Virtumonde and Smitfraud?



Lancett
2007-07-23, 09:52
I've been going through hell and back installing several programs on this computer trying to clean out the mass amounts of spyware/malware it's accumulated. These two are the only ones left on the list. Smitfraud is questionable because Spybot S&D claims to remove it, but it reappears on the next scan.

Virtumonde has been juggled between Spybot S&D and Windows Defender trying to get it removed, no good. I come here asking for help.

----

Logfile of HijackThis v1.99.1
Scan saved at 2:48:28 AM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\nprxfmjA.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\My Backup -- 16-06-07 2201\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\opnlkig.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\yjmausam.dll",forkonce
O4 - HKLM\..\Run: [nprxfmjA] C:\WINDOWS\nprxfmjA.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O20 - Winlogon Notify: opnlkig - C:\WINDOWS\SYSTEM32\opnlkig.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
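
As an added example (not part of the original post, and not HijackThis's own code), the Python script below applies the triage rules a log reader would use on the entries above: a BHO registered with no class name, a Run entry that loads a DLL through rundll32, an executable started straight from the Windows root rather than from system32 or Program Files, and the same DLL hooked from two independent loading points (here O2 and O20, the pattern that ties opnlkig.dll to the Virtumonde complaint). The sample lines are copied from the log above, with known-good entries from the same log kept as true negatives; the rule set, thresholds and function names are this example's own assumptions. They are heuristics rather than signatures, so every hit still needs a human look.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted above, with
# known-good entries from the same log kept so the rules have true negatives.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\opnlkig.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\yjmausam.dll",forkonce
O4 - HKLM\..\Run: [nprxfmjA] C:\WINDOWS\nprxfmjA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: opnlkig - C:\WINDOWS\SYSTEM32\opnlkig.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Line shapes for the three HijackThis sections this triage reads.
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RE_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def launched_exe(cmd):
    """The program a Run value starts: the quoted path, or the text up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (subject, reason) pairs for entries that deserve a closer look."""
    findings = []
    loaders = defaultdict(set)  # dll basename -> HJT sections that load it

    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_O2.match(line):
            loaders[basename(m["path"])].add("O2")
            if m["name"] == "(no name)":
                findings.append((line, "BHO registered without a class name"))
        elif m := RE_O4.match(line):
            cmd = m["cmd"]
            if r := RE_RUNDLL.search(cmd):
                loaders[basename(r["dll"])].add("O4")
                findings.append((line, "Run entry loads a DLL via rundll32"))
            else:
                parent = launched_exe(cmd).rsplit("\\", 1)[0].lower()
                if parent.endswith("\\windows"):
                    findings.append((line, "executable launched from the Windows root"))
        elif m := RE_O20.match(line):
            loaders[basename(m["path"])].add("O20")

    # The cross-reference: one DLL registered at two independent load points.
    for dll, sections in sorted(loaders.items()):
        if len(sections) > 1:
            findings.append((dll, "same DLL hooked from " + "+".join(sorted(sections))))
    return findings


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {subject}")
```

Run against the sample it reports exactly four items: the nameless BHO, the rundll32 line for yjmausam.dll, nprxfmjA.exe in C:\WINDOWS, and opnlkig.dll as hooked from both O2 and O20. The avast!, Java, Defender, ctfmon and WgaLogon entries pass, which is the point of keeping them in the sample: a triage rule that fires on everything is no better than reading the log by eye.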

Lancett
2007-07-23, 09:55
Also, this is my family computer so I'm also looking for suggestions on how to "idiot-proof" this computer as much as possible (I've already asked them to read the stickied thread, "How did I get infected in the first place?").

Blade81
2007-07-23, 23:16
Hi

1. Download this file: combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Lancett
2007-07-24, 01:15
"Owner" - 2007-07-23 17:59:06 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\knpwyfng.dll
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\yjmausam.dll
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\gnfywpnk.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\masuamjy.ini
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.bak2
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\opnlkig.dll
C:\WINDOWS\system32\opnlkig.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\Owner\APPLIC~1.\icroso~1
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\WMGVT8XZ\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\WMGVT8XZ\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\WMGVT8XZ\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Owner.\err.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Internet Explorer\vikoziwui.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\system32\aomrdbqr.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\dlyhfmvx.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\ibvmltxu.exe
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\jstajees.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z1\mwspasrt83122.exe
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z3\w0716.exe
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z5\st2.exe
C:\WINDOWS\system32\Z7
C:\WINDOWS\system32\Z9
C:\WINDOWS\system32\Z9\bw73.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))


2007-07-23 17:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 15:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\APPLIC~1\TMPGEncDVDAuthor3
2007-07-23 11:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\LEAPS
2007-07-23 11:27 53,248 --a------ C:\WINDOWS\system32\GenSvcInst.exe
2007-07-23 11:27 33,408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-07-23 11:27 118,784 --a------ C:\WINDOWS\system32\bgsvcgen.exe
2007-07-23 11:24 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-07-23 11:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pegasys Inc
2007-07-23 11:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Pegasys Inc
2007-07-23 10:50 6,471 --ahs---- C:\WINDOWS\system32\ijkmp.bak1
2007-07-23 08:13 6,471 --ahs---- C:\WINDOWS\system32\ihkmp.bak1
2007-07-23 06:31 6,511 --ahs---- C:\WINDOWS\system32\ghhkj.bak1
2007-07-23 03:46 6,489 --ahs---- C:\WINDOWS\system32\sttss.bak1
2007-07-23 03:32 <DIR> d-------- C:\DOCUME~1\Owner\p
2007-07-23 02:34 6,488 --ahs---- C:\WINDOWS\system32\nqstv.bak1
2007-07-22 21:31 6,489 --ahs---- C:\WINDOWS\system32\svvwa.bak1
2007-07-22 19:41 6,529 --ahs---- C:\WINDOWS\system32\vycdd.bak1
2007-07-22 16:58 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-22 16:30 6,489 --ahs---- C:\WINDOWS\system32\cbadd.bak1
2007-07-22 15:18 6,529 --ahs---- C:\WINDOWS\system32\vvvwa.bak1
2007-07-22 14:06 <DIR> d-------- C:\Program Files\SpywareGuard
2007-07-22 13:57 6,488 --ahs---- C:\WINDOWS\system32\vyadd.bak1
2007-07-22 13:20 1,004 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-22 13:15 <DIR> d-------- C:\DOCUME~1\Owner\SmitfraudFix
2007-07-22 11:50 6,489 --ahs---- C:\WINDOWS\system32\hjkkj.bak1
2007-07-22 10:57 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-07-22 10:42 6,488 --ahs---- C:\WINDOWS\system32\oqtwa.bak1
2007-07-22 10:32 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-22 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-20 07:08 57,344 --a------ C:\WINDOWS\system32\CGZipLibrary.DLL
2007-07-20 07:08 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2007-07-20 07:08 <DIR> d-------- C:\Program Files\RegDoctor
2007-07-20 04:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 04:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-20 04:02 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-19 19:26 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-07-19 19:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-07-19 14:29 986,352 -r-hs---- C:\WINDOWS\nprxfmjA.exe
2007-07-19 14:29 54,784 --a------ C:\WINDOWS\nprxfmj.exe
2007-07-19 14:29 <DIR> d-------- C:\TEMP\brr
2007-07-19 14:29 <DIR> d-------- C:\TEMP\0c2
2007-07-17 15:55 <DIR> d-------- C:\WINDOWS\SpaceForce - Rogue Universe
2007-07-17 15:55 <DIR> d-------- C:\Program Files\DreamCatcher
2007-07-17 15:44 <DIR> d-------- C:\Program Files\spaceforce
2007-07-16 15:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-07-13 04:02 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-13 04:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-12 20:18 672 --a------ C:\WINDOWS\mozver.dat
2007-07-12 20:18 <DIR> d-------- C:\Program Files\DivX
2007-07-10 05:12 786,432 --ah----- C:\DOCUME~1\ADMINI~1.LIV\NTUSER.DAT
2007-07-10 05:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\WINDOWS
2007-07-10 05:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\APPLIC~1\SampleView
2007-07-10 05:08 <DIR> d-------- C:\VundoFix Backups
2007-07-10 04:57 6,369 --ahs---- C:\WINDOWS\system32\hhkmp.bak1
2007-07-07 22:51 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-07 22:51 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-07 22:51 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-07 22:51 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-07 22:50 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-07 22:50 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-07 22:50 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-06 05:19 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-05 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-05 11:50 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-07-05 11:50 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-05 11:50 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-03 04:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-02 15:47 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-07-02 15:47 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:47 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-07-02 15:47 593,920 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-02 15:47 564,224 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-07-02 15:47 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-07-02 15:47 39,936 --a------ C:\WINDOWS\system32\huffyuv.dll
2007-07-02 15:47 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:47 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-02 15:47 217,088 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-02 15:47 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-02 15:47 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll
2007-07-02 15:47 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-07-02 15:14 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2007-07-02 14:41 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 14:41 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 14:39 <DIR> d-------- C:\Program Files\uTorrent
2007-07-02 14:17 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-02 07:06 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-07-02 07:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-02 06:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 16:27:36 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-23 14:33:18 330 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-07-21 10:16:45 -------- d-----w C:\Program Files\PowerISO
2007-07-20 00:19:01 -------- d-----w C:\Program Files\Yahoo!
2007-07-19 19:29:26 -------- d-----w C:\Program Files\Windows NT
2007-07-13 09:03:53 -------- d-----w C:\Program Files\QuickTime
2007-07-06 00:01:24 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-05 23:46:57 -------- d-----w C:\Program Files\Symantec
2007-07-05 23:46:47 -------- d-----w C:\Program Files\Norton Internet Security
2007-07-05 23:26:27 -------- d-----w C:\Program Files\Messenger
2007-07-02 20:47:07 -------- d-----w C:\Program Files\K-Lite Codec Pack
2007-07-02 12:14:49 -------- d-----w C:\Program Files\BigFix
2007-07-02 11:32:17 -------- d-----w C:\Program Files\Kodak
2007-07-02 11:31:50 -------- d-----w C:\Program Files\Starcraft
2007-06-19 23:21:23 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-06-19 21:15:12 34,580 ----a-w C:\WINDOWS\scunin.dat
2007-06-19 15:51:32 -------- d-----w C:\Program Files\AOL Toolbar
2007-06-19 05:53:23 -------- d-----w C:\Program Files\Bonjour
2007-06-18 19:41:51 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2007-06-18 18:13:58 -------- d-----w C:\Program Files\Alwil Software
2007-06-18 04:42:24 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-06-17 22:06:47 -------- d-----w C:\Program Files\Google
2007-06-17 10:15:54 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-06-17 09:13:05 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Google
2007-06-17 09:11:32 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Aim
2007-06-17 09:07:12 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SmartFTP
2007-06-17 08:43:44 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Ventrilo
2007-06-17 08:09:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SampleView
2007-06-17 05:36:05 -------- d-----w C:\Program Files\Ahead
2007-06-17 05:35:22 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-17 05:35:15 -------- d-----w C:\Program Files\America Online 9.0
2007-06-17 05:35:11 -------- d-----w C:\Program Files\AOL Companion
2007-06-17 05:35:07 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-17 05:35:05 -------- d-----w C:\Program Files\Pure Networks
2007-06-17 05:35:04 -------- d-----w C:\Program Files\Viewpoint
2007-06-17 05:35:04 -------- d-----w C:\Program Files\Learn2.com
2007-06-17 05:35:03 -------- d-----w C:\Program Files\Common Files\aolshare
2007-06-17 05:34:46 -------- d-----w C:\Program Files\Common Files\Nullsoft
2007-06-17 05:34:24 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-06-17 05:34:24 -------- d-----w C:\Program Files\Common Files\Real
2007-06-17 05:34:22 -------- d-----w C:\Program Files\Real
2007-06-17 05:33:31 335 ----a-w C:\WINDOWS\nsreg.dat
2007-06-17 05:33:21 -------- d-----w C:\Program Files\Microsoft Picture It! 10
2007-06-17 05:32:49 -------- d-----w C:\Program Files\Intel
2007-06-17 05:31:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 05:31:06 -------- d-----w C:\Program Files\Realtek
2007-06-17 05:31:05 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 05:30:12 -------- d-----w C:\Program Files\Digital Media Reader
2007-06-17 05:29:27 -------- d-----w C:\Program Files\Microsoft Works
2007-06-17 05:26:53 -------- d-----w C:\Program Files\Common Files\New Boundary
2007-06-17 05:18:57 -------- d-----w C:\Program Files\CONEXANT
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-17 21:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2007-06-17 00:36:19]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\vikoziwui.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nprxfmjA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
"C:\Program Files\Outerinfo\Outerinfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
"C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
"C:\Program Files\WinAntiSpyware 2007\was7.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\WINDOWS\TISKY009.exe SKY009

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 SunkFilt;Alcor Micro Corp Reader;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys


Contents of the 'Scheduled Tasks' folder
2007-07-23 16:32:05 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 18:11:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [2880] 0x8505F478


scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23 18:13:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-23 18:12

--- E O F ---
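
Two things in this ComboFix log are worth pulling out by hand, and the added Python below (example code, not ComboFix's or any other tool's own) does both on lines copied from the log: it pairs each deleted .dll with the .ini/.bak1 files in the same directory whose name is the DLL name spelled backwards (ddayx.dll with xyadd.ini and xyadd.bak1, mlljh.dll with hjllm.ini, and so on, as the V Log section shows), and it lists the hidden+system files from the "Files Created" section together with the gap between consecutive .bak1 drops. Those drops on 22-23 July, one every one to five hours while Spybot and Defender were being run against the machine, are the log's own evidence that the infection was still live and regenerating, which is why removals kept "reappearing on the next scan". The cut-down sample and the function names are this example's assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the paths in the ComboFix "V Log" and a few
# "Files Created" lines, copied from the log posted above.
DELETED_PATHS = r"""
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\knpwyfng.dll
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\yjmausam.dll
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\gnfywpnk.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\masuamjy.ini
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\opnlkig.dll
""".split()

CREATED_LINES = r"""
2007-07-23 17:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 10:50 6,471 --ahs---- C:\WINDOWS\system32\ijkmp.bak1
2007-07-23 08:13 6,471 --ahs---- C:\WINDOWS\system32\ihkmp.bak1
2007-07-23 06:31 6,511 --ahs---- C:\WINDOWS\system32\ghhkj.bak1
2007-07-23 03:46 6,489 --ahs---- C:\WINDOWS\system32\sttss.bak1
2007-07-23 02:34 6,488 --ahs---- C:\WINDOWS\system32\nqstv.bak1
2007-07-22 21:31 6,489 --ahs---- C:\WINDOWS\system32\svvwa.bak1
2007-07-22 14:06 <DIR> d-------- C:\Program Files\SpywareGuard
2007-07-19 14:29 986,352 -r-hs---- C:\WINDOWS\nprxfmjA.exe
2007-07-19 14:29 54,784 --a------ C:\WINDOWS\nprxfmj.exe
""".strip().splitlines()

SIDECAR_EXTS = {"ini", "bak1", "bak2"}
RE_CREATED = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)


def split_path(path):
    """(directory, stem, extension), all lower-cased, for a Windows path."""
    directory, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    return directory.lower(), stem.lower(), ext.lower()


def reversed_name_pairs(paths):
    """Match each .dll to sidecar files in the same directory whose stem is the DLL stem reversed.

    Returns (pairs, orphans): pairs as (dll, [sidecars]); orphans are sidecar stems
    whose mirrored DLL is not in the list (already removed, or still hidden)."""
    index = {}
    for p in paths:
        directory, stem, ext = split_path(p)
        index.setdefault((directory, stem), set()).add(ext)
    pairs, orphans = [], []
    for (directory, stem), exts in sorted(index.items()):
        mirror = index.get((directory, stem[::-1]), set())
        if "dll" in exts:
            mates = mirror & SIDECAR_EXTS
            if mates:
                pairs.append((stem + ".dll", sorted(stem[::-1] + "." + e for e in mates)))
        elif exts & SIDECAR_EXTS and "dll" not in mirror:
            orphans.append(stem)
    return pairs, orphans


def parse_created(lines):
    """Parse 'Files Created' lines into (timestamp, attribute string, path)."""
    entries = []
    for line in lines:
        m = RE_CREATED.match(line.strip())
        if m:
            when = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M")
            entries.append((when, m["attrs"], m["path"]))
    return entries


def hidden_system_files(entries):
    """Regular files carrying both the hidden (h) and system (s) attributes."""
    return [p for _, a, p in entries if a[0] != "d" and "h" in a and "s" in a]


def drop_intervals_hours(entries, suffix=".bak1"):
    """Hours between consecutive creations of files ending in `suffix`, oldest first."""
    times = sorted(t for t, _, p in entries if p.lower().endswith(suffix))
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    pairs, orphans = reversed_name_pairs(DELETED_PATHS)
    for dll, sidecars in pairs:
        print(f"{dll} <-> {', '.join(sidecars)}")
    print("sidecars with no matching DLL:", orphans)
    created = parse_created(CREATED_LINES)
    print("hidden+system files:", hidden_system_files(created))
    print("hours between .bak1 drops:", drop_intervals_hours(created))
```

On the sample, four DLLs pair with their reversed-name sidecars, and bccdd and orutv come out as orphans: their mirrored DLLs (ddccb.dll, vturo.dll) are not in the deletion list, which is the kind of gap a follow-up CFScript or a rootkit scan should account for. The hidden+system list catches the six .bak1 files and nprxfmjA.exe, and the drop intervals between them are roughly 5, 1.2, 2.75, 1.7 and 2.6 hours.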

Blade81
2007-07-24, 12:58
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\nqstv.bak1
C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\nprxfmjA.exe
C:\WINDOWS\nprxfmj.exe
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\scunin.dat

Folder::
C:\Temp
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nprxfmjA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]



Save this as CFScript


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript onto ComboFix.exe.
Then post the resulting log with a fresh HJT log.

Lancett
2007-07-24, 22:19
Logfile of HijackThis v1.99.1
Scan saved at 3:19:34 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Blade81
2007-07-25, 16:10
Hi

How about that resultant log of Combofix? :)

Lancett
2007-07-29, 00:47
Terribly sorry for the big delay, I had a brief vacation.

"Owner" - 2007-07-24 15:11:38 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-23 17:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 15:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\APPLIC~1\TMPGEncDVDAuthor3
2007-07-23 11:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\LEAPS
2007-07-23 11:27 53,248 --a------ C:\WINDOWS\system32\GenSvcInst.exe
2007-07-23 11:27 33,408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-07-23 11:27 118,784 --a------ C:\WINDOWS\system32\bgsvcgen.exe
2007-07-23 11:24 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-07-23 11:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pegasys Inc
2007-07-23 11:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Pegasys Inc
2007-07-23 10:50 6,471 --ahs---- C:\WINDOWS\system32\ijkmp.bak1
2007-07-23 08:13 6,471 --ahs---- C:\WINDOWS\system32\ihkmp.bak1
2007-07-23 06:31 6,511 --ahs---- C:\WINDOWS\system32\ghhkj.bak1
2007-07-23 03:46 6,489 --ahs---- C:\WINDOWS\system32\sttss.bak1
2007-07-23 03:32 <DIR> d-------- C:\DOCUME~1\Owner\p
2007-07-23 02:34 6,488 --ahs---- C:\WINDOWS\system32\nqstv.bak1
2007-07-22 21:31 6,489 --ahs---- C:\WINDOWS\system32\svvwa.bak1
2007-07-22 19:41 6,529 --ahs---- C:\WINDOWS\system32\vycdd.bak1
2007-07-22 16:58 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-22 16:30 6,489 --ahs---- C:\WINDOWS\system32\cbadd.bak1
2007-07-22 15:18 6,529 --ahs---- C:\WINDOWS\system32\vvvwa.bak1
2007-07-22 14:06 <DIR> d-------- C:\Program Files\SpywareGuard
2007-07-22 13:57 6,488 --ahs---- C:\WINDOWS\system32\vyadd.bak1
2007-07-22 13:20 1,004 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-22 13:15 <DIR> d-------- C:\DOCUME~1\Owner\SmitfraudFix
2007-07-22 11:50 6,489 --ahs---- C:\WINDOWS\system32\hjkkj.bak1
2007-07-22 10:57 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-07-22 10:42 6,488 --ahs---- C:\WINDOWS\system32\oqtwa.bak1
2007-07-22 10:32 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-22 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-20 07:08 57,344 --a------ C:\WINDOWS\system32\CGZipLibrary.DLL
2007-07-20 07:08 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2007-07-20 07:08 <DIR> d-------- C:\Program Files\RegDoctor
2007-07-20 04:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 04:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-20 04:02 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-19 19:26 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-07-19 19:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-07-19 14:29 986,352 -r-hs---- C:\WINDOWS\nprxfmjA.exe
2007-07-19 14:29 54,784 --a------ C:\WINDOWS\nprxfmj.exe
2007-07-19 14:29 <DIR> d-------- C:\TEMP\brr
2007-07-19 14:29 <DIR> d-------- C:\TEMP\0c2
2007-07-17 15:55 <DIR> d-------- C:\WINDOWS\SpaceForce - Rogue Universe
2007-07-17 15:55 <DIR> d-------- C:\Program Files\DreamCatcher
2007-07-17 15:44 <DIR> d-------- C:\Program Files\spaceforce
2007-07-16 15:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-07-13 04:02 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-13 04:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-12 20:18 672 --a------ C:\WINDOWS\mozver.dat
2007-07-12 20:18 <DIR> d-------- C:\Program Files\DivX
2007-07-10 05:12 786,432 --ah----- C:\DOCUME~1\ADMINI~1.LIV\NTUSER.DAT
2007-07-10 05:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\WINDOWS
2007-07-10 05:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\APPLIC~1\SampleView
2007-07-10 05:08 <DIR> d-------- C:\VundoFix Backups
2007-07-10 04:57 6,369 --ahs---- C:\WINDOWS\system32\hhkmp.bak1
2007-07-07 22:51 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-07 22:51 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-07 22:51 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-07 22:51 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-07 22:50 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-07 22:50 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-07 22:50 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-06 05:19 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-05 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-05 11:50 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-07-05 11:50 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-05 11:50 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-03 04:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-02 15:47 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-07-02 15:47 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:47 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-07-02 15:47 593,920 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-02 15:47 564,224 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-07-02 15:47 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-07-02 15:47 39,936 --a------ C:\WINDOWS\system32\huffyuv.dll
2007-07-02 15:47 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:47 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-02 15:47 217,088 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-02 15:47 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-02 15:47 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll
2007-07-02 15:47 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-07-02 15:14 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2007-07-02 14:41 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 14:41 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 14:39 <DIR> d-------- C:\Program Files\uTorrent
2007-07-02 14:17 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-02 07:06 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-07-02 07:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-02 06:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 19:30:41 -------- d-----w C:\Program Files\Starcraft
2007-07-24 18:07:25 720 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-07-23 16:27:36 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-21 10:16:45 -------- d-----w C:\Program Files\PowerISO
2007-07-20 00:19:01 -------- d-----w C:\Program Files\Yahoo!
2007-07-19 19:29:26 -------- d-----w C:\Program Files\Windows NT
2007-07-13 09:03:53 -------- d-----w C:\Program Files\QuickTime
2007-07-06 00:01:24 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-05 23:46:57 -------- d-----w C:\Program Files\Symantec
2007-07-05 23:46:47 -------- d-----w C:\Program Files\Norton Internet Security
2007-07-05 23:26:27 -------- d-----w C:\Program Files\Messenger
2007-07-02 20:47:07 -------- d-----w C:\Program Files\K-Lite Codec Pack
2007-07-02 12:14:49 -------- d-----w C:\Program Files\BigFix
2007-07-02 11:32:17 -------- d-----w C:\Program Files\Kodak
2007-06-19 23:21:23 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-06-19 21:15:12 34,580 ----a-w C:\WINDOWS\scunin.dat
2007-06-19 15:51:32 -------- d-----w C:\Program Files\AOL Toolbar
2007-06-19 05:53:23 -------- d-----w C:\Program Files\Bonjour
2007-06-18 19:41:51 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2007-06-18 18:13:58 -------- d-----w C:\Program Files\Alwil Software
2007-06-18 04:42:24 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-06-17 22:06:47 -------- d-----w C:\Program Files\Google
2007-06-17 10:15:54 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-06-17 09:13:05 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Google
2007-06-17 09:11:32 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Aim
2007-06-17 09:07:12 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SmartFTP
2007-06-17 08:43:44 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Ventrilo
2007-06-17 08:09:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SampleView
2007-06-17 05:36:05 -------- d-----w C:\Program Files\Ahead
2007-06-17 05:35:22 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-17 05:35:15 -------- d-----w C:\Program Files\America Online 9.0
2007-06-17 05:35:11 -------- d-----w C:\Program Files\AOL Companion
2007-06-17 05:35:07 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-17 05:35:05 -------- d-----w C:\Program Files\Pure Networks
2007-06-17 05:35:04 -------- d-----w C:\Program Files\Viewpoint
2007-06-17 05:35:04 -------- d-----w C:\Program Files\Learn2.com
2007-06-17 05:35:03 -------- d-----w C:\Program Files\Common Files\aolshare
2007-06-17 05:34:46 -------- d-----w C:\Program Files\Common Files\Nullsoft
2007-06-17 05:34:24 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-06-17 05:34:24 -------- d-----w C:\Program Files\Common Files\Real
2007-06-17 05:34:22 -------- d-----w C:\Program Files\Real
2007-06-17 05:33:31 335 ----a-w C:\WINDOWS\nsreg.dat
2007-06-17 05:33:21 -------- d-----w C:\Program Files\Microsoft Picture It! 10
2007-06-17 05:32:49 -------- d-----w C:\Program Files\Intel
2007-06-17 05:31:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 05:31:06 -------- d-----w C:\Program Files\Realtek
2007-06-17 05:31:05 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 05:30:12 -------- d-----w C:\Program Files\Digital Media Reader
2007-06-17 05:29:27 -------- d-----w C:\Program Files\Microsoft Works
2007-06-17 05:26:53 -------- d-----w C:\Program Files\Common Files\New Boundary
2007-06-17 05:18:57 -------- d-----w C:\Program Files\CONEXANT
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-17 21:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2007-06-17 00:36:19]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\vikoziwui.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nprxfmjA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
"C:\Program Files\Outerinfo\Outerinfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
"C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
"C:\Program Files\WinAntiSpyware 2007\was7.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\WINDOWS\TISKY009.exe SKY009

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 SunkFilt;Alcor Micro Corp Reader;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\SETUP.EXE

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-24 07:22:28 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 15:17:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 15:18:41
C:\ComboFix-quarantined-files.txt ... 2007-07-24 15:18
C:\ComboFix2.txt ... 2007-07-23 18:13

--- E O F ---

Blade81
2007-07-29, 18:37
Hi

Looks like bad files and registry entries are still there. Let's try another method.


Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nprxfmjA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)


* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says "Paste List of Files/Folders to be Moved", copy and paste the next part:

C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\nqstv.bak1
C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\oqtwa.bak1
C:\WINDOWS\nprxfmjA.exe
C:\WINDOWS\nprxfmj.exe
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\scunin.dat
C:\Temp
C:\VundoFix Backups

Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the next folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply with a new HijackThis log. Also re-run ComboFix and post its log.

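The triage the helper does by hand above (pick out the hidden+system files dropped straight into C:\WINDOWS and system32, the five-letter *.bak1 names, and the unhidden twin of nprxfmjA.exe, then hand the result to OTMoveIt) can be scripted against a ComboFix "Files Created" listing. This is an added example, not code from the thread or from ComboFix/OTMoveIt; the sample listing is a constructed excerpt in the same format, and the heuristics are my assumptions modelled on what the helper selected here, not a vendor signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the ComboFix "Files Created" format quoted in this thread.
SAMPLE_LISTING = """\
2007-07-23 17:57 51,200 --a------ C:\\WINDOWS\\nircmd.exe
2007-07-23 10:50 6,471 --ahs---- C:\\WINDOWS\\system32\\ijkmp.bak1
2007-07-23 08:13 6,471 --ahs---- C:\\WINDOWS\\system32\\ihkmp.bak1
2007-07-22 14:06 <DIR> d-------- C:\\Program Files\\SpywareGuard
2007-07-19 14:29 986,352 -r-hs---- C:\\WINDOWS\\nprxfmjA.exe
2007-07-19 14:29 54,784 --a------ C:\\WINDOWS\\nprxfmj.exe
2007-07-10 05:12 786,432 --ah----- C:\\DOCUME~1\\ADMINI~1.LIV\\NTUSER.DAT
2007-07-07 22:51 43,176 --a------ C:\\WINDOWS\\system32\\drivers\\aswTdi.sys
"""

# One listing line: timestamp, size or <DIR>, nine-character attribute field, path.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Assumed heuristics (mine, modelled on the helper's hand-picked list), not a vendor signature.
WINDOWS_ROOT = "c:\\windows"
SYSTEM32 = "c:\\windows\\system32"
BAK1_RE = re.compile(r"^[a-z]{5}\.bak1$")


def parse_listing(text):
    """Turn listing lines into dicts; banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        is_dir = m.group("size") == "<DIR>"
        entries.append({
            "stamp": m.group("stamp"),
            "size": None if is_dir else int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
            "is_dir": is_dir,
        })
    return entries


def suspicious_reasons(entry):
    """Reasons an entry belongs on the move list; an empty list means leave it alone."""
    if entry["is_dir"]:
        return []
    p = PureWindowsPath(entry["path"])
    parent = str(p.parent).lower()
    reasons = []
    # The 'h' and 's' attribute flags together mark a hidden+system file; a fresh one
    # sitting directly in the Windows root or system32 is what the helper moved out.
    if "h" in entry["attrs"] and "s" in entry["attrs"] and parent in (WINDOWS_ROOT, SYSTEM32):
        reasons.append("hidden+system file created directly in a Windows directory")
    if parent == SYSTEM32 and BAK1_RE.match(p.name.lower()):
        reasons.append("five-letter random *.bak1 name in system32")
    return reasons


def triage(text):
    """Map each flagged path to its reasons, then pull in the unhidden twin of a hidden exe."""
    entries = parse_listing(text)
    flagged = {e["path"]: suspicious_reasons(e) for e in entries if suspicious_reasons(e)}
    by_lower = {e["path"].lower(): e["path"] for e in entries if not e["is_dir"]}
    for path in list(flagged):
        p = PureWindowsPath(path)
        if p.stem.endswith("A"):  # nprxfmjA.exe was dropped beside nprxfmj.exe
            twin = str(p.with_name(p.stem[:-1] + p.suffix)).lower()
            if twin in by_lower and by_lower[twin] not in flagged:
                flagged[by_lower[twin]] = ["same name as a flagged hidden file, minus the trailing 'A'"]
    return flagged


def otmoveit_list(flagged):
    """Text for OTMoveIt's 'Paste List of Files/Folders to be Moved' pane, one path per line."""
    return "\n".join(sorted(flagged))


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for path, why in sorted(result.items()):
        print(f"{path}: {'; '.join(why)}")
    print("\n--- OTMoveIt paste list ---")
    print(otmoveit_list(result))
```

Run against a full ComboFix log it will also pick up legitimate hidden+system files, so the output is a review list, not something to feed to OTMoveIt unread.
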
Lancett
2007-07-30, 16:07
OTMoveIt Log:
C:\WINDOWS\system32\ijkmp.bak1 moved successfully.
C:\WINDOWS\system32\ihkmp.bak1 moved successfully.
C:\WINDOWS\system32\ghhkj.bak1 moved successfully.
C:\WINDOWS\system32\sttss.bak1 moved successfully.
C:\WINDOWS\system32\nqstv.bak1 moved successfully.
C:\WINDOWS\system32\svvwa.bak1 moved successfully.
C:\WINDOWS\system32\vycdd.bak1 moved successfully.
C:\WINDOWS\system32\cbadd.bak1 moved successfully.
C:\WINDOWS\system32\vvvwa.bak1 moved successfully.
C:\WINDOWS\system32\vyadd.bak1 moved successfully.
C:\WINDOWS\system32\hjkkj.bak1 moved successfully.
C:\WINDOWS\system32\oqtwa.bak1 moved successfully.
C:\WINDOWS\nprxfmjA.exe moved successfully.
C:\WINDOWS\nprxfmj.exe moved successfully.
C:\WINDOWS\system32\hhkmp.bak1 moved successfully.
C:\WINDOWS\scunin.dat moved successfully.
C:\Temp\brr moved successfully.
C:\Temp\0c2 moved successfully.
C:\Temp moved successfully.
C:\VundoFix Backups moved successfully.

Created on 07/30/2007 08:54:11

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:56:30 AM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{2151426D-7399-47B4-B6A0-0A3856B52225}: NameServer = 71.15.32.8,24.196.215.8
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Lancett
2007-07-30, 16:08
ComboFix Log:
"Owner" - 2007-07-30 8:57:40 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-29 07:50 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Hamachi
2007-07-29 07:49 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-07-29 07:49 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-29 07:49 <DIR> d-------- C:\Program Files\Hamachi
2007-07-29 07:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Creative
2007-07-29 07:27 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-07-29 07:24 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-29 07:23 <DIR> d-------- C:\Program Files\winMd5Sum
2007-07-29 07:08 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-29 07:00 <DIR> d-------- C:\Program Files\LucasArts
2007-07-27 19:48 <DIR> dr-h----- C:\MSOCache
2007-07-26 10:46 <DIR> d-------- C:\Program Files\Creative
2007-07-23 17:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 15:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\APPLIC~1\TMPGEncDVDAuthor3
2007-07-23 11:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\LEAPS
2007-07-23 11:27 53,248 --a------ C:\WINDOWS\system32\GenSvcInst.exe
2007-07-23 11:27 33,408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-07-23 11:27 118,784 --a------ C:\WINDOWS\system32\bgsvcgen.exe
2007-07-23 11:24 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-07-23 11:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pegasys Inc
2007-07-23 11:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Pegasys Inc
2007-07-23 03:32 <DIR> d-------- C:\DOCUME~1\Owner\p
2007-07-22 16:58 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-22 14:06 <DIR> d-------- C:\Program Files\SpywareGuard
2007-07-22 13:20 1,004 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-22 13:15 <DIR> d-------- C:\DOCUME~1\Owner\SmitfraudFix
2007-07-22 10:57 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-07-22 10:32 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-22 10:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-20 07:08 57,344 --a------ C:\WINDOWS\system32\CGZipLibrary.DLL
2007-07-20 07:08 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2007-07-20 07:08 <DIR> d-------- C:\Program Files\RegDoctor
2007-07-20 04:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 04:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-20 04:02 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-19 19:26 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-07-19 19:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-07-17 15:55 <DIR> d-------- C:\WINDOWS\SpaceForce - Rogue Universe
2007-07-17 15:55 <DIR> d-------- C:\Program Files\DreamCatcher
2007-07-17 15:44 <DIR> d-------- C:\Program Files\spaceforce
2007-07-16 15:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-07-13 04:02 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-13 04:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-12 20:18 672 --a------ C:\WINDOWS\mozver.dat
2007-07-12 20:18 <DIR> d-------- C:\Program Files\DivX
2007-07-10 05:12 786,432 --ah----- C:\DOCUME~1\ADMINI~1.LIV\NTUSER.DAT
2007-07-10 05:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\WINDOWS
2007-07-10 05:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.LIV\APPLIC~1\SampleView
2007-07-07 22:51 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-07 22:51 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-07 22:51 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-07 22:51 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-07 22:50 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-07 22:50 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-07 22:50 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-06 05:19 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-05 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-05 11:50 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-07-05 11:50 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-05 11:50 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-03 04:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-02 15:47 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-07-02 15:47 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:47 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-07-02 15:47 593,920 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-02 15:47 564,224 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-07-02 15:47 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-07-02 15:47 39,936 --a------ C:\WINDOWS\system32\huffyuv.dll
2007-07-02 15:47 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:47 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-07-02 15:47 217,088 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-07-02 15:47 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-02 15:47 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll
2007-07-02 15:47 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-07-02 15:14 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2007-07-02 14:41 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 14:41 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 14:39 <DIR> d-------- C:\Program Files\uTorrent
2007-07-02 14:17 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-02 07:06 28,672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-07-02 07:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-02 06:44 <DIR> d-------- C:\mIRC
2007-07-02 06:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-06-19 18:21 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-06-19 16:04 <DIR> d-------- C:\Program Files\PowerISO
2007-06-19 13:00 <DIR> d-------- C:\Zsnes
2007-06-19 11:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-19 00:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-19 00:51 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-06-19 00:50 <DIR> d-------- C:\WINDOWS\system32\color
2007-06-19 00:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-06-19 00:46 <DIR> d-------- C:\Program Files\Kodak
2007-06-18 14:47 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-06-18 14:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2007-06-18 13:36 <DIR> d-------- C:\Ventrilo
2007-06-18 13:22 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-06-18 13:16 <DIR> d-------- C:\WINDOWS\pss
2007-06-18 13:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-18 03:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-18 03:37 <DIR> d-------- C:\Program Files\Yahoo!


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 13:55:18 2,184 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-07-19 19:29:26 -------- d-----w C:\Program Files\Windows NT
2007-07-05 23:26:27 -------- d-----w C:\Program Files\Messenger
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-17 21:24]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 18:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 17:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ypagerps"=cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-07-29 07:49:27]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2007-06-17 00:36:19]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\vikoziwui.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 SunkFilt;Alcor Micro Corp Reader;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchBFII.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d208a90-3dcf-11dc-bef3-00038a000015}]
AutoRun\command- M:\LaunchBFII.exe

*Newly Created Service* - SPTD
*Newly Created Service* - UDFS

Contents of the 'Scheduled Tasks' folder
2007-07-30 07:02:09 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 09:03:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [2808] 0x84796B80


scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 9:05:05
C:\ComboFix-quarantined-files.txt ... 2007-07-30 09:04
C:\ComboFix2.txt ... 2007-07-24 15:18
C:\ComboFix3.txt ... 2007-07-23 18:13

--- E O F ---

Blade81
2007-07-30, 21:32
Good. :) Let's run Kaspersky online scanner to check if there's still something else that needs to be removed.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post with a fresh hjt log.




Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If you are having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

tashi
2007-08-15, 17:33
:scratch:

Due to lack of a response to helper this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.