PDA

View Full Version : Problems



ElloMate
2007-08-07, 06:04
I can't fix it, tried many times.

http://img234.imageshack.us/img234/2958/untitlednv1.png (http://imageshack.us)
Shot at 2007-08-06

ElloMate
2007-08-07, 21:08
Help pleaase :heart:

Blade81
2007-08-07, 21:37
Hi

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.

ElloMate
2007-08-07, 23:55
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:55:06 PM, on 07/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\IVAN\My Documents\Spyware programs\hijackthis\HiJackThis_v2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} (CNeopleInstallAXCtlJap6 Object) - http://down.hangame.co.jp/jp/pudn/pubarad/Installer/arad_dis.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

--
End of file - 1614 bytes

Blade81
2007-08-08, 07:11
Hi

Rename HijackThis.exe file -> anything.exe and post a fresh hjt log, please :)

ElloMate
2007-08-08, 23:07
Hi

Rename HijackThis.exe file -> anything.exe and post a fresh hjt log, please :)

Which Hijack File do I rename? I renamed the Trend micro version one.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:07:06 PM, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\IVAN\My Documents\Spyware programs\hijackthis\Dunno.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} (CNeopleInstallAXCtlJap6 Object) - http://down.hangame.co.jp/jp/pudn/pubarad/Installer/arad_dis.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 2434 bytes

Blade81
2007-08-08, 23:14
Yeah, you renamed right file :) Let's see what Combofix finds.

1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply with a fresh hjt log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall

PS. You seem to have both AVG Anti virus 7 and Avast running. It's not recommended to have more than one AV product active in same system.

ElloMate
2007-08-08, 23:37
ComboFix 07-08-07.6 - "IVAN" 2007-08-08 16:23:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.41 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\IVAN\Desktop.\internet explorer.lnk
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-07 22:11 <DIR> d-------- C:\Program Files\MSBuild
2007-08-07 22:03 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-08-07 22:01 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-08-07 22:01 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-08-06 21:56 <DIR> d----c--- C:\kav
2007-08-06 21:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-06 21:09 <DIR> d-------- C:\Program Files\Flagship Studios
2007-08-03 20:07 311,488 --a------ C:\WINDOWS\system32\GHSEngine.dll
2007-08-03 20:07 190,144 --a------ C:\WINDOWS\system32\GHScanLoad.dll
2007-08-03 20:07 136,896 --a------ C:\WINDOWS\system32\GHService.dll
2007-08-03 18:16 41,648 --a------ C:\WINDOWS\system32\HanGamePlugin19.dll
2007-08-03 16:36 <DIR> d-------- C:\WINDOWS\system32\tr-tr
2007-08-03 16:36 <DIR> d-------- C:\WINDOWS\system32\th-th
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\sv-se
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\sl-si
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\sk-sk
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\ru-ru
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\ro-ro
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\pt-pt
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\pt-br
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\pl-pl
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\nl-nl
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\nb-no
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\lv-lv
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\lt-lt
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\ko-kr
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\ja-jp
2007-08-03 16:35 <DIR> d-------- C:\WINDOWS\system32\it-it
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\zh-tw
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\zh-cn
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\hu-hu
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\hr-hr
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\he-il
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\fr-fr
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\fi-fi
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\et-ee
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\es-es
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\el-gr
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\de-de
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\da-dk
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\bg-bg
2007-08-03 16:34 <DIR> d-------- C:\WINDOWS\system32\ar-sa
2007-08-02 21:09 128,488 --a------ C:\WINDOWS\system32\HGReport.dll
2007-08-02 21:09 124,616 --a------ C:\WINDOWS\system32\PubPlugin.dll
2007-08-02 20:22 <DIR> d-------- C:\Program Files\DNF
2007-08-02 19:19 <DIR> d-------- C:\Program Files\Neffy
2007-08-02 19:11 <DIR> d-------- C:\Program Files\Softrun
2007-08-02 19:09 898,848 --a------ C:\WINDOWS\system32\SCSKAppLink.dll
2007-08-02 19:09 164,373 --a------ C:\WINDOWS\system32\drivers\scskusbs.sys
2007-08-02 19:09 11,385 --a------ C:\WINDOWS\system32\drivers\scskusbf.sys
2007-08-02 19:05 956,112 --a------ C:\WINDOWS\system32\HanWebMsg1050.dll
2007-08-02 14:41 <DIR> d----c--- C:\Hangame
2007-08-01 22:37 <DIR> d-------- C:\Program Files\MetaStream
2007-08-01 20:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-01 18:54 <DIR> d-------- C:\DOCUME~1\IVAN\APPLIC~1\NHN Corporation
2007-08-01 09:37 <DIR> d-------- C:\Program Files\VentSrv
2007-07-31 10:12 <DIR> d-------- C:\Program Files\Trillian
2007-07-27 22:41 <DIR> d-------- C:\Program Files\Executive Software
2007-07-26 14:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-25 15:44 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-07-25 14:30 <DIR> d-------- C:\DOCUME~1\IVAN\APPLIC~1\GetRightToGo
2007-07-24 15:46 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-07-24 08:12 <DIR> d-------- C:\Program Files\uTorrent
2007-07-23 13:22 <DIR> d-------- C:\DOCUME~1\IVAN\APPLIC~1\Hamachi
2007-07-23 13:18 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-07-14 03:05 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-14 03:05 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-14 03:05 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-14 03:04 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-14 03:04 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-14 03:04 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-14 03:04 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-14 03:04 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-11 11:07 <DIR> d----c--- C:\ijji
2007-07-11 11:06 <DIR> d--h----- C:\DOCUME~1\IVAN\APPLIC~1\IJJIGame
2007-07-11 10:43 <DIR> d-------- C:\Program Files\LimeWire
2007-07-10 09:22 <DIR> d---s---- C:\Program Files\Xfire
2007-07-08 07:29 <DIR> d-------- C:\Program Files\Ventrilo


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 16:14 --------- d-------- C:\DOCUME~1\IVAN\APPLIC~1\gtk-2.0
2007-08-02 20:22 65536 --a--c--- C:\WINDOWS\IFinst27.exe
2007-08-02 19:09 34496 --a--c--- C:\WINDOWS\system32\UnSCSK.exe
2007-08-01 19:58 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-01 10:10 --------- d-------- C:\DOCUME~1\IVAN\APPLIC~1\Ventrilo
2007-08-01 09:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 20:07 --------- d-------- C:\DOCUME~1\IVAN\APPLIC~1\Xfire
2007-07-27 17:01 --------- d-------- C:\DOCUME~1\IVAN\APPLIC~1\uTorrent
2007-07-26 14:45 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 01:49 --------- d-------- C:\Program Files\Wise Registry Cleaner
2007-07-19 13:54 --------- d-------- C:\Program Files\Google
2007-07-18 17:15 644552 --a------ C:\WINDOWS\system32\HanSetup.exe
2007-07-09 12:00 --------- d-------- C:\Program Files\DivX
2007-07-04 09:54 --------- d-------- C:\Program Files\SystemRequirementsLab
2007-07-04 09:54 --------- d-------- C:\DOCUME~1\IVAN\APPLIC~1\SystemRequirementsLab
2007-07-04 07:31 152576 --a------ C:\WINDOWS\system32\bnts.dll
2007-07-02 15:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 15:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-01 10:39 4 -r-hs---- C:\MSDOS.BIN
2007-06-23 00:09 --------- d-------- C:\Program Files\Winamp
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 05:56 335 --a--c--- C:\WINDOWS\nsreg.dat
2007-05-31 22:30 266088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-05-31 22:29 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-05-26 10:18 1092 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-22 20:12 22016 --a------ C:\WINDOWS\system32\winsys32.dll
2007-05-20 15:38 0 -ra------ C:\logwmemory.bin
2007-05-16 20:14 1548 --a--c--- C:\WINDOWS\mozver.dat
2007-05-16 19:45 443752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-05-16 19:45 3497832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-05-16 19:45 1124720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-01-10 23:07 94 --a--c--- C:\Program Files\clean.bat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-31 11:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"RestrictCpl"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoInstrumentation"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"C:\Program Files\Alwil Software\Avast4\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\system32\drivers\cpuidlep.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 NWCWorkstation;Client Service for NetWare;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 ltmodem5;LT Modem Driver;C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
R3 NWRDR;NetWare Rdr;C:\WINDOWS\system32\DRIVERS\nwrdr.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
S3 AdWatchDrv;AW Realtime Driver;\??\C:\WINDOWS\system32\drivers\AWRTPD.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\Hangame\JAPANESE\pubarad\GameGuard\dump_wmimmc.sys
S3 EagleNT;EagleNT;\??\C:\WINDOWS\system32\drivers\EagleNT.sys
S3 FileObjInfo;STFileDriver;\??\C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys
S3 scsk4;SCSK4 Driver Service;C:\WINDOWS\system32\drivers\scsk4.sys
S3 XDva002;XDva002;\??\C:\WINDOWS\system32\XDva002.sys
S3 XDva007;XDva007;\??\C:\WINDOWS\system32\XDva007.sys
S3 XDva008;XDva008;\??\C:\WINDOWS\system32\XDva008.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys
S4 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
S4 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR


Contents of the 'Scheduled Tasks' folder
2007-07-26 18:39:56 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 16:29:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\\n0\x152[\x17d\26NLuMQ9\x8dHr\v0]
"Order"=hex:08,00,00,00,02,00,00,00,28,01,00,00,01,00,00,00,02,00,00,00,8a,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D70A4986-6884-AC22-F464-E9E0F7DF29C3}]
"bbdpogipcceglapofdalafamlahmjkdncnpe"=hex:6a,61,69,63,61,61,65,6f,69,6e,64,66,6c,64,6c,6d,65,63,69,69,00,..
"abfokcniidlhicjdomndclimciboaniico"=hex:6a,61,69,63,6a,6f,68,6f,68,63,69,69,6e,69,6e,6e,6f,6d,6e,63,00,..
"iadpogipcceglapofd"=hex:61,61,00,01
"hafokcniidlhicjd"=hex:61,61,00,01
"iapminkfpjnijndhgh"=hex:61,61,00,01
"bbdpogipcceglapofdalafamlahmkkadkpmm"=hex:6a,61,69,63,61,61,65,6f,69,6e,64,66,6c,64,6c,6d,65,63,69,69,00,..
"abfokcniidlhicjdomndclimcimojjghad"=hex:6a,61,69,63,61,61,65,6f,69,6e,64,66,6c,64,6c,6d,65,63,69,69,00,..
"bbdpogipcceglapofdalgfckjaffemfnoaab"=hex:6a,61,69,63,61,61,65,6f,69,6e,64,66,6c,64,6c,6d,65,63,69,69,00,..
"abfokcniidlhicjdomldmkblhjjajojidl"=hex:6a,61,69,63,61,61,65,6f,69,6e,64,66,6c,64,6c,6d,65,63,69,69,00,..
"bbdpogipcceglapofdalgfcknaagnnakebkg"=hex:6a,61,69,63,61,61,65,6f,69,6e,64,66,6c,64,6c,6d,65,63,69,69,00,..
"abfokcniidlhicjdomldmknkjmohpkjcfg"=hex:6a,61,69,63,61,61,65,6f,69,6e,64,66,6c,64,6c,6d,65,63,69,69,00,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 16:34:42
C:\ComboFix-quarantined-files.txt ... 2007-08-08 16:33

--- E O F ---

ElloMate
2007-08-08, 23:38
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:37:32 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\IVAN\My Documents\Spyware programs\hijackthis\Dunno.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} (CNeopleInstallAXCtlJap6 Object) - http://down.hangame.co.jp/jp/pudn/pubarad/Installer/arad_dis.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 2483 bytes

ElloMate
2007-08-09, 06:04
*Bumps* :oops:

Blade81
2007-08-09, 21:02
Didn't find anything. So is those virtumonde entries in screenshot main problem? Maybe you could post Spybot log. :)

ElloMate
2007-08-10, 01:01
Didn't find anything. So is those virtumonde entries in screenshot main problem? Maybe you could post Spybot log. :)

How do you post an Spybot log?

ElloMate
2007-08-10, 16:54
How do you post an Spybot log?

Nevermind found out.



--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Common Dialogs: History (2 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS DirectInput: Last mapped application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\ID!=

MS DirectInput: Last mapped application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\Name!=

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\Search Assistant\ACMru

Windows Explorer: Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-861567501-413027322-725345543-1003\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: Cookie (7) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-01-13 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-08 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-08 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-08 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-08 Includes\MalwareC.sbi (*)
2007-08-08 Includes\PUPS.sbi (*)
2007-08-08 Includes\PUPSC.sbi (*)
2007-08-08 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-08 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-08 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-08-01 Includes\Trojans.sbi (*)
2007-08-08 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/917283
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/922770
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/928365
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP / SP0: Windows Internet Explorer 7 Multilingual User Interface (MUI)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888240
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Security Update for Windows XP (KB933566)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0

ElloMate
2007-08-10, 22:36
*Bump* I need help~:red:

Blade81
2007-08-11, 02:08
Hi

I'll get back to you after getting someone to help me with this. Meanwhile I've got a couple of questions for you.

It looks like you've disabled some services and startup items thru msconfig. Any reason for this?

Did you run Spybot in safe mode as instructed in BEFORE you POST (http://forums.spybot.info/showthread.php?t=288) sticky?

ElloMate
2007-08-11, 03:31
Hi

I'll get back to you after getting someone to help me with this. Meanwhile I've got a couple of questions for you.

It looks like you've disabled some services and startup items thru msconfig. Any reason for this?

Did you run Spybot in safe mode as instructed in BEFORE you POST (http://forums.spybot.info/showthread.php?t=288) sticky?

Oops sorry, forgot to run in Safe mode. I'll post an report tomorrow/:angel:

tashi
2007-08-21, 20:09
Due to lack of feedback this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.