View Full Version : Persistent Problem
I have a problem with DriveCleaner & Smitfraud C Core Service malware. They have been in my computer for a month. I tried using Spybot, Ad-Aware and Windows Defender to remove the problems. Spybot was the most effective, but the two types of malware mentioned above still remain. I read a post from someone who has a similar problem. I downloaded HJT and here is the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:23 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winntify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\sruuenuu.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\svchost.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
--
End of file - 6149 bytes
I would appreciate any assistance anyone can provide to rid me of this problem.
Angelfire777
2007-08-07, 13:10
Hi, welcome to Safer Networking Forums!
I edited the red out of your HijackThis log; it's hurting my eyes a bit.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.
__________
Download combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)
1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
___________
HJT Uninstall list
Open HijackThis > Click "Misc Tools Section"
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.
Angelfire
Sorry it took so long for the response. Here are the logfiles you wanted.
SDFix
SDFix: Version 1.96
Run by Administrator on Wed 08/08/2007 at 09:15 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\3742351 - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
C:\WINDOWS\Web\PRINTERS\caccp.dll
C:\WINDOWS\SYSTEM32\180axp.exe
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG
Finished
Combofix
ComboFix 07-08-09.4 - "Administrator" 2007-08-08 21:31:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.237 [GMT -6:00]
((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))
2007-08-08 21:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-08 20:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 00:29 <DIR> d-------- C:\Program Files\RegScrubXP
2007-07-28 16:47 <DIR> d-------- C:\Program Files\Setup NetZero
2007-07-28 16:36 <DIR> d-------- C:\Program Files\Cosmi
2007-07-28 12:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-28 10:49 126,016 --a------ C:\WINDOWS\SYSTEM32\qqcqrrhd.dll
2007-07-28 10:49 109 --ahs---- C:\WINDOWS\SYSTEM32\3367116517.dat
2007-07-28 10:48 46,913 -rahs---- C:\WINDOWS\SYSTEM32\180axp.exe
2007-07-23 21:29 174,121 --a------ C:\WINDOWS\SYSTEM32\dnc8b21ee5.dat
2007-07-21 12:59 6,489 --ahs---- C:\WINDOWS\SYSTEM32\nnnmp.bak1
2007-07-19 22:36 5,730,304 --a------ C:\WINDOWS\ToolkitPro1112vc80U.dll
2007-07-19 22:26 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-07-19 22:26 1,053,184 --a------ C:\WINDOWS\SYSTEM32\MFC71u.dll
2007-07-19 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MediaComplete
2007-07-19 22:02 68,888 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2007-07-19 22:02 62,744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2007-07-19 22:02 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2007-07-19 22:02 255,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_6.dll
2007-07-19 22:02 251,672 --a------ C:\WINDOWS\SYSTEM32\xactengine2_5.dll
2007-07-19 22:02 237,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_4.dll
2007-07-19 22:02 236,824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2007-07-19 22:02 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2007-07-19 22:02 15,128 --a------ C:\WINDOWS\SYSTEM32\x3daudio1_1.dll
2007-07-19 22:01 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-19 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-07-19 21:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-07-16 00:17 <DIR> d-------- C:\Program Files\QuickTime
2007-07-16 00:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-16 00:15 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-16 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-15 04:01 <DIR> d-------- C:\spoolerlogs
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-08 20:12 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-03 17:48 37440 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-19 23:32 --------- d-------- C:\Program Files\Google
2007-07-19 22:36 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-07 14:00 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-07 13:03 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-07 13:00 --------- d-------- C:\Program Files\Messenger
2007-07-07 09:09 --------- d-------- C:\Program Files\Windows Defender
2007-07-07 00:58 --------- d-------- C:\Program Files\Movie Maker
2007-07-07 00:51 --------- d-------- C:\Program Files\Windows NT
2007-07-06 22:21 11665 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-03 23:34 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-03 19:38 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-07-03 15:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 13:12 384 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb6334.dat
2007-07-03 13:12 212 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb8467.dat
2007-07-03 13:12 18432 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb41.dat
2007-07-03 12:06 --------- d-------- C:\Program Files\Lavasoft
2007-07-02 17:25 --------- d-------- C:\Program Files\LimeWire
2007-07-02 17:03 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-07-02 13:36 841 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-07-02 13:36 801 --a------ C:\WINDOWS\system32\drivers\system_stable_header_small.gif
2007-07-02 13:36 6533 --a------ C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
2007-07-02 13:36 579 --a------ C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-07-02 13:36 567 --a------ C:\WINDOWS\system32\drivers\users_rating.gif
2007-07-02 13:36 5097 --a------ C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-07-02 13:36 291 --a------ C:\WINDOWS\system32\drivers\v.gif
2007-07-02 13:36 283 --a------ C:\WINDOWS\system32\drivers\x.gif
2007-07-02 13:36 1636 --a------ C:\WINDOWS\system32\drivers\system_stable_header.gif
2007-07-02 13:36 15075 --a------ C:\WINDOWS\system32\drivers\system_stable_box.jpg
2007-07-02 13:36 14484 --a------ C:\WINDOWS\system32\drivers\protect.gif
2007-07-02 13:36 13618 --a------ C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-07-02 13:36 1139 --a------ C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-07-02 13:35 945 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
2007-07-02 13:35 811 --a------ C:\WINDOWS\system32\drivers\download_btn.gif
2007-07-02 13:35 746 --a------ C:\WINDOWS\system32\drivers\buy_btn.gif
2007-07-02 13:35 737 --a------ C:\WINDOWS\system32\drivers\logo_bg.gif
2007-07-02 13:35 6575 --a------ C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-07-02 13:35 64 --a------ C:\WINDOWS\system32\drivers\close_icon.gif
2007-07-02 13:35 6373 --a------ C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-07-02 13:35 580 --a------ C:\WINDOWS\system32\drivers\features.gif
2007-07-02 13:35 50169 --a------ C:\WINDOWS\system32\drivers\pt.htm
2007-07-02 13:35 4825 --a------ C:\WINDOWS\system32\drivers\detect.htm
2007-07-02 13:35 4557 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-07-02 13:35 427 --a------ C:\WINDOWS\system32\drivers\4_stars.gif
2007-07-02 13:35 365 --a------ C:\WINDOWS\system32\drivers\5_stars.gif
2007-07-02 13:35 360 --a------ C:\WINDOWS\system32\drivers\header_bg.gif
2007-07-02 13:35 3099 --a------ C:\WINDOWS\system32\drivers\logo.gif
2007-07-02 13:35 2186 --a------ C:\WINDOWS\system32\drivers\alert_icon.gif
2007-07-02 13:35 1804 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-07-02 13:35 10260 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-07-02 13:35 1014 --a------ C:\WINDOWS\system32\drivers\icon_warning.gif
2007-07-02 13:22 2624 --a------ C:\WINDOWS\system32\kwsmqdjn.exe
2007-07-02 00:57 --------- d-------- C:\Program Files\Apoint
2007-07-02 00:56 22592 --a------ C:\WINDOWS\system32\byv0hdmb.exe
2007-06-22 20:27 --------- d-------- C:\Program Files\Memorex exPressit Label Design Studio
2007-06-22 20:27 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-21 21:55 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-05-16 09:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2004-09-23 12:24 168 --a------ C:\Program Files\INSTALL.LOG
2004-09-23 15:19:25 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0431009B-E58F-43CE-BD77-4012E8748EAC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
2007-07-22 21:26 593920 ---hs---- C:\WINDOWS\Web\PRINTERS\caccp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7960907-53C8-40C2-BB80-259057434C3C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-26 12:01]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 14:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 19:59]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 12:36:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe [2005-08-18 17:09:58]
DESKTOP.INI [2002-09-03 12:36:04]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-24 14:01:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caccp]
C:\WINDOWS\Web\PRINTERS\caccp.dll 2007-07-22 21:26 593920 C:\WINDOWS\Web\PRINTERS\caccp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljhhg]
C:\WINDOWS\system32\ljhhg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrs]
C:\WINDOWS\System32\rqrrs.dll
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S2 SCardSvrgusvc;Smart Card SCardSvrgusvc;C:\WINDOWS\system32\180axp.exe srv
S3 BEFCMV3XP;Linksys BEFCMU10 EtherFast Cable Modem;C:\WINDOWS\system32\DRIVERS\BEFCM3XP.sys
S3 BLKWGN;Belkin Wireless G Notebook Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGN.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tni3DC.tmp
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\wlanndi5.SYS
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c2c9231-c854-11da-9c41-000bdb1cbb75}]
AutoRun\command- E:\wd_windows_tools\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}]
C:\WINDOWS\system32\tmrsrv32.exe
Contents of the 'Scheduled Tasks' folder
2007-08-04 20:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 20:59:59 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At21.job
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At25.job
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At27.job
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 08:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At35.job
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 05:00:00 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 10:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 11:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 12:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 13:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 14:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-09 03:28:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 21:36:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-08 21:40:13
C:\ComboFix-quarantined-files.txt ... 2007-08-08 21:39
C:\ComboFix2.txt ... 2007-08-08 20:55
--- E O F ---
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:53 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
--
End of file - 5437 bytes
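The two logs above show the same persistence pattern from several angles: copies of svchost.exe living outside system32 (in C:\WINDOWS\system32\drivers\ and in the Administrator profile), a service with no vendor string pointing at 180axp.exe, Winlogon Notify DLLs, and two random-named executables relaunched by hourly At*.job scheduled tasks. What follows is an added example, not part of this thread and not code from HijackThis, SDFix or ComboFix: a small Python triage script that applies those observations as heuristics to log lines. The sample lines are copied from the logs posted above; the heuristics themselves (which binary names are treated as protected, what counts as a random-looking name, how many At jobs per target are suspicious) are my own assumptions and will produce false positives, so treat the output as a shortlist to check, not a verdict on any file.

```python
"""Triage heuristics for HijackThis / ComboFix log lines.

Added example for this thread; it is not part of HijackThis, SDFix or
ComboFix and not something the forum helper posted.  The sample lines are
copied from the logs above.  Which lines count as suspicious is my own
assumption: a Windows system-binary name outside its home directory, a
service with no vendor string, a random-looking file name, and one target
launched by several At*.job scheduled tasks.  These are triage hints that
produce false positives, not a verdict on any file.
"""
import re
from collections import Counter

# Assumption: on Windows XP these binaries live only in system32.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}

# First drive-rooted path ending in .exe/.dll/.sys inside a Run value.
PATH_RE = re.compile(r'[a-z]:\\[^",]*?\.(?:exe|dll|sys)(?=["\s,]|$)', re.I)
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<value>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<rest>.*)$')
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<job>\S+\.job)(?: - (?P<target>.*))?$', re.I)
# Letter-digit-letter runs or a leading digit block: CqW5k0OS, byv0hdmb, 180axp.
RANDOM_NAME_RE = re.compile(r"[a-z]\d[a-z]|^\d{2,}[a-z]", re.I)

# Copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\sruuenuu.dll",forkonce
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
2007-08-04 20:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-08 06:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\CqW5k0OS.exe
2007-08-08 07:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\byv0hdmb.exe
2007-08-08 09:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\byv0hdmb.exe
"""


def parse_line(line):
    """Return (kind, label, owner, path) for O4 Run, O23 Service and
    scheduled-task lines; None for anything else."""
    m = RUN_RE.match(line)
    if m:
        p = PATH_RE.search(m.group("value"))
        return "run", m.group("name"), None, (p.group(0) if p else None)
    m = SERVICE_RE.match(line)
    if m:
        parts = m.group("rest").rsplit(" - ", 2)  # display - owner - path
        if len(parts) != 3:
            return None
        display, owner, path = parts
        return "service", display, owner, path.strip()
    m = TASK_RE.match(line)
    if m:
        job = m.group("job").rsplit("\\", 1)[-1]
        return "task", job, None, m.group("target")
    return None


def impersonates_system_binary(path):
    """True when a protected binary name sits outside its expected directory."""
    directory, _, name = path.lower().rpartition("\\")
    homes = SYSTEM_BINARY_HOMES.get(name)
    return homes is not None and directory not in homes


def looks_random(path):
    """Coarse check for generated names; legitimate names can trip it too."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= 6 and RANDOM_NAME_RE.search(stem) is not None


def triage(lines, min_at_jobs=2):
    """Return a sorted list of (lower-cased path, reason) pairs."""
    findings = set()
    at_targets = Counter()
    for raw in lines:
        parsed = parse_line(raw.strip())
        if parsed is None or parsed[3] is None:
            continue
        kind, label, owner, path = parsed
        key = path.lower()
        if impersonates_system_binary(path):
            findings.add((key, "system binary name outside its home directory"))
        if looks_random(path):
            findings.add((key, "random-looking file name"))
        if kind == "service" and owner == "Unknown owner":
            findings.add((key, "service with no vendor information"))
        if kind == "task" and re.match(r"At\d+\.job$", label, re.I):
            at_targets[key] += 1
    for target, n in at_targets.items():
        if n >= min_at_jobs:
            findings.add((target, f"launched by {n} At*.job scheduled tasks"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES.splitlines()):
        print(f"{path}: {reason}")
```

Run it as a script to print the shortlist for the embedded lines, or pass the lines of a saved log to triage(). Note that the SystemOptimizer entry loading sruuenuu.dll through rundll32 passes all four checks, which is why a name-based shortlist is only a starting point and the real log (24 At jobs per binary, one per hour) has to be read in full.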
Angelfire777
2007-08-09, 14:04
Before we continue, please include the HJT uninstall list that I asked for.
Sorry, but I didn't see what you were looking for. I did find it, but the uninstall button didn't create a report that would save to the desktop. I restarted the computer, but now it will not move from BIOS to the Windows logo. I have restarted it numerous times, but it hangs on the BIOS screen. I've tried using both the F2 (Setup) & the F12 (Boot Menu) BIOS functions. The BIOS meter shows that it almost will boot into Windows, but it does not, for whatever reason. I await your reply.
Angelfire777
2007-08-10, 07:40
Can you boot to safe mode..?
Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
Can you please provide a detailed description of how this happened (i.e. what you were doing, did you install/uninstall software, did you receive an error of some sort, etc.)?
I cannot boot to safe mode.
After realizing how to find the uninstall list, I did the following actions:
I clicked on the Misc Tools button to open the uninstall list.
It opened, but it did not open a dialog box to save to the desktop.
I closed the uninstall list.
I double-clicked on HJT again to open the program.
Received a message saying that HJT was already running, but I didn't see the program.
Opened Task Manager to see if it was running in the background, but it was not.
Restarted the computer.
Computer logged off.
Rebooted into the BIOS screen with about 95% on the meter.
Computer hangs on the BIOS screen with no further response.
This is everything that led me to this point.
Angelfire777
2007-08-10, 17:04
Hello..I'm not sure what happened, I'm currently asking for some experts' advice...
I'll have something for you soon.
Angelfire777
2007-08-10, 17:46
Let's try this:
Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to "Last known configuration"> Hit enter.
If it still won't, try to boot from DOS prompt then type these in:
C:\Windows\System32\restore\rstrui.exe
See if you can get system restore to work..
Tell me how it goes.
Found the problem: my son hooked his iPod into the computer. It probably was looking for the "extra" drive and didn't know what to do with it.
Here is what you asked for, the HJT uninstall list. It doesn't save to a report, so I had to zip it. You should see 4 files which show the uninstall list from HJT.
Thank you for your assistance. Looking forward to hearing from you now that the boot problem is taken care of.
Angelfire777
2007-08-11, 10:32
Hi,
Good to know that it was only that! :D
_________
*Uninstall the items in bold if found:
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
*An optional that I would recommend be uninstalled.
LimeWire
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.
*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.
Delete the following folders if you uninstalled LimeWire..
C:\Program Files\LimeWire
C:\Documents and Settings\Administrator\Application Data\LimeWire
Empty your recycle bin.
_________
Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm028YYUS
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
Combofix Deletions
Open notepad.
Copy and paste the text inside the code box below to notepad
http://forums.spybot.info/showthread.php?t=16660
File::
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\System32\CqW5k0OS.exe
C:\WINDOWS\SYSTEM32\3367116517.dat
C:\WINDOWS\system32\ljhhg.dll
C:\WINDOWS\System32\rqrrs.dll
C:\WINDOWS\Web\PRINTERS\caccp.dll
C:\WINDOWS\SYSTEM32\nnnmp.bak1
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\system_stable_header_small.gif
C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\system_stable_header.gif
C:\WINDOWS\system32\drivers\system_stable_box.jpg
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\logo.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\kwsmqdjn.exe
C:\WINDOWS\system32\byv0hdmb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tni3DC.tmp
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Folder::
C:\Program Files\Cosmi
Driver::
TnIDriver
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0431009B-E58F-43CE-BD77-4012E8748EAC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7960907-53C8-40C2-BB80-259057434C3C}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caccp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljhhg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrs]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}]
Collect::
C:\WINDOWS\SYSTEM32\qqcqrrhd.dll
Dirlook::
C:\spoolerlogs
Save and Name it as "CFScript"
Drag and drop CFScript.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img263.imageshack.us/img263/9894/cfscriptno0.gif
Combofix will restart your machine and then produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.
Additionally, please follow all of combofix's instructions regarding the submission of some malware for analysis and make sure that you don't leave that part out.
________
I would like you to scan a file for me.
Please go HERE (http://virusscan.jotti.org/). Copy and paste the following file path in to the box.
C:\WINDOWS\SYSTEM32\180axp.exe
Then click submit.
Do the same for this file:
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
Please post the results to your next reply.
If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
__________
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under "Select a target to scan", select My Computer.
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
__________
On your next reply, please include a
Fresh HijackThis log.
Kaspersky scan log.
Jotti scan log.
combofix log.
Ok I followed your instructions and here are the results:
Uninstalled both of the Java programs
Uninstalled the Limewire and the program folder
Emptied Recycle Bin
Deleted both items in HJT
Cut & pasted code into Combofix & submitted to bleeping computer and received the following:
Submit malware to Bleeping Computer for analysis.
Copy/Paste the filepath below into the box above and click Send.
C:\DOCUME~1\ADMINI~1\Desktop.\[4]-Submit_2007-08-11_ 23127.66.zip
Malware Submission
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
As you asked, the following files were not found on my system.
C:\WINDOWS\SYSTEM32\180axp.exe
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
I manually looked for the files and, when I didn't find them, I used the search feature. So there is no Jotti log for these files.
The Kaspersky, Combofix and HJT logs are attached.
________
ComboFix 07-08-09.4 - "Administrator" 2007-08-11 22:11:58.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.313 [GMT -6:00]
((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))
2007-08-11 22:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-08-11 03:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-11 03:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-11 03:03 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-11 02:36 109 --a------ C:\WINDOWS\SYSTEM32\3367116517.dat
2007-08-08 21:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-08 20:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 00:29 <DIR> d-------- C:\Program Files\RegScrubXP
2007-07-28 16:47 <DIR> d-------- C:\Program Files\Setup NetZero
2007-07-28 12:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-28 10:48 46,913 -rahs---- C:\WINDOWS\SYSTEM32\180axp.exe
2007-07-23 21:29 174,121 --a------ C:\WINDOWS\SYSTEM32\dnc8b21ee5.dat
2007-07-19 22:36 5,730,304 --a------ C:\WINDOWS\ToolkitPro1112vc80U.dll
2007-07-19 22:26 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-07-19 22:26 1,053,184 --a------ C:\WINDOWS\SYSTEM32\MFC71u.dll
2007-07-19 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MediaComplete
2007-07-19 22:02 68,888 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2007-07-19 22:02 62,744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2007-07-19 22:02 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2007-07-19 22:02 255,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_6.dll
2007-07-19 22:02 251,672 --a------ C:\WINDOWS\SYSTEM32\xactengine2_5.dll
2007-07-19 22:02 237,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_4.dll
2007-07-19 22:02 236,824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2007-07-19 22:02 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2007-07-19 22:02 15,128 --a------ C:\WINDOWS\SYSTEM32\x3daudio1_1.dll
2007-07-19 22:01 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-19 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-07-19 21:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-07-16 00:17 <DIR> d-------- C:\Program Files\QuickTime
2007-07-16 00:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-16 00:15 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-16 00:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-15 04:01 <DIR> d-------- C:\spoolerlogs
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-11 02:08 --------- d-------- C:\Program Files\ELPLink3
2007-08-08 20:12 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-03 17:48 37440 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-19 23:32 --------- d-------- C:\Program Files\Google
2007-07-19 22:36 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-07 14:00 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-07 13:03 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-07 13:00 --------- d-------- C:\Program Files\Messenger
2007-07-07 09:09 --------- d-------- C:\Program Files\Windows Defender
2007-07-07 00:58 --------- d-------- C:\Program Files\Movie Maker
2007-07-07 00:51 --------- d-------- C:\Program Files\Windows NT
2007-07-06 22:21 11665 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-03 23:34 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-03 19:38 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-07-03 15:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-03 13:12 384 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb6334.dat
2007-07-03 13:12 212 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb8467.dat
2007-07-03 13:12 18432 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\internaldb41.dat
2007-07-03 12:06 --------- d-------- C:\Program Files\Lavasoft
2007-07-02 00:57 --------- d-------- C:\Program Files\Apoint
2007-06-22 20:27 --------- d-------- C:\Program Files\Memorex exPressit Label Design Studio
2007-06-22 20:27 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-21 21:55 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-05-16 09:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 09:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 09:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 09:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 09:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2004-09-23 12:24 168 --a------ C:\Program Files\INSTALL.LOG
2004-09-23 15:19:25 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-26 12:01]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 14:32]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 19:59]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 12:36:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe [2005-08-18 17:09:58]
DESKTOP.INI [2002-09-03 12:36:04]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-24 14:01:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]
R0 DevUpper;TI UltraMedia CardBus Controller Filter Driver;C:\WINDOWS\system32\DRIVERS\tiumflt.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 tiumfwl;tiumfwl;C:\WINDOWS\system32\drivers\tiumfwl.sys
S2 SCardSvrgusvc;Smart Card SCardSvrgusvc;C:\WINDOWS\system32\180axp.exe srv
S3 BEFCMV3XP;Linksys BEFCMU10 EtherFast Cable Modem;C:\WINDOWS\system32\DRIVERS\BEFCM3XP.sys
S3 BLKWGN;Belkin Wireless G Notebook Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGN.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NAVAP;NAVAP;\??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\wlanndi5.SYS
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c2c9231-c854-11da-9c41-000bdb1cbb75}]
AutoRun\command- E:\wd_windows_tools\setup.exe
*Newly Created Service* - HTTPFILTER
Contents of the 'Scheduled Tasks' folder
2007-08-11 20:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-11 16:00:01 C:\WINDOWS\Tasks\At35.job
2007-08-11 08:39:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 22:13:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-11 22:14:49
C:\ComboFix-quarantined-files.txt ... 2007-08-11 22:14
C:\ComboFix2.txt ... 2007-08-11 02:39
C:\ComboFix3.txt ... 2007-08-08 21:40
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:24 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
--
End of file - 5583 bytes
Angelfire777
2007-08-12, 13:35
Hi,
I posted your logs because it's very hard to take a look at them in notepad. Next time, please do not attach any files. If they don't fit in one post, use separate posts.
Configure your machine to view hidden files:
Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.
Although it seems that combofix worked, it seemed that it had a problem...
Before we continue, do you know what this folder is? C:\spoolerlogs
If not, please double click on the folder then see if you can find a file then right click > properties and tell me what vendor is the file from..
Also, do you know what service this is?: O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
If not, see if you can scan 180axp.exe again now that you can see hidden files and folders..
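The two questions above are the checks a helper makes by eye: a service with no vendor whose binary sits in system32, and a binary that ComboFix lists as recently created with the hidden and system attributes. The following Python script is an added example (not part of this thread, HijackThis or ComboFix) that automates those checks over O23 and "Files Created" lines; the sample lines are constructed in the format of the logs posted above.

```python
"""Triage HijackThis O23 service entries against ComboFix's "Files Created" list.

Added example, not from the thread or from HijackThis/ComboFix. A service with
an unknown owner, a binary in system32, and a recent hidden+system file per
ComboFix scores highest; the scoring weights are my own choice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines in the formats of the logs posted in this thread.
HJT_SAMPLE = """\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\\WINDOWS\\SYSTEM32\\acs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\DefWatch.exe
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\\WINDOWS\\system32\\180axp.exe
"""

COMBOFIX_SAMPLE = """\
2007-08-11 22:04 <DIR> d-------- C:\\WINDOWS\\SYSTEM32\\LogFiles
2007-08-08 20:15 51,200 --a------ C:\\WINDOWS\\nircmd.exe
2007-07-28 10:48 46,913 -rahs---- C:\\WINDOWS\\SYSTEM32\\180axp.exe
2007-07-19 22:26 1,060,864 --a------ C:\\WINDOWS\\SYSTEM32\\MFC71.dll
"""

# ComboFix "Files Created" line: date time size attrs path (size is <DIR> for folders).
CF_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)


@dataclass
class Service:
    name: str
    owner: str
    path: str


@dataclass
class CreatedFile:
    date: str
    attrs: str
    path: str

    @property
    def hidden_system(self) -> bool:
        # ComboFix attribute flags: 'h' = hidden, 's' = system (e.g. -rahs----).
        return "h" in self.attrs and "s" in self.attrs


@dataclass
class Finding:
    service: Service
    score: int
    reasons: list[str] = field(default_factory=list)


def normalize(path: str) -> str:
    # Case-insensitive comparison; 8.3 short names (PROGRA~1) are left as-is.
    return path.replace("/", "\\").lower()


def in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in normalize(path)


def parse_hjt_services(text: str) -> list[Service]:
    services = []
    prefix = "O23 - Service: "
    for line in text.splitlines():
        if not line.startswith(prefix):
            continue
        # Fields are " - " separated: name [(short name)] - owner - path.
        # Split from the right so a " - " inside the display name survives.
        parts = line[len(prefix):].rsplit(" - ", 2)
        if len(parts) == 3:
            services.append(Service(*parts))
    return services


def parse_combofix_created(text: str) -> dict[str, CreatedFile]:
    created = {}
    for line in text.splitlines():
        m = CF_LINE.match(line)
        if m and m["size"] != "<DIR>":
            cf = CreatedFile(m["date"], m["attrs"], m["path"])
            created[normalize(cf.path)] = cf
    return created


def triage(services: list[Service], created: dict[str, CreatedFile]) -> list[Finding]:
    findings = []
    for svc in services:
        score, reasons = 0, []
        if svc.owner.lower() == "unknown owner":
            score += 2
            reasons.append("service binary carries no vendor information")
        if in_system32(svc.path):
            score += 1
            reasons.append("binary lives in system32")
        cf = created.get(normalize(svc.path))
        if cf is not None:
            score += 1
            reasons.append(f"binary created {cf.date}, inside ComboFix's recent window")
            if cf.hidden_system:
                score += 3
                reasons.append(f"hidden+system attributes ({cf.attrs}); clear them before copying")
        if score:
            findings.append(Finding(svc, score, reasons))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt_services(HJT_SAMPLE), parse_combofix_created(COMBOFIX_SAMPLE)):
        print(f"[{f.score}] {f.service.name} -> {f.service.path}")
        for reason in f.reasons:
            print("     -", reason)
```

On the sample, 180axp.exe scores 7 and acs.exe (a legitimate driver service that merely lacks vendor data) scores 3, which is why the attribute check from ComboFix matters more than "Unknown owner" alone.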
I do not know what the spoolerlogs folder is. The file in the folder is called spooler, which has an extension of xml. I used the Jotti and VirusTotal websites to scan the file. Here is the log.
JOTTI
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: spooler.xml
Status: OK
MD5: bcd1394236715fb88903cf871c5609b9
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 12 Aug 2007 22:43:27 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
VIRUSTOTAL
File spooler.xml received on 08.13.2007 00:33:31 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.60 2007.08.12 -
Authentium 4.93.8 2007.08.11 -
Avast 4.7.1029.0 2007.08.12 -
AVG 7.5.0.476 2007.08.12 -
BitDefender 7.2 2007.08.12 -
CAT-QuickHeal 9.00 2007.08.11 -
ClamAV 0.91 2007.08.12 -
DrWeb 4.33 2007.08.13 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5050 2007.08.11 -
Ewido 4.0 2007.08.12 -
FileAdvisor 1 2007.08.13 -
Fortinet 2.91.0.0 2007.08.12 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.12 -
Ikarus T3.1.1.12 2007.08.12 -
Kaspersky 4.0.2.24 2007.08.13 -
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.13 -
NOD32v2 2454 2007.08.12 -
Norman 5.80.02 2007.08.10 -
Panda 9.0.0.4 2007.08.12 -
Prevx1 V2 2007.08.13 -
Rising 19.35.62.00 2007.08.12 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.12 -
TheHacker 6.1.7.167 2007.08.12 -
VBA32 3.12.2.2 2007.08.11 -
VirusBuster 4.3.26:9 2007.08.12 -
Webwasher-Gateway 6.0.1 2007.08.12 -
Additional information
File size: 3701 bytes
MD5: bcd1394236715fb88903cf871c5609b9
SHA1: d198e32ae8c4b8269936d797761a1653355aa0ba
I also do not know what the 180axp.exe file is. I'm sorry I can't give you any more help.
Angelfire777
2007-08-13, 06:35
Can you see the 180axp.exe now that your system is configured to show hidden files and folders? If so, please scan it at jotti and you need not post the whole page, just the scan logs.
Neither Jotti nor VirusTotal could scan the 180axp.exe file. Here is what I received from both sites:
Jotti:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
Virustotal:
0 bytes size received / Se ha recibido un archivo vacio
I attempted to disable the Windows Firewall, and that still did not let the sites scan the file. Do you have any other suggestions?
Angelfire777
2007-08-13, 12:08
Hi,
Reboot into Safe Mode.
To enter Safe Mode..
Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
________
Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type movefile.bat in the File name and save it to your desktop.
@echo off
Attrib -r -h -s C:\WINDOWS\system32\180axp.exe
copy /y C:\WINDOWS\system32\180axp.exe C:\
exit
Go to your Desktop and double-click on movefile.bat, you may see a Window quickly open and close.
Reboot to normal mode.
________
I would like you to scan a file for me.
Please go HERE (http://virusscan.jotti.org/). Copy and paste the following file path in to the box.
C:\180axp.exe
Then click submit.
Please post the results to your next reply.
If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
Angelfire777
2007-08-16, 05:32
Wares..?
still here...couldn't get time to work on computer...thanks for waiting
Angelfire777
2007-08-16, 08:46
Ok. Waiting is not a problem. I just wanted to check if you're still there.
I'll be here when you're ready :bigthumb:
Here is the JOTTI scan
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: 180axp.exe
Status: INFECTED/MALWARE
MD5: c5b43cb06c64b0e013d418d9e7578e73
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 16 Aug 2007 06:07:02 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found Trojan.Pakes.Z
Avast Found nothing
AVG Antivirus Found Win32/PolyCrypt
BitDefender Found Trojan.PWS.LDPinch.TAW
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Pakes
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Pakes
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Basine-C
VirusBuster Found Trojan.DR.Cimuz.Gen.1
VBA32 Found nothing
Here is the VirusTotal scan:
File 180axp.exe received on 08.16.2007 08:10:24 (CET)
Result: 11/32 (34.38%)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.15.0 2007.08.16 -
AntiVir 7.4.1.62 2007.08.15 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.08.16 -
Avast 4.7.1029.0 2007.08.15 -
AVG 7.5.0.476 2007.08.15 Win32/PolyCrypt
BitDefender 7.2 2007.08.16 Trojan.PWS.LDPinch.TAW
CAT-QuickHeal 9.00 2007.08.14 -
ClamAV 0.91 2007.08.16 -
DrWeb 4.33 2007.08.16 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5063 2007.08.15 -
Ewido 4.0 2007.08.15 -
FileAdvisor 1 2007.08.16 -
Fortinet 2.91.0.0 2007.08.16 -
F-Prot 4.3.2.48 2007.08.15 -
F-Secure 6.70.13030.0 2007.08.16 Trojan.Win32.Pakes
Ikarus T3.1.1.12 2007.08.16 -
Kaspersky 4.0.2.24 2007.08.16 Trojan.Win32.Pakes
McAfee 5098 2007.08.15 -
Microsoft 1.2704 2007.08.15 TrojanDownloader:Win32/Small.CBA
NOD32v2 2465 2007.08.16 -
Norman 5.80.02 2007.08.15 -
Panda 9.0.0.4 2007.08.16 -
Prevx1 V2 2007.08.16 -
Rising 19.36.30.00 2007.08.16 Packer.RyCrypt
Sophos 4.20.0 2007.08.12 Mal/Basine-C
Sunbelt 2.2.907.0 2007.08.16 Trojan-PWS.LDPinch.TAW
Symantec 10 2007.08.16 -
TheHacker 6.1.8.170 2007.08.15 -
VBA32 3.12.2.2 2007.08.16 -
VirusBuster 4.3.26:9 2007.08.15 Trojan.DR.Cimuz.Gen.1
Webwasher-Gateway 6.0.1 2007.08.16 Trojan.Crypt.XPACK.Gen
Additional information
File size: 46913 bytes
MD5: c5b43cb06c64b0e013d418d9e7578e73
SHA1: 940cf38e93b1eecf212821c6cb311222df6fc050
packers: RCrypt
Angelfire777
2007-08-16, 10:05
Hi,
Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_______
Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.
@echo off
catchme -k C:\WINDOWS\system32\180axp.exe
catchme -k C:\180axp.exe
sc stop SCardSvrgusvc
sc delete SCardSvrgusvc
cls
echo.Press any key to reboot
pause > nul
nircmd exitwin reboot force
exit
Double click clean.bat then follow the prompts.
_______
After your machine reboots, please delete this file:
C:\WINDOWS\system32\180axp.exe
C:\180axp.exe
Empty your recycle bin.
Please post a fresh HijackThis log.
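As an added example (not from this thread, and not part of HijackThis or any tool named here), a small Python script that reads O23 entries in the HijackThis format and flags the pattern seen above: a rogue service whose short name is a stock Windows service name (SCardSvr) glued to another service name from the same log (gusvc), with no vendor string and a binary dropped in system32. The sample log lines are constructed from the entries quoted in this thread; the list of stock service names is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the HijackThis O23 format, modelled on the entries quoted in
# this thread (the bogus "SCardSvrgusvc" service beside three legitimate ones).
SAMPLE_LOG = r"""
O23 - Service: Smart Card SCardSvrgusvc (SCardSvrgusvc) - Unknown owner - C:\WINDOWS\system32\180axp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# An O23 line is: display name, (short name), owner/company, binary path, joined by " - ".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)

# Short names of stock Windows XP services that rogue services like to imitate
# (assumption: a small illustrative list, not an exhaustive one).
STOCK_SERVICES = {"SCardSvr", "wuauserv", "Spooler", "Dnscache", "lanmanserver", "BITS"}


def parse_o23(log: str) -> List[Dict[str, str]]:
    """Return one dict per O23 line; every other HijackThis section is ignored."""
    entries = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def assess(entry: Dict[str, str], all_names: List[str]) -> List[str]:
    """Reasons why one service entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    name, owner, path = entry["name"], entry["owner"], entry["path"].lower()

    # 1. A stock service name used as the prefix of a different name: "SCardSvr" + junk.
    for stock in STOCK_SERVICES:
        if name != stock and name.lower().startswith(stock.lower()):
            reasons.append(f"name imitates stock service {stock}")
            # 2. The junk is itself another service name from the same log (here "gusvc").
            tail = name[len(stock):]
            if tail and tail in all_names:
                reasons.append(f"name is {stock} glued to existing service {tail}")

    # 3. No vendor string plus a binary in system32. Weak on its own: legitimate
    #    drivers (the Atheros ACS service in this very log) trigger it too.
    if owner == "Unknown owner" and "\\system32\\" in path:
        reasons.append("unknown owner with binary in system32")
    return reasons


def flag_services(log: str) -> Dict[str, List[str]]:
    """Map short service name -> reasons, for every O23 entry with at least one reason."""
    entries = parse_o23(log)
    all_names = [e["name"] for e in entries]
    flagged = {}
    for e in entries:
        reasons = assess(e, all_names)
        if reasons:
            flagged[e["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for svc, why in flag_services(SAMPLE_LOG).items():
        print(svc, "->", "; ".join(why))
```

The weak rule 3 is kept deliberately: on this log it also flags the legitimate Atheros service, which is why a reviewer confirms the vendor and the hash (as the thread does with Jotti and VirusTotal) before deleting anything.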
The 180axp is in the following locations. Do you want me to delete all the files?
180axp
180axp.exe.1
C:\Documents and Settings\Administrator\Desktop\catchme.zip
180axp
C:\
180axp
C:\WINDOWS\SYSTEM32
Angelfire777
2007-08-16, 10:56
Yes. :D:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:19 AM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 6117 bytes
Angelfire777
2007-08-16, 11:19
You seem to have grabbed a new adware...
It's very hard to read your log in that format..
In notepad, click format > uncheck wordwrap
Do that before posting the fresh HijackThis log.
Then,
*Click Start > Control Panel > Add or Remove Programs and uninstall the item I listed in bold if found.
MyWebSearch
Reboot then post the fresh HijackThis log.
The computer that is having the problem is connected to the internet. I connected it to scan the files you wanted. I will take it off the net and keep it off until we completely fix the problem.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:50 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183527342288
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183527337982
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 5264 bytes
Computer is offline
Angelfire777
2007-08-17, 04:47
Congratulations! Your log looks clean!
Configure Windows Xp to hide system files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading, select Do not show hidden files and folders.
Check the Hide protected operating system files option.
Click Yes to confirm.
Click OK.
_______________________
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.
Firewall Application - Although Windows XP comes with a firewall, you should not rely on it, because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.
» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
MVPS Hosts File
~You can download it from here (http://www.mvps.org/winhelp2002/hosts.zip)
~I highly recommend this hosts file. You can learn more about this here (http://www.mvps.org/winhelp2002/hosts.htm)
Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.
Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Happy safe surfing!
Angelfire777
2007-08-20, 10:13
Glad we could be of assistance :bigthumb:
Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
Thank you Angelfire777. :)