View Full Version : Smitfraud-C Toolbar.888 and virtumonde
Glen Stevens
2007-06-20, 14:43
Hello There,
I am unable to get rid of these two. Spybot says that its fixed toolbar.888 but it shows up again on subsequent scans as does virtumonde. I ran HJT but the save log button didn't ask me where I wanted to save it. I searched on HJT and *.log but couldnt find anything. Similarly the etrust anti virus web scanner threw up 3 infections, Win32\Chisyne!generic in c:\winnt\system32\vtuutsq.dll, Win32\Chisyne!generic in c:\winnt\system32\yayaawu.dll and Win32\Vundo!generic in c:\winnt\system32\geedd.dll, but gave me no option to save the log.
Hi Glen Stevens
Use this (http://downloads.malwareremoval.com/hijackthis_sfx.exe) link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Browse to that location with windows explorer, and double click on the HijackThis.exe program to run. Choose the 'Do a system scan and save a logfile'
That will allow you to save the log to the desktop (or some other place) and leave open a notepad file with the HijackThis log in it.
Now post your HijackThis log into this topic.
Glen Stevens
2007-06-21, 23:25
Thats better, thankyou Shaba, ok, whats next?
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:26:28 PM, on 6/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\JAM KT v3\JAMktv3.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINNT\system32\mrvphnvls\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4B3E07BB-7747-4B5F-8CB0-0344C0EC95CF} - C:\WINNT\system32\geedd.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINNT\system32\hyvftoyu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINNT\system32\vtuutsq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [JAMktV3] C:\Program Files\JAM KT v3\JAMktv3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINNT\system32\akquwdtq.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Security\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Glen\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://c.imputati.com/l/1df9616eb741327703d97f307814ee85_35.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152213321387
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170694084148
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: geedd - C:\WINNT\system32\geedd.dll
O20 - Winlogon Notify: vtuutsq - C:\WINNT\SYSTEM32\vtuutsq.dll
O20 - Winlogon Notify: winjcr32 - winjcr32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINNT\system32\PSIService.exe
--
End of file - 9144 bytes
Hi
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
- vundofix report
Glen Stevens
2007-06-26, 19:40
Thankyou Shaba, I have done all that.
The only odd thing that happened, is that vundo reported "Cannot import C:\vundofix.reg. Error opening the file. There may be a disk or filesystem error" just before it prompted me to reboot.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:35:52 PM, on 6/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\JAM KT v3\JAMktv3.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HiJackThis_v2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {18C0CC02-C7F6-4F89-B419-B0E56B57A37E} - C:\WINNT\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [JAMktV3] C:\Program Files\JAM KT v3\JAMktv3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Glen\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://c.imputati.com/l/1df9616eb741327703d97f307814ee85_35.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152213321387
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170694084148
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: winjcr32 - winjcr32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINNT\system32\PSIService.exe
--
End of file - 8516 bytes
"Glen" - 06/26/2007 18:26:53 - ComboFix 07-06-26.8 - Service Pack 4
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\system32\frffmwxx.dll
C:\WINNT\system32\iitmfnos.dll
C:\WINNT\system32\yayaawu.dll
C:\WINNT\system32\xxwmffrf.ini
C:\WINNT\system32\sonfmtii.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\system32\mrvphnvls\winlogon.ini
((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))
2007-06-26 18:29 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4cc.dat
2007-06-26 18:26 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-26 18:17 <DIR> d-------- C:\VundoFix Backups
2007-06-26 18:12 19,728 --a------ C:\WINNT\system32\hidserv.exe
2007-06-26 18:12 13,744 --a------ C:\WINNT\system32\drivers\kbdhid.sys
2007-06-26 16:52 4,628 --a------ C:\WINNT\system32\ntmhjfgj.exe
2007-06-25 16:53 4,628 --a------ C:\WINNT\system32\pghiimxf.exe
2007-06-24 18:17 4,628 --a------ C:\WINNT\system32\kohywejt.exe
2007-06-23 16:50 4,628 --a------ C:\WINNT\system32\snwqxlgu.exe
2007-06-21 21:00 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-20 10:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-20 10:14 2,114 --a------ C:\WINNT\system32\tmp.reg
2007-06-17 16:51 <DIR> d-------- C:\Program Files\VUGames
2007-06-17 11:50 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-06-17 11:10 <DIR> d-------- C:\Program Files\Google
2007-06-17 10:34 <DIR> d-------- C:\Program Files\LucasArts
2007-06-16 13:56 <DIR> d-------- C:\Program Files\Fraps
2007-06-16 12:53 43,520 --a------ C:\WINNT\system32\CmdLineExt03.dll
2007-06-12 21:35 21,840 --a------ C:\WINNT\system32\SIntfNT.dll
2007-06-12 21:35 17,212 --a------ C:\WINNT\system32\SIntf32.dll
2007-06-12 21:35 12,067 --a------ C:\WINNT\system32\SIntf16.dll
2007-06-12 21:32 4,096 --a------ C:\WINNT\d3dx.dat
2007-06-12 19:59 <DIR> d-------- C:\Program Files\BroadJump
2007-06-12 19:58 11,037,188 --a------ C:\back_up.reg
2007-05-31 20:23 <DIR> d-------- C:\WINNT\tagsxtreme
2007-05-31 17:59 <DIR> d-------- C:\WINNT\ninjanarutov2
2007-05-31 11:26 <DIR> d-------- C:\FOUND.001
2007-05-29 16:15 <DIR> d-------- C:\Program Files\MSN Messenger
2007-05-26 19:20 <DIR> d-------- C:\FOUND.000
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2018-06-03 23:00:00 16 ----a-w C:\WINNT\system32\user32.dat
2007-05-09 17:45:14 -------- d-----w C:\DOCUME~1\Glen\APPLIC~1\MilkShape 3D 1.x.x
2007-05-09 17:15:06 -------- d-----w C:\DOCUME~1\Glen\APPLIC~1\SmartDraw
2007-04-28 22:29:30 -------- d-----w C:\Program Files\QuickTime
2007-04-28 22:14:28 -------- d-----w C:\DOCUME~1\Glen\APPLIC~1\AVS4YOU
2007-04-28 22:11:44 -------- d-----w C:\Program Files\Common Files\AVSMedia
2007-04-28 20:54:20 356,352 ----a-w C:\WINNT\eSellerateEngine.dll
2007-04-28 20:54:00 -------- d-----w C:\Program Files\Common Files\DeskShare Shared
2007-04-26 21:13:12 -------- d-----w C:\DOCUME~1\Glen\APPLIC~1\Apple Computer
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-24 14:54:18 429,568 ----a-w C:\WINNT\system32\fmod64.dll
2007-04-24 14:54:18 161,280 ----a-w C:\WINNT\system32\fmod.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-05 07:17:40 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2001-12-31 23:56:28 6,686 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2001-12-31 23:56:26 168 --sh--r C:\WINNT\system32\6872BA538C.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [01-03-02 12:02 ]
{18C0CC02-C7F6-4F89-B419-B0E56B57A37E}=C:\WINNT\system32\geedd.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll [05-05-31 01:04 ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [06-11-09 15:21 ]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [07-01-19 23:55 ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 20:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [03-08-05 06:59 C:\WINNT\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [06-10-22 12:22 C:\WINNT\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [07-04-20 18:12 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [06-11-09 15:07 ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [05-01-18 17:47 ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [05-01-18 17:37 ]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [07-03-30 18:36 ]
"JAMktV3"="C:\Program Files\JAM KT v3\JAMktv3.exe" [07-04-24 15:54 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-02-16 10:54 ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [02-09-10 21:26 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 05:00 C:\WINNT\system32\internat.exe]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [05-06-14 10:05 ]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [07-02-16 17:19 ]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [05-01-18 17:07 ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [07-04-03 23:29 ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07-06-17 11:11 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjcr32]
winjcr32.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
Contents of the 'Scheduled Tasks' folder
2007-06-24 21:49:02 C:\WINNT\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 18:29:43
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-26 18:32:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-26 18:31
--- E O F ---
VundoFix V6.5.1
Checking Java version...
Java version is 1.5.0.10
Scan started at 6:17:04 PM 6/26/2007
Listing files found while scanning....
C:\WINNT\system32\ddeeg.bak1
C:\WINNT\system32\ddeeg.bak2
C:\WINNT\system32\ddeeg.ini
C:\WINNT\system32\geedd.dll
C:\WINNT\system32\hyvftoyu.dll
C:\WINNT\system32\otgbnfqd.dll
C:\WINNT\system32\vtuutsq.dll
Beginning removal...
Attempting to delete C:\WINNT\system32\ddeeg.bak1
C:\WINNT\system32\ddeeg.bak1 Has been deleted!
Attempting to delete C:\WINNT\system32\ddeeg.bak2
C:\WINNT\system32\ddeeg.bak2 Has been deleted!
Attempting to delete C:\WINNT\system32\ddeeg.ini
C:\WINNT\system32\ddeeg.ini Has been deleted!
Attempting to delete C:\WINNT\system32\geedd.dll
C:\WINNT\system32\geedd.dll Has been deleted!
Attempting to delete C:\WINNT\system32\otgbnfqd.dll
C:\WINNT\system32\otgbnfqd.dll Has been deleted!
Attempting to delete C:\WINNT\system32\vtuutsq.dll
C:\WINNT\system32\vtuutsq.dll Has been deleted!
Performing Repairs to the registry.
Done!
Hi
Do you recognize this program?
O4 - HKLM\..\Run: [JAMktV3] C:\Program Files\JAM KT v3\JAMktv3.exe
Glen Stevens
2007-06-30, 10:55
Hello Shaba,
Yes its a bespoke add on for Jedi Knight III (for changing skins, playing custom music etc)
Hi
Ok :)
Open HijackThis, click do a system scan only and checkmark these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {18C0CC02-C7F6-4F89-B419-B0E56B57A37E} - C:\WINNT\system32\geedd.dll (file missing)
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://c.imputati.com/l/1df9616eb741...814ee85_35.exe
O20 - Winlogon Notify: winjcr32 - winjcr32.dll (file missing)
Close all windows including browser and press fix checked.
Reboot.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINNT\system32\ntmhjfgj.exe
C:\WINNT\system32\pghiimxf.exe
C:\WINNT\system32\kohywejt.exe
C:\WINNT\system32\snwqxlgu.exe
Save this as ComboFix-Do.txt
Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Glen Stevens
2007-07-10, 13:11
Thanks Shaba,
Please find attached combofix + Hijackthis logs
Regards
Glen
"Glen" - 07/10/2007 9:25:42 - ComboFix 07-06-26.8 - Service Pack 4
Command switches used :: C:\Documents and Settings\Glen\Desktop\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\system32\kohywejt.exe
C:\WINNT\system32\ntmhjfgj.exe
C:\WINNT\system32\pghiimxf.exe
C:\WINNT\system32\snwqxlgu.exe
((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))
2007-07-09 17:32 <DIR> d-------- C:\Program Files\Messenger
2007-07-08 10:12 <DIR> d-------- C:\Program Files\Gpotato
2007-07-08 01:17 <DIR> d-------- C:\Program Files\directx
2007-07-08 01:12 <DIR> d-------- C:\Program Files\Managed DirectX (0901)
2007-07-06 20:54 <DIR> d-------- C:\Program Files\MindArk
2007-07-02 07:55 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_398.dat
2007-07-01 09:57 <DIR> d-------- C:\Program Files\Games-Masters.com
2007-06-28 19:56 <DIR> d--h----- C:\DOCUME~1\Glen\APPLIC~1\ijjigame
2007-06-28 19:31 <DIR> d-------- C:\ijji
2007-06-27 22:14 <DIR> d-------- C:\Program Files\QuickTime
2007-06-27 22:14 <DIR> d-------- C:\Program Files\Apple Software Update
2007-06-26 18:26 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-26 18:17 <DIR> d-------- C:\VundoFix Backups
2007-06-26 18:12 19,728 --a------ C:\WINNT\system32\hidserv.exe
2007-06-26 18:12 13,744 --a------ C:\WINNT\system32\drivers\kbdhid.sys
2007-06-21 21:00 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-20 10:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-20 10:14 2,114 --a------ C:\WINNT\system32\tmp.reg
2007-06-17 16:51 <DIR> d-------- C:\Program Files\VUGames
2007-06-17 11:50 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-06-17 11:10 <DIR> d-------- C:\Program Files\Google
2007-06-16 13:56 <DIR> d-------- C:\Program Files\Fraps
2007-06-16 12:53 43,520 --a------ C:\WINNT\system32\CmdLineExt03.dll
2007-06-12 21:35 21,840 --a------ C:\WINNT\system32\SIntfNT.dll
2007-06-12 21:35 17,212 --a------ C:\WINNT\system32\SIntf32.dll
2007-06-12 21:35 12,067 --a------ C:\WINNT\system32\SIntf16.dll
2007-06-12 21:32 4,096 --a------ C:\WINNT\d3dx.dat
2007-06-12 19:59 <DIR> d-------- C:\Program Files\BroadJump
2007-06-12 19:58 11,037,188 --a------ C:\back_up.reg
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2018-06-03 23:00:00 16 ----a-w C:\WINNT\system32\user32.dat
2007-05-29 15:16:00 -------- d-----w C:\Program Files\MSN Messenger
2007-04-28 20:54:20 356,352 ----a-w C:\WINNT\eSellerateEngine.dll
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-24 14:54:18 429,568 ----a-w C:\WINNT\system32\fmod64.dll
2007-04-24 14:54:18 161,280 ----a-w C:\WINNT\system32\fmod.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2001-12-31 23:56:28 6,686 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2001-12-31 23:56:26 168 --sh--r C:\WINNT\system32\6872BA538C.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [03/02/01 12:02p]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll [05/31/05 01:04a]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [11/09/06 03:21p]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [01/19/07 11:55p]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 08:05p C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [08/05/03 06:59a C:\WINNT\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [10/22/06 12:22p C:\WINNT\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/20/07 06:12p]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/06 03:07p]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [01/18/05 05:47p]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [01/18/05 05:37p]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [03/30/07 06:36p]
"JAMktV3"="C:\Program Files\JAM KT v3\JAMktv3.exe" [04/24/07 03:54p]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/02 09:26p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [12/07/99 05:00a C:\WINNT\system32\internat.exe]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [06/14/05 10:05a]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [02/16/07 05:19p]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [01/18/05 05:07p]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [06/17/07 11:11a]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN
Contents of the 'Scheduled Tasks' folder
2007-07-03 16:47:16 C:\WINNT\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 09:26:39
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 07/10/2007 9:27:34
C:\ComboFix2.txt ... 06/26/07 06:32p
C:\ComboFix-quarantined-files.txt ... 07/10/07 09:27a
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:16:04 PM, on 7/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\JAM KT v3\JAMktv3.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [JAMktV3] C:\Program Files\JAM KT v3\JAMktv3.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Glen\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152213321387
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170694084148
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINNT\system32\PSIService.exe
--
End of file - 8344 bytes
Hi
Do you know what is inside this folder?
C:\ijji
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.