PDA

View Full Version : Does not want to seem to go....



shiftykilla
2007-05-17, 15:42
Well I have a whole bunch of DLL files running that are browser extensions (I think) and when ever i use the remove vundo tool (cos a lot of the names matched up to those associated with it) it just keeps coming back.

Here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:38:27 PM, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\xampp\filezillaftp\filezillaserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\program files\valve\steam2\steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\hijack\HJT.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2811FD73-E53C-482D-856C-7DDE3F396D79} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {42E5C12F-7E36-451A-85FF-5ACD6AA2AA71} - C:\WINDOWS\system32\uvdpsamg.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\kqpxnjhh.dll
O2 - BHO: (no name) - {6DB3A333-65F3-6971-AB48-66E33EE0FCCA} - C:\WINDOWS\system32\afyeveh.dll
O2 - BHO: (no name) - {865F1865-DCF2-4337-9CD4-D9BC57725654} - C:\WINDOWS\system32\uvdpsamg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A9405EA9-D07E-4186-9A23-8096957D8D9A} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {BD9BDFCB-8784-496A-A20F-B4A941FA1163} - C:\WINDOWS\system32\ddcya.dll
O2 - BHO: (no name) - {E499607A-AF7C-41E9-828E-3A6B6F2E985B} - C:\WINDOWS\system32\cbxvtss.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\nxjemlki.dll",realset
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam2\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - http://rockstar.messenger.msn.com/rockstar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbxvtss - C:\WINDOWS\SYSTEM32\cbxvtss.dll
O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\MODRV.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

shiftykilla
2007-05-17, 15:43
And my recent Vundo Log


VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 6:51:06 PM 14/05/2007

Listing files found while scanning....


Beginning removal...

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:31:20 PM 14/05/2007

Listing files found while scanning....


VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 8:07:52 PM 14/05/2007

Listing files found while scanning....


VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:33:56 PM 15/05/2007

Listing files found while scanning....


VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 9:00:59 PM 15/05/2007

Listing files found while scanning....


Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmkhf.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:18:50 AM 16/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\MODRV.DLL
C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\yccdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\yccdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:42:25 AM 16/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\MODRV.DLL

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 4:41:13 PM 16/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\MODRV.DLL

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 6:24:08 PM 16/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\MODRV.DLL

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 11:15:10 PM 16/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\MODRV.DLL
C:\WINDOWS\system32\yccdd.bak2
C:\WINDOWS\system32\yccdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.bak2
C:\WINDOWS\system32\yccdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:37:22 AM 17/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\MODRV.DLL

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 10:01:57 PM 17/05/2007

Listing files found while scanning....


VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 10:02:28 PM 17/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\MODRV.DLL

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!

Performing Repairs to the registry.
Done!


Also AVG keeps coming up with

Trojan horse Download.Generic3.QFH (more commen)

and

Trojan horse Collected.11.B


Don't know if they have anything to do with it but help would be nice :)

Shaba
2007-05-18, 10:34
Hi shiftykilla

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/
ComboFix.exe)
and save it to your desktop.

2. Go to start -> run.
type this in box and click ok

"%userprofile%\desktop\ComboFix.exe" /v uvdpsamg kqpxnjhh afyeveh ddcya cbxvtss nxjemlk winjyg32

3. When finished, it shall produce a log for you. Post that log in your next reply

4. Reboot

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report

shiftykilla
2007-05-18, 15:53
Pretty sure that did it, had to add a couple of more files to the instruction you gave me (because the appeared) but as you requested here is the log:


"Siza_2" - 2007-05-18 22:32:24 Service Pack 2
ComboFix 07-05.17.6.V - Running from: "C:\Documents and Settings\Siza_2\Desktop\"
Command switches used :: "/v uvdpsamg kqpxnjhh afyeveh ddcya cbxvtss nxjemlk eytidhxt winjyg32"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\eytidhxt.dll
C:\WINDOWS\system32\winjyg32.dll
C:\WINDOWS\system32\ehgciecs.dll
C:\WINDOWS\system32\nxjemlki.dll
C:\WINDOWS\system32\oeapvdfn.dll
C:\WINDOWS\system32\qfxtjrna.dll
C:\WINDOWS\system32\sfyprooc.dll
C:\WINDOWS\system32\vsfvepvx.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\cbxvuts.dll
C:\WINDOWS\system32\wvutttt.dll
C:\WINDOWS\system32\yayxutq.dll
C:\WINDOWS\system32\aycdd.bak1
C:\WINDOWS\system32\aycdd.bak2
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\iklmejxn.ini
C:\WINDOWS\system32\nfdvpaeo.ini
C:\WINDOWS\system32\coorpyfs.ini
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\cbxvtss.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\inetget2\Installeur.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\b122.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Siza_2
C:\qoobox\purity\C\DOCUME~1\Siza_2\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Siza_2\MYDOCU~1\DOBE~1
C:\qoobox\purity\C\DOCUME~1\Siza_2\MYDOCU~1\DOBE~1\t?skmgr.exe
C:\qoobox\purity\C\Program Files\Common Files\FNTS~1
C:\qoobox\purity\C\Program Files\Common Files\MCROSO~1
C:\qoobox\purity\C\WINDOWS\APPATC~1
C:\qoobox\purity\C\WINDOWS\APPATC~1\A?pPatch
C:\qoobox\purity\C\WINDOWS\APPATC~1\logonui.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


2007-05-16 20:47 2 --a------ C:\WINDOWS\SYSTEM32\wnstsisv32.exe
2007-05-15 20:57 2,142 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-05-15 20:56 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-05-15 20:56 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-05-15 20:56 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-05-14 22:54 698,721 ---hs---- C:\WINDOWS\SYSTEM32\fhkmp.bak2
2007-05-14 19:53 <DIR> d-------- C:\DOCUME~1\Siza_2\APPLIC~1\Symantec
2007-05-14 18:51 705,188 ---hs---- C:\WINDOWS\SYSTEM32\fhkmp.ini2
2007-05-14 18:51 <DIR> d-------- C:\VundoFix Backups
2007-05-14 18:36 <DIR> d-------- C:\Program Files\Symantec
2007-05-14 18:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-14 18:35 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-14 07:56 <DIR> d-------- C:\hijack
2007-05-13 22:54 694,196 --ahs---- C:\WINDOWS\SYSTEM32\fhkmp.bak1
2007-05-13 22:46 <DIR> d-------- C:\WINDOWS\çasks
2007-05-13 22:46 <DIR> d-------- C:\Program Files\Common Files\àdobe
2007-05-13 21:04 <DIR> d-------- C:\Program Files\AltoMP3 Gold
2007-05-13 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-12 22:35 <DIR> d-------- C:\Program Files\Railroad Tycoon 3
2007-05-05 14:44 <DIR> d-------- C:\Program Files\SQLyog Community
2007-05-05 14:44 <DIR> d-------- C:\DOCUME~1\Siza_2\APPLIC~1\SQLyog
2007-05-05 14:22 <DIR> d-------- C:\MaNGOS
2007-05-05 13:48 <DIR> d-------- C:\xampp
2007-05-01 15:34 <DIR> d-------- C:\Program Files\FLAC
2007-04-29 11:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-29 11:33 <DIR> d-------- C:\Program Files\Bonjour
2007-04-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-18 12:39:46 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Skype
2007-05-18 12:27:00 -------- d-----w C:\Program Files\Security Task Manager
2007-05-18 04:07:10 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Xfire
2007-05-18 04:06:52 -------- d-s---w C:\Program Files\Xfire
2007-05-13 12:48:20 -------- d-----w C:\Program Files\Common Files\?dobe
2007-05-12 12:42:57 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-08 11:08:21 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\BitTorrent
2007-05-05 09:34:09 -------- d-----w C:\Program Files\World of Warcraft
2007-04-29 11:50:16 -------- d-----w C:\Program Files\Guitar Pro 5
2007-04-12 14:32:50 -------- d-----w C:\Program Files\Guild Wars
2007-04-12 12:50:35 -------- d-----w C:\Program Files\SpeedFan
2007-04-05 12:53:15 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Screenshot Sender
2007-03-29 10:22:22 140,520 ----a-w C:\WINDOWS\system32\CModule.dll
2007-03-27 08:25:15 -------- d-----w C:\Program Files\BitTorrent
2007-03-22 23:34:50 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-03-21 10:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-21 10:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-21 10:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-20 11:13:37 -------- d-----r C:\DOCUME~1\Siza_2\APPLIC~1\Brother
2007-03-20 11:01:14 50 ----a-w C:\WINDOWS\system32\bridf06a.dat
2007-03-20 11:00:53 -------- d-----w C:\Program Files\Brother
2007-03-20 10:59:28 -------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-03-20 10:59:27 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-20 10:59:25 -------- d-----w C:\Program Files\ScanSoft
2007-03-18 09:18:35 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-03-18 03:34:30 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Austhink Software
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 05:53:04 -------- d-----w C:\Program Files\Turbine
2007-03-05 05:52:53 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\GetRightToGo
2007-02-13 06:04:22 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{42E5C12F-7E36-451A-85FF-5ACD6AA2AA71}=C:\WINDOWS\system32\uvdpsamg.dll []
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 10:46]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 13:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 13:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 13:45]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 06:46]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 17:02]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 11:18]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-12 13:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam2\steam.exe" [2007-01-09 10:51]
"MessengerPlus3"="C:\Program Files\Messenger Plus! 3\MsgPlus.exe" [2006-04-22 09:43]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 16:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-02 09:11]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\PROGRA~1\Qualcomm\Eudora\EuShlExt.dll" [2002-04-29 15:18]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetCache]
C:\WINDOWS\system32\MODRV.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrge32]
winrge32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Siza_2^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Siza_2\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Siza_2^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Siza_2\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admin Love]
C:\DOCUME~1\Jessica\APPLIC~1\Freeford\defy clock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\system32\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
"C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
c:\\defender25.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\grey sixth bore new]
C:\Documents and Settings\All Users\Application Data\Flaw bib grey sixth\Find Info.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
c:\\keyboard25.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\navapp]
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
c:\\newname25.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PROXYHECKWAYCREATIVE]
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\1inter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
C:\Program Files\Registry Mechanic\RegMech.exe /QS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"C:\Program Files\Shareaza\Shareaza.exe" -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\valve\steam2\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trans Find Comp Joy]
C:\Documents and Settings\All Users\Application Data\Soap nurb trans find\Second Nurb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
C:\Program Files\webHancer\Programs\whsurvey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
rundll32.exe "C:\WINDOWS\system32\oeapvdfn.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsUpdate]
rundll32.exe "C:\WINDOWS\system32\sfyprooc.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zanu]
c:\program files\zangoclient\zanu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Iap"=dword:00000002
"Bonjour Service"=dword:00000002
"XAMPP"=dword:00000002
"FLEXnet Licensing Service"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
Shell\AutoRun\command G:\_AUTORUN\AUTORUN.EXE

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
Shell\AutoRun\command H:\_AUTORUN\AUTORUN.EXE


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\9032CB7C90654590.job
C:\WINDOWS\tasks\A08F2A1E91E0A57A.job
C:\WINDOWS\tasks\A2C1C67290E242E2.job
C:\WINDOWS\tasks\A369FE34918A7B28.job
C:\WINDOWS\tasks\A4E6B8079181330F.job
C:\WINDOWS\tasks\AA270E7C91808344.job
C:\WINDOWS\tasks\AAE124B891EEDF44.job
C:\WINDOWS\tasks\AC76631B90661D3F.job
C:\WINDOWS\tasks\AD31A49E914A214E.job
C:\WINDOWS\tasks\AE6C933A9093079E.job
C:\WINDOWS\tasks\AEC8F3AC91C76AC0.job
C:\WINDOWS\tasks\AFBBFEBB9180703F.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\B30261CE900E113A.job
C:\WINDOWS\tasks\something.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-18 22:44:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

Completion time: 2007-05-18 22:49:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-18 22:49


--- E O F ---

shiftykilla
2007-05-18, 15:54
and the new HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:53:37 PM, on 18/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\xampp\filezillaftp\filezillaserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\valve\steam2\steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijack\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42E5C12F-7E36-451A-85FF-5ACD6AA2AA71} - C:\WINDOWS\system32\uvdpsamg.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam2\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - http://rockstar.messenger.msn.com/rockstar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\MODRV.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Shaba
2007-05-18, 19:02
Hi

Uninstall via add/remove programs if present:

Zango or similar
webHancer or similar

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {42E5C12F-7E36-451A-85FF-5ACD6AA2AA71} - C:\WINDOWS\system32\uvdpsamg.dll (file missing)
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\MODRV.DLL (file missing)
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)

Close all windows including browser and press fix checked.

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admin Love]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\grey sixth bore new]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PROXYHECKWAYCREATIVE]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trans Find Comp Joy]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsUpdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zanu]

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Make you hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Boot in safe mode -> http://www.pchell.com/support/safemode.shtml

Delete these if found:

C:\WINDOWS\SYSTEM32\wnstsisv32.exe
C:\WINDOWS\SYSTEM32\fhkmp.bak2
C:\WINDOWS\SYSTEM32\fhkmp.ini2
C:\WINDOWS\SYSTEM32\fhkmp.bak1
C:\WINDOWS\çasks
C:\Program Files\Common Files\àdobe
C:\DOCUME~1\Jessica\APPLIC~1\Freeford\
c:\defender25.exe
C:\Documents and Settings\All Users\Application Data\Flaw bib grey sixth\
c:\keyboard25.exe
c:\newname25.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\smanager.7.exe
C:\Documents and Settings\All Users\Application Data\Soap nurb trans find\
C:\Program Files\webHancer
c:\program files\zangoclient

Empty Recycle Bin

Reboot

Please Download NoLop to your desktop from one of the links below...
Link 1 (http://www.spywareedge.net/nolop/NoLop.exe)
Link 2 (http://www.spywaretimes.com/Tools/Download/Anti-malwareTools/NoLop!/)
Link 3 (http://www.thespykiller.co.uk/index.php?action=tpmod;dl=get16)
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program. --

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report
- nolop log

shiftykilla
2007-05-20, 04:06
new combo fix

"Siza_2" - 2007-05-20 10:39:43 Service Pack 2
ComboFix 07-05.17.6.V - Running from: "C:\Documents and Settings\Siza_2\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Siza_2
C:\qoobox\purity\C\DOCUME~1\Siza_2\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Siza_2\MYDOCU~1\DOBE~1
C:\qoobox\purity\C\DOCUME~1\Siza_2\MYDOCU~1\DOBE~1\t?skmgr.exe
C:\qoobox\purity\C\Program Files\Common Files\FNTS~1
C:\qoobox\purity\C\Program Files\Common Files\MCROSO~1
C:\qoobox\purity\C\WINDOWS\APPATC~1
C:\qoobox\purity\C\WINDOWS\APPATC~1\A?pPatch
C:\qoobox\purity\C\WINDOWS\APPATC~1\logonui.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))


2007-05-20 10:28 <DIR> d-------- C:\NoLopBackups
2007-05-18 22:49 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-15 20:57 2,142 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-05-15 20:56 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-05-15 20:56 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-05-15 20:56 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-05-14 19:53 <DIR> d-------- C:\DOCUME~1\Siza_2\APPLIC~1\Symantec
2007-05-14 18:51 <DIR> d-------- C:\VundoFix Backups
2007-05-14 18:36 <DIR> d-------- C:\Program Files\Symantec
2007-05-14 18:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-14 18:35 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-14 07:56 <DIR> d-------- C:\hijack
2007-05-13 22:46 <DIR> d-------- C:\WINDOWS\çasks
2007-05-13 22:46 <DIR> d-------- C:\Program Files\Common Files\àdobe
2007-05-13 21:04 <DIR> d-------- C:\Program Files\AltoMP3 Gold
2007-05-13 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-12 22:35 <DIR> d-------- C:\Program Files\Railroad Tycoon 3
2007-05-05 14:44 <DIR> d-------- C:\Program Files\SQLyog Community
2007-05-05 14:44 <DIR> d-------- C:\DOCUME~1\Siza_2\APPLIC~1\SQLyog
2007-05-05 14:22 <DIR> d-------- C:\MaNGOS
2007-05-05 13:48 <DIR> d-------- C:\xampp
2007-05-01 15:34 <DIR> d-------- C:\Program Files\FLAC
2007-04-29 11:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-29 11:33 <DIR> d-------- C:\Program Files\Bonjour
2007-04-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-20 00:33:02 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Skype
2007-05-20 00:32:03 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Xfire
2007-05-20 00:31:46 -------- d-s---w C:\Program Files\Xfire
2007-05-19 22:45:05 -------- d-----w C:\Program Files\Security Task Manager
2007-05-13 12:48:20 -------- d-----w C:\Program Files\Common Files\?dobe
2007-05-12 12:42:57 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-08 11:08:21 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\BitTorrent
2007-05-05 09:34:09 -------- d-----w C:\Program Files\World of Warcraft
2007-04-29 11:50:16 -------- d-----w C:\Program Files\Guitar Pro 5
2007-04-12 14:32:50 -------- d-----w C:\Program Files\Guild Wars
2007-04-12 12:50:35 -------- d-----w C:\Program Files\SpeedFan
2007-04-05 12:53:15 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Screenshot Sender
2007-03-29 10:22:22 140,520 ----a-w C:\WINDOWS\system32\CModule.dll
2007-03-27 08:25:15 -------- d-----w C:\Program Files\BitTorrent
2007-03-22 23:34:50 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-03-21 10:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-21 10:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-21 10:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-20 11:13:37 -------- d-----r C:\DOCUME~1\Siza_2\APPLIC~1\Brother
2007-03-20 11:01:14 50 ----a-w C:\WINDOWS\system32\bridf06a.dat
2007-03-20 11:00:53 -------- d-----w C:\Program Files\Brother
2007-03-20 10:59:28 -------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-03-20 10:59:27 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-20 10:59:25 -------- d-----w C:\Program Files\ScanSoft
2007-03-18 09:18:35 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-03-18 03:34:30 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\Austhink Software
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 05:53:04 -------- d-----w C:\Program Files\Turbine
2007-03-05 05:52:53 -------- d-----w C:\DOCUME~1\Siza_2\APPLIC~1\GetRightToGo
2007-02-13 06:04:22 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 10:46]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 13:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 13:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 13:45]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 06:46]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 17:02]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 11:18]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-12 13:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam2\steam.exe" [2007-01-09 10:51]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 16:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-02 09:11]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\PROGRA~1\Qualcomm\Eudora\EuShlExt.dll" [2002-04-29 15:18]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Siza_2^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Siza_2\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Siza_2^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Siza_2\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\system32\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
"C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\navapp]
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
C:\Program Files\Registry Mechanic\RegMech.exe /QS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"C:\Program Files\Shareaza\Shareaza.exe" -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\valve\steam2\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Iap"=dword:00000002
"Bonjour Service"=dword:00000002
"XAMPP"=dword:00000002
"FLEXnet Licensing Service"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
Shell\AutoRun\command G:\_AUTORUN\AUTORUN.EXE

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
Shell\AutoRun\command H:\_AUTORUN\AUTORUN.EXE


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\something.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-20 10:45:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

Completion time: 2007-05-20 10:46:42
C:\ComboFix-quarantined-files.txt ... 2007-05-20 10:46
C:\ComboFix2.txt ... 2007-05-18 22:49


--- E O F ---

shiftykilla
2007-05-20, 04:07
new HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:06:48 AM, on 20/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\xampp\filezillaftp\filezillaserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\valve\steam2\steam.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\hijack\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam2\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - http://rockstar.messenger.msn.com/rockstar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

shiftykilla
2007-05-20, 04:08
And the NoLop log

NoLop! Log by Skate_Punk_21

Fix running from: C:\Program Files\Mozilla Firefox
[20/05/2007]
[10:24:47 AM]

---Infection Files Found/Removed---
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\Bait balm.exe
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\live byte.exe
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\locks barb.exe
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\Mess ping.exe
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\SCR BALM.exe
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\send pop.exe
C:\Documents and Settings\All Users\Application Data\Balm Junk Proxy Heck\way inter.exe
C:\WINDOWS\tasks\9032CB7C90654590.job
C:\WINDOWS\tasks\A08F2A1E91E0A57A.job
C:\WINDOWS\tasks\A2C1C67290E242E2.job
C:\WINDOWS\tasks\A369FE34918A7B28.job
C:\WINDOWS\tasks\A4E6B8079181330F.job
C:\WINDOWS\tasks\AA270E7C91808344.job
C:\WINDOWS\tasks\AAE124B891EEDF44.job
C:\WINDOWS\tasks\AC76631B90661D3F.job
C:\WINDOWS\tasks\AD31A49E914A214E.job
C:\WINDOWS\tasks\AE6C933A9093079E.job
C:\WINDOWS\tasks\AEC8F3AC91C76AC0.job
C:\WINDOWS\tasks\AFBBFEBB9180703F.job
C:\WINDOWS\tasks\B30261CE900E113A.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Freeford -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Broderbund Software
C:\Documents and Settings\All Users\Application Data\Brother
C:\Documents and Settings\All Users\Application Data\Flexnet
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Macromedia
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Network Associates
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Roboform
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Scansoft
C:\Documents and Settings\All Users\Application Data\Sectaskman
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Chris\Application Data\Adobe
C:\Documents and Settings\Chris\Application Data\Adobeum
C:\Documents and Settings\Chris\Application Data\Apple Computer
C:\Documents and Settings\Chris\Application Data\Austhink Software
C:\Documents and Settings\Chris\Application Data\Avant Browser
C:\Documents and Settings\Chris\Application Data\Avg7
C:\Documents and Settings\Chris\Application Data\Canon
C:\Documents and Settings\Chris\Application Data\Gen_ff V1.07
C:\Documents and Settings\Chris\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Chris\Application Data\Identities
C:\Documents and Settings\Chris\Application Data\Lavasoft
C:\Documents and Settings\Chris\Application Data\Macromedia
C:\Documents and Settings\Chris\Application Data\Microsoft
C:\Documents and Settings\Chris\Application Data\Mozilla
C:\Documents and Settings\Chris\Application Data\Panasonic
C:\Documents and Settings\Chris\Application Data\Pc-fax Tx
C:\Documents and Settings\Chris\Application Data\Real
C:\Documents and Settings\Chris\Application Data\Sun
C:\Documents and Settings\Chris\Application Data\Talkback
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Guest\Application Data\Microsoft
C:\Documents and Settings\Jessica\Application Data\Adobe
C:\Documents and Settings\Jessica\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Jessica\Application Data\Ahead
C:\Documents and Settings\Jessica\Application Data\Apple Computer
C:\Documents and Settings\Jessica\Application Data\Avant Browser
C:\Documents and Settings\Jessica\Application Data\Avg7
C:\Documents and Settings\Jessica\Application Data\Canon -- EMPTY Directory
C:\Documents and Settings\Jessica\Application Data\Cyberlink
C:\Documents and Settings\Jessica\Application Data\Gen_ff V1.03a
C:\Documents and Settings\Jessica\Application Data\Gen_ff V1.05
C:\Documents and Settings\Jessica\Application Data\Gen_ff V1.07
C:\Documents and Settings\Jessica\Application Data\Google
C:\Documents and Settings\Jessica\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Jessica\Application Data\Identities
C:\Documents and Settings\Jessica\Application Data\Lavasoft
C:\Documents and Settings\Jessica\Application Data\Macromedia
C:\Documents and Settings\Jessica\Application Data\Microsoft
C:\Documents and Settings\Jessica\Application Data\Mozilla
C:\Documents and Settings\Jessica\Application Data\Rdr Site -- EMPTY Directory
C:\Documents and Settings\Jessica\Application Data\Real
C:\Documents and Settings\Jessica\Application Data\Roxio
C:\Documents and Settings\Jessica\Application Data\Skype
C:\Documents and Settings\Jessica\Application Data\Sun
C:\Documents and Settings\Jessica\Application Data\Talkback
C:\Documents and Settings\Localservice\Application Data\Avg7
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Phodgson\Application Data\Adobe
C:\Documents and Settings\Phodgson\Application Data\Adobeum
C:\Documents and Settings\Phodgson\Application Data\Ahead
C:\Documents and Settings\Phodgson\Application Data\Apple Computer
C:\Documents and Settings\Phodgson\Application Data\Avant Browser
C:\Documents and Settings\Phodgson\Application Data\Avg7
C:\Documents and Settings\Phodgson\Application Data\Cyberlink
C:\Documents and Settings\Phodgson\Application Data\Freeford
C:\Documents and Settings\Phodgson\Application Data\Gen_ff V1.03a
C:\Documents and Settings\Phodgson\Application Data\Gen_ff V1.07
C:\Documents and Settings\Phodgson\Application Data\Google
C:\Documents and Settings\Phodgson\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Phodgson\Application Data\Identities
C:\Documents and Settings\Phodgson\Application Data\Leadertech
C:\Documents and Settings\Phodgson\Application Data\Macromedia
C:\Documents and Settings\Phodgson\Application Data\Microsoft
C:\Documents and Settings\Phodgson\Application Data\Mozilla
C:\Documents and Settings\Phodgson\Application Data\Msn6 -- EMPTY Directory
C:\Documents and Settings\Phodgson\Application Data\Real
C:\Documents and Settings\Phodgson\Application Data\Skype
C:\Documents and Settings\Phodgson\Application Data\Sun
C:\Documents and Settings\Phodgson\Application Data\Talkback
C:\Documents and Settings\Siza_2\Application Data\.abc
C:\Documents and Settings\Siza_2\Application Data\.mudmagic
C:\Documents and Settings\Siza_2\Application Data\Adobe
C:\Documents and Settings\Siza_2\Application Data\Adobeum
C:\Documents and Settings\Siza_2\Application Data\Ahead
C:\Documents and Settings\Siza_2\Application Data\Alien Skin
C:\Documents and Settings\Siza_2\Application Data\Apple Computer
C:\Documents and Settings\Siza_2\Application Data\Atari
C:\Documents and Settings\Siza_2\Application Data\Austhink Software
C:\Documents and Settings\Siza_2\Application Data\Avant Browser
C:\Documents and Settings\Siza_2\Application Data\Avg7
C:\Documents and Settings\Siza_2\Application Data\Bittorrent
C:\Documents and Settings\Siza_2\Application Data\Brother
C:\Documents and Settings\Siza_2\Application Data\Canon
C:\Documents and Settings\Siza_2\Application Data\Cyberlink
C:\Documents and Settings\Siza_2\Application Data\Desktop Sidebar
C:\Documents and Settings\Siza_2\Application Data\Eltima Software
C:\Documents and Settings\Siza_2\Application Data\Free Download Manager
C:\Documents and Settings\Siza_2\Application Data\Gen_ff V1.03a
C:\Documents and Settings\Siza_2\Application Data\Gen_ff V1.05
C:\Documents and Settings\Siza_2\Application Data\Gen_ff V1.07
C:\Documents and Settings\Siza_2\Application Data\Getrighttogo
C:\Documents and Settings\Siza_2\Application Data\Globalscape
C:\Documents and Settings\Siza_2\Application Data\Google
C:\Documents and Settings\Siza_2\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Siza_2\Application Data\Identities
C:\Documents and Settings\Siza_2\Application Data\Ign_dlm
C:\Documents and Settings\Siza_2\Application Data\Lavasoft
C:\Documents and Settings\Siza_2\Application Data\Leadertech
C:\Documents and Settings\Siza_2\Application Data\Macromedia
C:\Documents and Settings\Siza_2\Application Data\Microsoft
C:\Documents and Settings\Siza_2\Application Data\Microsoft Games
C:\Documents and Settings\Siza_2\Application Data\Mozilla
C:\Documents and Settings\Siza_2\Application Data\Msn6
C:\Documents and Settings\Siza_2\Application Data\Opera
C:\Documents and Settings\Siza_2\Application Data\Panasonic
C:\Documents and Settings\Siza_2\Application Data\Pe Explorer
C:\Documents and Settings\Siza_2\Application Data\Real
C:\Documents and Settings\Siza_2\Application Data\Roxio
C:\Documents and Settings\Siza_2\Application Data\Screenshot Sender
C:\Documents and Settings\Siza_2\Application Data\Skype
C:\Documents and Settings\Siza_2\Application Data\Smartftp
C:\Documents and Settings\Siza_2\Application Data\Sqlyog
C:\Documents and Settings\Siza_2\Application Data\Sun
C:\Documents and Settings\Siza_2\Application Data\Symantec
C:\Documents and Settings\Siza_2\Application Data\Talkback
C:\Documents and Settings\Siza_2\Application Data\Teamspeak2
C:\Documents and Settings\Siza_2\Application Data\Ventrilo
C:\Documents and Settings\Siza_2\Application Data\Xfire
C:\Documents and Settings\Siza_2\Application Data\Xfire Plus

I think it did it, if you can spot anything else out of those logs please tell me :D

Shaba
2007-05-20, 12:25
Hi

Yes, still something left.

Copy text below to Notepad and save it as delpurity.bat (save it as all files, *.*)

@ECHO OFF
attrib -r -h C:\WINDOWS\çasks\*.*
del /a /f /q C:\WINDOWS\çasks\*.*
RD /s /q "C:\WINDOWS\çasks"
attrib -r -h C:\Program Files\Common Files\àdobe\*.*
del /a /f /q C:\Program Files\Common Files\àdobe\*.*
RD /s /q "C:\Program Files\Common Files\àdobe"
attrib -r -h C:\Program Files\Common Files\?dobeo\*.*
del /a /f /q C:\Program Files\Common Files\?dobe\*.*
RD /s /q "C:\Program Files\Common Files\?dobe"

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Doubleclick delpurity.bat; black dos windows will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Re-run combofix

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\nircmd.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

Post:

- a fresh HijackThis log
- combofix report
- jotti/virustotal results

tashi
2007-05-26, 09:26
How is it going shiftykilla.

tashi
2007-05-31, 04:18
This topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.