Help! please look at the log!



arctree
2007-06-24, 12:01
Hello
I have what seems to be multiple viruses hiding in my system and my browser keeps getting hijacked. I have tried HijackThis and worked through a few examples, but I may be missing something, so I have done a HijackThis log and posted it in the hope that someone will help me out of the maze. I am pretty competent (those famous last words) and can follow instructions.
info: ce-land.com is my own forum


------------------------< begin Hijack this log file >----------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:23:58, on 24/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\TBPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\Program Files\GPSoftware\Directory Opus\DOpus.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\SPY-WARE-SOLUTIONS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ce-land.com/forum
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ce883ecf-56b3-4d55-938d-5d5bb56d18db} - C:\WINDOWS\system32\insdne.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [EnGraph QuickTimeKiller] C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Eudora.lnk = C:\Program Files\Qualcomm\Eudora\Eudora.exe
O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe
O4 - Startup: ubisoft register.lnk = C:\Program Files\Ubi Soft\Register\schedule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: c:\windows\system32\awvtqop.dll
O20 - Winlogon Notify: insdne - C:\WINDOWS\SYSTEM32\insdne.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

------------------------< end Hijack this log file >----------------------------

Shaba
2007-06-24, 13:10
Hi arctree

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

arctree
2007-06-24, 17:36
Hi and thanks for taking the time to answer.
I ran Vundofix and it didn't find anything!

Here are the latest combofix and HijackThis logs.

------------------<start Combofix log>----------------------

"Sean" - 2007-06-24 15:22:25 - ComboFix 07-06-23.5 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvtqop.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Sean\APPLIC~1\tmp15.tmp.exe
C:\DOCUME~1\Sean\APPLIC~1\tmp39.tmp.exe
C:\DOCUME~1\Sean\APPLIC~1\tmp44.tmp.exe
C:\Program Files\inetget2
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-24 15:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 15:16 <DIR> d-------- C:\VundoFix Backups
2007-06-24 10:22 <DIR> d-------- C:\!KillBox
2007-06-24 10:06 59,435 --a------ C:\WINDOWS\system32\tmp44.tmp.dll
2007-06-23 20:47 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-23 20:47 <DIR> d-------- C:\Program Files\AVG Anti-Spyware 7.5
2007-06-23 20:42 <DIR> d-------- C:\SPY-WARE-SOLUTIONS
2007-06-22 20:28 <DIR> d-------- C:\Program Files\Ebay Countdown
2007-06-22 20:22 139,087 --a------ C:\WINDOWS\system32\dn442c5629.dat
2007-06-22 20:21 92,554 --a------ C:\WINDOWS\system32\insdne.dll
2007-06-19 19:30 89,360 -ra------ C:\WINDOWS\system32\VB5DB.DLL
2007-06-19 19:30 69,632 -ra------ C:\WINDOWS\system32\xmltok.dll
2007-06-19 19:30 36,864 -ra------ C:\WINDOWS\system32\xmlparse.dll
2007-06-19 19:30 26,096 -ra------ C:\WINDOWS\system32\xmlinst.exe
2007-06-19 19:30 <DIR> d-------- C:\Program Files\Ubi Soft
2007-06-17 10:40 <DIR> d-------- C:\eBay-sell
2007-06-16 10:09 5,120 --a------ C:\WINDOWS\TBManage.dll
2007-06-16 10:09 36,864 --a------ C:\WINDOWS\GWLib.dll
2007-06-16 10:09 33,280 --a------ C:\WINDOWS\DXTool.exe
2007-06-16 10:09 32,768 --a------ C:\WINDOWS\TBPanelExt.dll
2007-06-16 10:09 26,624 --a------ C:\WINDOWS\TBZoom.exe
2007-06-16 10:09 2,173,744 --a------ C:\WINDOWS\TBPanel.exe
2007-06-16 10:09 12,256 --a------ C:\WINDOWS\system32\drivers\TBPanel.sys
2007-06-16 10:09 <DIR> d-------- C:\WINDOWS\UI
2007-06-16 10:01 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-16 10:01 745,472 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-16 10:01 6,668,288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-16 10:01 466,944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-16 10:01 442,368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-16 10:01 425,984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-16 10:01 335,872 --a------ C:\WINDOWS\system32\nvwrses.dll
2007-06-16 10:01 335,872 --a------ C:\WINDOWS\system32\nvwrsel.dll
2007-06-16 10:01 327,680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2007-06-16 10:01 327,680 --a------ C:\WINDOWS\system32\nvwrsesm.dll
2007-06-16 10:01 327,680 --a------ C:\WINDOWS\system32\nvrshe.dll
2007-06-16 10:01 327,680 --a------ C:\WINDOWS\system32\nvrsar.dll
2007-06-16 10:01 323,584 --a------ C:\WINDOWS\system32\nvwrspt.dll
2007-06-16 10:01 323,584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2007-06-16 10:01 319,488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2007-06-16 10:01 319,488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2007-06-16 10:01 315,392 --a------ C:\WINDOWS\system32\nvwrsru.dll
2007-06-16 10:01 315,392 --a------ C:\WINDOWS\system32\nvwrshu.dll
2007-06-16 10:01 311,296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2007-06-16 10:01 303,104 --a------ C:\WINDOWS\system32\nvwrstr.dll
2007-06-16 10:01 303,104 --a------ C:\WINDOWS\system32\nvwrssl.dll
2007-06-16 10:01 303,104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2007-06-16 10:01 3,645,440 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-16 10:01 3,538,944 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-16 10:01 299,008 --a------ C:\WINDOWS\system32\nvwrssk.dll
2007-06-16 10:01 299,008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2007-06-16 10:01 294,912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2007-06-16 10:01 294,912 --a------ C:\WINDOWS\system32\nvwrspl.dll
2007-06-16 10:01 294,912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2007-06-16 10:01 286,720 --a------ C:\WINDOWS\system32\nvwrseng.dll
2007-06-16 10:01 286,720 --a------ C:\WINDOWS\system32\nvwrscs.dll
2007-06-16 10:01 286,720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-16 10:01 282,624 --a------ C:\WINDOWS\system32\nvwrsar.dll
2007-06-16 10:01 282,624 --a------ C:\WINDOWS\system32\nvrsfr.dll
2007-06-16 10:01 282,624 --a------ C:\WINDOWS\system32\nvrses.dll
2007-06-16 10:01 282,624 --a------ C:\WINDOWS\system32\nvrsel.dll
2007-06-16 10:01 278,528 --a------ C:\WINDOWS\system32\nvwrshe.dll
2007-06-16 10:01 278,528 --a------ C:\WINDOWS\system32\nvrsit.dll
2007-06-16 10:01 274,432 --a------ C:\WINDOWS\system32\nvrsnl.dll
2007-06-16 10:01 274,432 --a------ C:\WINDOWS\system32\nvrsesm.dll
2007-06-16 10:01 274,432 --a------ C:\WINDOWS\system32\nvrsde.dll
2007-06-16 10:01 270,336 --a------ C:\WINDOWS\system32\nvrspt.dll
2007-06-16 10:01 266,240 --a------ C:\WINDOWS\system32\nvrsru.dll
2007-06-16 10:01 266,240 --a------ C:\WINDOWS\system32\nvrsptb.dll
2007-06-16 10:01 266,240 --a------ C:\WINDOWS\system32\nvrsja.dll
2007-06-16 10:01 258,048 --a------ C:\WINDOWS\system32\nvrssk.dll
2007-06-16 10:01 258,048 --a------ C:\WINDOWS\system32\nvrsko.dll
2007-06-16 10:01 258,048 --a------ C:\WINDOWS\system32\nvrshu.dll
2007-06-16 10:01 253,952 --a------ C:\WINDOWS\system32\nvrstr.dll
2007-06-16 10:01 253,952 --a------ C:\WINDOWS\system32\nvrssv.dll
2007-06-16 10:01 253,952 --a------ C:\WINDOWS\system32\nvrssl.dll
2007-06-16 10:01 253,952 --a------ C:\WINDOWS\system32\nvrspl.dll
2007-06-16 10:01 253,952 --a------ C:\WINDOWS\system32\nvrsno.dll
2007-06-16 10:01 253,952 --a------ C:\WINDOWS\system32\nvrsda.dll
2007-06-16 10:01 245,760 --a------ C:\WINDOWS\system32\nvrsfi.dll
2007-06-16 10:01 245,760 --a------ C:\WINDOWS\system32\nvrseng.dll
2007-06-16 10:01 245,760 --a------ C:\WINDOWS\system32\nvrscs.dll
2007-06-16 10:01 225,280 --a------ C:\WINDOWS\system32\nvrszhc.dll
2007-06-16 10:01 212,992 --a------ C:\WINDOWS\system32\nvwrsja.dll
2007-06-16 10:01 2,854,912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-16 10:01 2,387,968 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-16 10:01 2,273,280 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-16 10:01 196,608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2007-06-16 10:01 167,936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2007-06-16 10:01 163,908 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-16 10:01 163,840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2007-06-16 10:01 143,360 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-16 10:01 122,880 --a------ C:\WINDOWS\system32\nvrszht.dll
2007-06-16 10:01 1,703,936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-16 10:01 1,626,112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-16 10:01 1,339,392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-16 10:01 1,019,904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-16 10:00 929,744 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-16 10:00 81,920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-16 10:00 8,429,568 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-16 10:00 6,217,728 --a------ C:\WINDOWS\system32\nvdisps.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 14:26:30 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-23 14:30:38 -------- d-----w C:\Program Files\Norton SystemWorks
2007-06-21 17:46:03 -------- d-----w C:\Program Files\UltraEdit-32
2007-06-19 18:35:01 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-19 18:31:42 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-16 09:23:39 -------- d-----w C:\Program Files\viewsonic
2007-05-27 21:37:24 -------- d-----w C:\Program Files\LimeWire
2007-05-13 08:37:22 -------- d-----w C:\Program Files\Advanced Clipboard Manager
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-12 23:51:24 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-04-12 23:51:24 356,352 ----a-w C:\WINDOWS\system32\nvunrm.exe
2007-04-12 23:51:24 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-04-12 23:51:24 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-04-12 23:51:24 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-04-12 15:44:00 5,433,216 ----a-w C:\WINDOWS\system32\nv4_disp.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{00C6482D-C502-44C8-8409-FCE54AD9C208}=C:\Program Files\SnagIt 7\SnagItBHO.dll [2004-01-26 07:03]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp44.tmp.dll [2007-06-24 10:06]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll [2002-08-20 01:50]
{ce883ecf-56b3-4d55-938d-5d5bb56d18db}=C:\WINDOWS\system32\insdne.dll [2007-06-22 20:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-24 17:10]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 C:\WINDOWS\system32\ptipbmf.dll]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"EnGraph QuickTimeKiller"="C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe" [2005-03-20 12:31]
"Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-11-25 10:53]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2006-08-11 18:37]
"SideWinderTrayV4"="C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 16:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-12-31 16:26]
"CmUsbSound"="cmcnfgu.cpl" []
"nwiz"="nwiz.exe" [2007-04-12 16:44 C:\WINDOWS\system32\nwiz.exe]
"!AVG Anti-Spyware"="C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"QD FastAndSafe"="C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe" [2002-08-13 18:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"="C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" [2007-05-07 10:43]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2005-06-07 17:04]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 13:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\insdne]
insdne.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\awvtqop.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BGNewsAgent]
"C:\Program Files\BullGuard Software\BullGuard\BgNewsUI.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\CyberLink\PowerCinema\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE


Contents of the 'Scheduled Tasks' folder
2007-06-22 19:00:04 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-05-25 16:30:04 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-06-24 14:26:37 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 15:26:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 15:28:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 15:28

--- E O F ---

arctree
2007-06-24, 17:37
----------------------<hijack this log follows>-------------------------

Logfile of HijackThis v1.99.1
Scan saved at 15:31:11, on 24/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\SPY-WARE-SOLUTIONS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ce-land.com/forum
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp44.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ce883ecf-56b3-4d55-938d-5d5bb56d18db} - C:\WINDOWS\system32\insdne.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [EnGraph QuickTimeKiller] C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Eudora.lnk = C:\Program Files\Qualcomm\Eudora\Eudora.exe
O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\insdne.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\insdne.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: c:\windows\system32\awvtqop.dll
O20 - Winlogon Notify: insdne - C:\WINDOWS\SYSTEM32\insdne.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Shaba
2007-06-24, 19:40
Hi

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, right-click inside the listbox (white box) and click "add more files".
Copy & paste the 2 entries below into the top 2 boxes:

C:\WINDOWS\system32\tmp44.tmp.dll
C:\WINDOWS\system32\insdne.dll



Click Add Files and Click Close Window
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Shaba
2007-07-01, 12:05
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.