.job
    2007-06-24 23:00:30 C:\WINDOWS\tasks\At19.job
    2007-06-22 02:07:11 C:\WINDOWS\tasks\At2.job
    2007-06-25 00:00:31 C:\WINDOWS\tasks\At20.job
    2007-06-25 01:00:30 C:\WINDOWS\tasks\At21.job
    2007-06-22 02:07:19 C:\WINDOWS\tasks\At22.job
    2007-06-22 03:01:34 C:\WINDOWS\tasks\At23.job
    2007-06-22 04:00:32 C:\WINDOWS\tasks\At24.job
    2007-06-22 02:07:12 C:\WINDOWS\tasks\At3.job
    2007-06-22 02:07:12 C:\WINDOWS\tasks\At4.job
    2007-06-22 02:07:13 C:\WINDOWS\tasks\At5.job
    2007-06-22 02:07:13 C:\WINDOWS\tasks\At6.job
    2007-06-22 02:07:13 C:\WINDOWS\tasks\At7.job
    2007-06-22 02:07:13 C:\WINDOWS\tasks\At8.job
    2007-06-22 02:07:13 C:\WINDOWS\tasks\At9.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-25 14:58:58
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile, ZwQuerySystemInformation

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\msvcr61
    C:\WINDOWS\system32\msvcr61.dll
    C:\WINDOWS\system32\msvcr61.exe

    scan completed successfully
    hidden files: 3

    **************************************************************************

    Completion time: 2007-06-25 14:59:42
    C:\ComboFix-quarantined-files.txt ... 2007-06-25 14:59

    --- E O F ---



    *******************************************************

    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 15:03, on 2007-06-25
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {08EEC37C-DD2E-4482-9968-6B794F206B1A} - C:\Program Files\Windows Media Player\hopew43855.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {63196F8F-F73E-8EBD-1A15-F88DBA5181C0} - C:\WINDOWS\system32\daqawhdb.dll
    O2 - BHO: (no name) - {661A6EFE-A418-ACEB-4B11-F98DBF2C82CB} - C:\WINDOWS\system32\zafal.dll (file missing)
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
    O2 - BHO: (no name) - {9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC} - C:\Program Files\Windows Media Player\hopew83122.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O2 - BHO: (no name) - {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF} - C:\WINDOWS\system32\oppoo.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Xhol] "C:\Program Files\s?stem\m?iexec.exe"
    O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt ndrv
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/...Bound_mail.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/..._HI_Client.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172111006824
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

  4. #4
    Shaba (Emeritus)
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644


    Hi

    Please also post the contents of C:\ComboFix-quarantined-files.txt

  5. #5
    Junior Member
    Join Date
    Jun 2007
    Posts
    29

    Quarantined files log

    Here you go:

    Code:
    2007-01-12 15:00      18031    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
    2007-03-06 10:59      34494    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir
    2007-04-24 11:21      9248    --a------    C:\Qoobox\Quarantine\C\Temp\0b9\tmpTF.log.vir
    2007-05-21 23:26      212992    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S1\bk53.exe.vir
    2007-06-05 07:51      123544    --a------    C:\Qoobox\Quarantine\C\WINDOWS\b136.exe.vir
    2007-06-06 10:35      618496    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe.vir
    2007-06-12 02:53      32768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\o02PrEz\o02PrEz1065.exe.vir
    2007-06-12 03:01      32768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\o09PrEz\o09PrEz1099.exe.vir
    2007-06-12 03:12      99855    --a------    C:\Qoobox\Quarantine\C\WINDOWS\b122.exe.vir
    2007-06-16 17:13      86056    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S4\wen2.exe.vir
    2007-06-19 01:00      115606    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S2\mwspasrt83122.exe.vir
    2007-06-19 05:38      143    --a------    C:\Qoobox\Quarantine\C\Program Files\Messenger\prokyfsov.html.vir
    2007-06-20 09:50      229888    --a------    C:\Qoobox\Quarantine\C\Program Files\SSTEM~1\m?iexec.exe.vir
    2007-06-20 09:51      111640    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir
    2007-06-20 09:55      10838    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S7\wr620.exe.vir
    2007-06-21 09:35      36352    --a------    C:\Qoobox\Quarantine\C\WINDOWS\poolsv.exe.vir
    2007-06-21 09:39      10828    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\wr-1-0000077.exe.vir
    2007-06-21 09:39      38400    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\svhost.exe.vir
    2007-06-21 09:39      38400    --a------    C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
    2007-06-21 09:40      109574    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\k11u72.exe.vir
    2007-06-21 09:40      186600    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir
    2007-06-21 09:40      72704    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\SKS~1\scanregw.exe.vir
    2007-06-21 09:41      0    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\err.log.vir
    2007-06-21 09:41      34816    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rau001978.exe.vir
    2007-06-21 09:41      65536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir
    2007-06-21 20:22      8424    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cs_cache.ini.vir
    2007-06-21 21:12      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnoljg.dll.vir
    2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\byxvspp.dll.vir
    2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\iifdcca.dll.vir
    2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkjiij.dll.vir
    2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkklihf.dll.vir
    2007-06-21 21:15      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrrppn.dll.vir
    2007-06-21 21:15      930    --a------    C:\Qoobox\Quarantine\C\Temp\iee\tmpZTF.log.vir
    2007-06-21 21:16      20    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode.vir
    2007-06-21 21:16      5    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr.vir
    2007-06-23 10:59      32177    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir
    2007-06-23 16:35      71680    --a------    C:\Qoobox\Quarantine\C\Program Files\FNTS~1\javaw.exe.vir
    2007-06-25 09:00      10828    --a------    C:\Qoobox\Quarantine\C\Program Files\svhost\wr-1-0000077.exe.vir
    2007-06-25 09:00      152576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivern.dll.vir
    2007-06-25 09:00      1591    --a------    C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
    2007-06-25 09:00      2    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wnscpisv32.exe.vir
    2007-06-25 09:00      40960    --a------    C:\Qoobox\Quarantine\C\WINDOWS\retadpu77.exe.vir
    2007-06-25 09:00      97792    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivern.exe.vir
    2007-06-25 09:26      1004    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
    2007-06-25 09:26      1098    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
    2007-06-25 09:26      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
    2007-06-25 09:26      544    --a------    C:\Qoobox\Quarantine\Registry_backups\services_cmdService.reg.cf
    2007-06-25 09:26      832    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
    2007-06-25 09:26      862    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
    2007-06-25 09:26      950    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
    
    
    Folder PATH listing
    Volume serial number is FCB4-CF60
    C:\QOOBOX
    \---Quarantine
        +---C
        |   +---DOCUME~1
        |   |   \---ALLUSE~1
        |   |       \---APPLIC~1
        |   |           \---WinAntiSpyware 2007
        |   |               \---Data
        |   |                       Abbr.vir
        |   |                       ProductCode.vir
        |   |                       
        |   +---Program Files
        |   |   +---Common Files
        |   |   |   |   Yazzle1122OinUninstaller.exe.vir
        |   |   |   |   
        |   |   |   \---WinAntiSpyware 2007
        |   |   |           err.log.vir
        |   |   |           WAS7Mon.exe.vir
        |   |   |           
        |   |   +---FNTS~1
        |   |   |       javaw.exe.vir
        |   |   |       
        |   |   +---Messenger
        |   |   |       prokyfsov.html.vir
        |   |   |       
        |   |   +---Outerinfo
        |   |   |       OiUninstaller.exe.vir
        |   |   |       outerinfo.ico.vir
        |   |   |       Terms.rtf.vir
        |   |   |       
        |   |   +---poolsv
        |   |   |       k11u72.exe.vir
        |   |   |       svhost.exe.vir
        |   |   |       wr-1-0000077.exe.vir
        |   |   |       YazzleBundle-1549.exe.vir
        |   |   |       
        |   |   +---SSTEM~1
        |   |   |       m?iexec.exe.vir
        |   |   |       
        |   |   \---svhost
        |   |           wr-1-0000077.exe.vir
        |   |           
        |   +---Temp
        |   |   +---0b9
        |   |   |       tmpTF.log.vir
        |   |   |       
        |   |   \---iee
        |   |           tmpZTF.log.vir
        |   |           
        |   \---WINDOWS
        |       |   b122.exe.vir
        |       |   b136.exe.vir
        |       |   cs_cache.ini.vir
        |       |   dls0523pmw.exe.vir
        |       |   poolsv.exe.vir
        |       |   rau001978.exe.vir
        |       |   retadpu77.exe.vir
        |       |   svhost.exe.vir
        |       |   wr.txt.vir
        |       |   
        |       \---system32
        |           |   byxvspp.dll.vir
        |           |   drivern.dll.vir
        |           |   drivern.exe.vir
        |           |   iifdcca.dll.vir
        |           |   jkkjiij.dll.vir
        |           |   jkklihf.dll.vir
        |           |   pmnoljg.dll.vir
        |           |   rqrrppn.dll.vir
        |           |   wnscpisv32.exe.vir
        |           |   
        |           +---o02PrEz
        |           |       o02PrEz1065.exe.vir
        |           |       
        |           +---o09PrEz
        |           |       o09PrEz1099.exe.vir
        |           |       
        |           +---S1
        |           |       bk53.exe.vir
        |           |       
        |           +---S2
        |           |       mwspasrt83122.exe.vir
        |           |       
        |           +---S4
        |           |       wen2.exe.vir
        |           |       
        |           +---S7
        |           |       wr620.exe.vir
        |           |       
        |           \---SKS~1
        |                   scanregw.exe.vir
        |                   
        \---Registry_backups
                LEGACY_CMDSERVICE.reg.cf
                LEGACY_CORE.reg.cf
                LEGACY_DOMAINSERVICE.reg.cf
                LEGACY_NETWORK_MONITOR.reg.cf
                LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
                services_cmdService.reg.cf
                services_DomainService.reg.cf

  6. #6
    Emeritus Shaba
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Open HijackThis, click do a system scan only and checkmark these:

    O2 - BHO: (no name) - {08EEC37C-DD2E-4482-9968-6B794F206B1A} - C:\Program Files\Windows Media Player\hopew43855.dll
    O2 - BHO: (no name) - {63196F8F-F73E-8EBD-1A15-F88DBA5181C0} - C:\WINDOWS\system32\daqawhdb.dll
    O2 - BHO: (no name) - {661A6EFE-A418-ACEB-4B11-F98DBF2C82CB} - C:\WINDOWS\system32\zafal.dll (file missing)
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
    O2 - BHO: (no name) - {9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC} - C:\Program Files\Windows Media Player\hopew83122.dll
    O2 - BHO: (no name) - {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF} - C:\WINDOWS\system32\oppoo.dll (file missing)
    O4 - HKCU\..\Run: [Xhol] "C:\Program Files\s?stem\m?iexec.exe"
    O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt ndrv


    Close all windows including browser and press fix checked.

    Reboot.

    Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\system32\daqawhdb.dll
    C:\WINDOWS\system32\3MytCS68.exe
    C:\WINDOWS\system32\dreadavk.exe
    C:\WINDOWS\system32\ggnsifki.exe
    C:\WINDOWS\system32\drivers\FOPN.sys
    C:\WINDOWS\qndddsnA.exe
    C:\WINDOWS\qndddsn.exe
    C:\WINDOWS\system32\pifpaf.pif
    C:\WINDOWS\monterreyn_ingen.exe
    C:\WINDOWS\system32\monterreyn_ingen.exe
    C:\Program Files\Common Files\winctl.dll
    C:\WINDOWS\system32\monterreym_ingen.exe
    C:\syssoit.exe
    C:\WINDOWS\xmlhelper2.dll
    C:\Program Files\Windows Media Player\hopew43855.dll
    C:\Program Files\Windows Media Player\hopew83122.dll

    Folder::
    C:\WINDOWS\zfff
    C:\Program Files\Common Files\zfff
    C:\WINDOWS\VE1QIFdvcmxkd2lkZQ
    C:\WINDOWS\system32\msvcr61

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Save this as ComboFix-Do.txt

    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
    Last edited by Shaba; 2007-06-26 at 16:05.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Jun 2007
    Posts
    29

    Default updated logs

    "JZeinieh" - 2007-06-26 10:12:36 - ComboFix 07-06-26.8 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\jzeinieh\Desktop\ComboFix-Do.txt

    /wow section not completed

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\winctl.dll
    C:\Program Files\Common Files\zfff
    C:\Program Files\Common Files\zfff\zfffa.lck
    C:\Program Files\Common Files\zfff\zfffd\class-barrel
    C:\Program Files\Common Files\zfff\zfffd\vocabulary
    C:\Program Files\Common Files\zfff\zfffh
    C:\Program Files\Common Files\zfff\zfffl.lck
    C:\Program Files\Common Files\zfff\zfffm.lck
    C:\Program Files\Windows Media Player\hopew43855.dll
    C:\Program Files\Windows Media Player\hopew83122.dll
    C:\syssoit.exe
    C:\WINDOWS\qndddsn.exe
    C:\WINDOWS\qndddsnA.exe
    C:\WINDOWS\system32\daqawhdb.dll
    C:\WINDOWS\system32\msvcr61
    C:\WINDOWS\system32\msvcr61\cfg.ini
    C:\WINDOWS\system32\msvcr61\in
    C:\WINDOWS\system32\msvcr61\perflibs__
    C:\WINDOWS\system32\msvcr61\red
    C:\WINDOWS\system32\pifpaf.pif
    C:\WINDOWS\VE1QIFdvcmxkd2lkZQ
    C:\WINDOWS\VE1QIFdvcmxkd2lkZQ\pHYkKIxSwAU4xZ54tk.vbs
    C:\WINDOWS\zfff
    C:\WINDOWS\zfff\wu
    C:\WINDOWS\zfff\zfff.dat


    ((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))




    HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:35, on 2007-06-26
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\ComboFix\catchme.cfexe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/...Bound_mail.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/..._HI_Client.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172111006824
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
    O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

  8. #8
    Emeritus Shaba
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    ComboFix log isn't complete. Please re-send it.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Jun 2007
    Posts
    29

    Default complete log

    Sorry about that.

    "JZeinieh" - 2007-06-26 13:04:48 - ComboFix 07-06-26.8 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\jzeinieh\Desktop\ComboFix-Do.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\winctl.dll
    C:\WINDOWS\system32\msvcr61
    C:\WINDOWS\system32\msvcr61\cfg.ini
    C:\WINDOWS\system32\msvcr61\in
    C:\WINDOWS\system32\msvcr61\l.dat
    C:\WINDOWS\system32\msvcr61\perflibs__
    C:\WINDOWS\system32\msvcr61\red


    ((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


    2007-06-26 10:37 23,552 --a------ C:\op.dll
    2007-06-25 09:56 1,156 --a------ C:\WINDOWS\mozver.dat
    2007-06-25 09:23 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-23 19:50 <DIR> d-------- C:\WINDOWS\pss
    2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yapta
    2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-06-22 13:22 <DIR> d-------- C:\VundoFix Backups
    2007-06-22 13:18 107,520 --a------ C:\VundoFix.exe
    2007-06-21 22:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-06-21 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-21 19:53 <DIR> d-------- C:\hjt
    2007-06-21 09:40 89,088 --a------ C:\WINDOWS\system32\atl71.dll
    2007-06-21 09:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-06-21 09:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2007-06-21 09:40 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-06-21 09:40 <DIR> d-------- C:\Temp
    2007-06-13 11:43 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-05-27 18:41 <DIR> d-------- C:\Program Files\Yapta
    2007-05-27 18:41 <DIR> d-------- C:\DOCUME~1\jzeinieh\APPLIC~1\Yapta
    2007-05-26 17:11 262,144 --ah----- C:\DOCUME~1\TEMP\NTUSER.DAT
    2007-05-26 17:11 <DIR> d--h----- C:\DOCUME~1\TEMP\WLANProfiles


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-25 14:26:13 -------- d-----w C:\Program Files\Messenger
    2007-05-23 19:08:04 -------- d-----w C:\Program Files\Google
    2007-05-09 03:23:35 -------- d-----w C:\DOCUME~1\jzeinieh\APPLIC~1\SecondLife
    2007-05-09 03:23:22 -------- d-----w C:\Program Files\SecondLife
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-02 19:10:45 199,751 ----a-w C:\WINDOWS\system32\atasnt40.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-22 12:05]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-05-22 12:05]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Visual Studio .NET Components"="msvcr61.exe" [2007-06-26 13:06 C:\WINDOWS\system32\.]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:32]
    "WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 14:49]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 09:00]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
    "RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\faxctrl.exe" [2002-07-24 18:57]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
    "Aim6"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 12:05]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWindowsUpdate"=1 (0x1)
    "NoAutoUpdate"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "{009541A0-3B00-1F1C-00F3-040224009C02}"="C:\Program Files\Common Files\winctl.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1219070818-4200922009-2982726761-329357\Scripts\Logon\0\0]
    "Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\0\0]
    "Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\1\0]
    "Script"=\\prod.corp.ad\NETLOGON\Logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12


    Contents of the 'Scheduled Tasks' folder
    2007-06-26 14:01:34 C:\WINDOWS\tasks\At10.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-26 13:06:39
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile, ZwQuerySystemInformation

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\msvcr61.dll
    C:\WINDOWS\system32\msvcr61.exe

    scan completed successfully
    hidden files: 2

    **************************************************************************

    Completion time: 2007-06-26 13:07:15
    C:\ComboFix-quarantined-files.txt ... 2007-06-26 13:07
    C:\ComboFix2.txt ... 2007-06-26 09:45
    C:\ComboFix3.txt ... 2007-06-25 14:59

    --- E O F ---

  10. #10
    Emeritus Shaba
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Have you installed this by yourself?

    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

    Open HijackThis, click do a system scan only and checkmark this:

    O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll (file missing)

    Close all windows including browser and press fix checked.

    Reboot.

    * Download GMER from here:
    Unzip it and start GMER.exe
    Click the rootkit-tab and click scan.

    Once done, click the Copy button.
    This will copy the results to clipboard.
    Paste the results in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
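    The triage Shaba applies to the HijackThis log above (the O21 SSODL entry marked "(file missing)", the O23 service with an unknown owner, and earlier the Run entry launching a bare msvcr61.exe) can be written down as a repeatable check. The script below is an added example for this thread, not code from HijackThis, ComboFix or this forum; the sample lines are constructed from the log posted earlier, the rule names are this example's own, and it assumes that HijackThis prints characters it cannot display as "?".

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: eight entries copied from the HijackThis log posted
# earlier in this thread (two clean ones included as controls).
SAMPLE_LOG = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF} - C:\WINDOWS\system32\oppoo.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Xhol] "C:\Program Files\s?stem\m?iexec.exe"
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)"""


@dataclass
class Finding:
    line_no: int   # 1-based line in the log text
    kind: str      # HijackThis section prefix, e.g. "O4"
    rule: str      # heuristic that fired (names are this example's own)
    entry: str     # the log line it fired on


# HijackThis entries look like "O4 - <body>", "R0 - <body>", ...
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")


def run_command(body: str) -> str:
    """Executable launched by an O4 Run entry, e.g.
    'HKLM\\..\\Run: [Name] "C:\\dir\\x.exe" /flag' -> 'C:\\dir\\x.exe'.
    Returns "" for O4 lines without a [Name] block (Global Startup items)."""
    if "] " not in body:
        return ""
    cmd = body.split("] ", 1)[1].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics used in this thread to every recognised entry."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        rules = []
        # Entry points at a file that no longer exists: an orphaned
        # BHO / SSODL / service entry left behind after removal.
        if body.endswith("(file missing)"):
            rules.append("file-missing")
        # Service binary without publisher information: ask the user
        # whether they installed it themselves (the VNC question above).
        if kind == "O23" and " - Unknown owner - " in body:
            rules.append("unknown-owner")
        # Unnamed BHOs deserve a look, though legitimate ones exist
        # (Spybot's SDHelper.dll also shows as "(no name)").
        if kind == "O2" and body.startswith("BHO: (no name)"):
            rules.append("no-name-bho")
        if kind == "O4":
            exe = run_command(body)
            # Bare file name: no fixed location, so the log alone cannot say
            # where it lives (the hidden msvcr61.exe above).
            if exe and "\\" not in exe and ":" not in exe:
                rules.append("bare-filename")
            # Assumption: HijackThis prints characters it cannot display as
            # '?', so s?stem\m?iexec.exe is a look-alike, not system\msiexec.exe.
            if "?" in exe:
                rules.append("unprintable-path")
        findings.extend(Finding(n, kind, r, line) for r in rules)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.kind:<4} {f.rule:<17} {f.entry[:70]}")
```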
