Virtumonde HELP!

TJ1212
2007-09-30, 15:24
Please help me remove Virtumonde. Here is my Spybot S&D log:

--- Search result list ---
SpyAgent: Executable (File, fixed)
H:\WINDOWS\unvise32.exe

Virtumonde: Executable (File, fixed)
H:\Documents and Settings\Tom\Local Settings\Temp\removalfile.bat

Virtumonde: Library (File, fixing failed)
H:\WINDOWS\system32\qomkjjk.dll

Virtumonde: Library (File, fixing failed)
H:\WINDOWS\system32\awvvv.dll

Virtumonde: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-436374069-1897051121-839522115-1005\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService

Virtumonde: System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService

Virtumonde: System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService

Virtumonde: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-436374069-1897051121-839522115-1005\Software\Microsoft\aldd

Virtumonde.generic: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{51248DEA-04B5-4AD8-AC08-547371D86740}

Virtumonde.generic: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51248DEA-04B5-4AD8-AC08-547371D86740}

Virtumonde.generic: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{51248DEA-04B5-4AD8-AC08-547371D86740}

Virtumonde.generic: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-436374069-1897051121-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{51248DEA-04B5-4AD8-AC08-547371D86740}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-10-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-09-26 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-09-26 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-09-26 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-09-26 Includes\KeyloggersC.sbi (*)
2007-09-12 Includes\Malware.sbi (*)
2007-09-26 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-09-26 Includes\PUPSC.sbi (*)
2007-09-26 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-09-26 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-09-26 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi (*)
2007-09-26 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 12/04/2006 1:17:24 PM
Date (last access): 30/09/2007 9:13:44 PM
Date (last write): 16/04/2001 4:09:02 PM
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1

{1C56E592-4D44-42B3-A0CE-48415B365B67} ()
BHO name:
CLSID name:
Path: H:\WINDOWS\system32\
Long name: awvvv.dll
Short name:
Date (created): 30/09/2007 4:30:04 PM
Date (last access): 30/09/2007 9:48:54 PM
Date (last write): 30/09/2007 4:30:14 PM
Filesize: 262708
Attributes:
MD5: 3F41CDA8B269D01BFFD20E0222BAEC49
CRC32: 7563B061

{51248DEA-04B5-4AD8-AC08-547371D86740} ()
BHO name:
CLSID name:
Path: H:\WINDOWS\system32\
Long name: qomkjjk.dll
Short name:
Date (created): 30/09/2007 4:24:56 PM
Date (last access): 30/09/2007 9:49:26 PM
Date (last write): 30/09/2007 4:24:56 PM
Filesize: 26678
Attributes:
MD5: 83A3AD318071763F6CA0FE426623AB9E
CRC32: CE03B082

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: H:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 22/10/2006 10:39:54 AM
Date (last access): 30/09/2007 9:13:44 PM
Date (last write): 31/05/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{5785E523-865B-4657-9D86-1777DDD1EF24} ()
BHO name:
CLSID name:
Path: H:\WINDOWS\system32\
Long name: otxixmhp.dll
Short name:
Date (created): 30/09/2007 4:42:16 PM
Date (last access): 30/09/2007 9:13:50 PM
Date (last write): 30/09/2007 4:42:22 PM
Filesize: 121364
Attributes: archive
MD5: A43B015E3889F652C09A4F79710F4A6D
CRC32: CD504F56

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: H:\Program Files\Java\jre1.6.0_02\bin\
Long name: ssv.dll
Short name:
Date (created): 15/08/2007 4:53:36 PM
Date (last access): 30/09/2007 9:14:32 PM
Date (last write): 12/07/2007 4:00:36 AM
Filesize: 501136
Attributes: archive
MD5: D6137540BDF0F9F9B9055C60ADD8007A
CRC32: 29E910AF
Version: 6.0.20.6

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 30/09/2007 9:54:31 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
H:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com.au/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6FF3EED-3812-4B75-B041-C40303B31E78}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6FF3EED-3812-4B75-B041-C40303B31E78}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{218C867E-1126-4AFB-8CE2-93243FA5CE09}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{218C867E-1126-4AFB-8CE2-93243FA5CE09}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{789044B0-3D73-46FC-A5A7-3066BE672CBC}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{789044B0-3D73-46FC-A5A7-3066BE672CBC}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{99109F7B-4181-4D1D-ABE7-0D547EDEA1AB}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{99109F7B-4181-4D1D-ABE7-0D547EDEA1AB}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D5BB90E4-A432-4B47-A029-DF29BFDFA44E}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D5BB90E4-A432-4B47-A029-DF29BFDFA44E}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{383604DD-1999-4E4C-9221-E17C5BF83903}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{383604DD-1999-4E4C-9221-E17C5BF83903}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{36D2B17C-2C56-4C74-9349-E589215B8A07}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{36D2B17C-2C56-4C74-9349-E589215B8A07}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: H:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
Thanks in advance!

TJ1212
2007-09-30, 16:01
Here is a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:25 PM, on 30/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program Files\Softwin\BitDefender9\bdoesrv.exe
H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\WINDOWS\sm56hlpr.exe
H:\Program Files\HP\HP Software Update\HPWuSchd.exe
H:\Program Files\HP\hpcoretech\hpcmpmgr.exe
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\Program Files\QuickTime\QTTask.exe
H:\WINDOWS\system32\bgsvcgen.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
H:\WINDOWS\system32\qsxdlvll.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
H:\Program Files\Softwin\BitDefender9\vsserv.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Hijackthis\HijackThis.exe
H:\Program Files\SpywareBlaster\spywareblaster.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [BDOESRV] "H:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [zzGBK] G:\Setup.exe
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HP Software Update] "H:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "H:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] H:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UVS11 Preload] H:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "H:\WINDOWS\system32\xjigwqlt.dll",sitypnow
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "H:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4542] command /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8938] cmd /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4878] command /c del "H:\WINDOWS\system32\qomkjjk.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6908] cmd /c del "H:\WINDOWS\system32\qomkjjk.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "H:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2903] command /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2098] cmd /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] H:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [uTorrent] "H:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7040] command /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5228] cmd /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4057] command /c del "H:\WINDOWS\system32\qomkjjk.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3010] cmd /c del "H:\WINDOWS\system32\qomkjjk.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9572] command /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD352] cmd /c del "H:\WINDOWS\system32\awvvv.dll_tobedeleted"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - H:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - H:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - H:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Shaba
2007-10-03, 09:38
Hi TJ1212

Rename HijackThis.exe to TJ1212.exe and post back a fresh HijackThis log, please :)

TJ1212
2007-10-03, 12:47
Hey there, thanks for offering your help to me.

Here is the HijackThis log (renamed as TJ1212 as requested :bigthumb:)

Logfile of HijackThis v1.99.1
Scan saved at 7:15:45 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINDOWS\system32\bgsvcgen.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\Program Files\Softwin\BitDefender9\vsserv.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\iTunes\iTunes.exe
H:\PROGRA~1\Mozilla Firefox\firefox.exe
H:\Program Files\LimeWire\LimeWire.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\MSN Messenger\usnsvc.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [BDOESRV] "H:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [zzGBK] G:\Setup.exe
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HP Software Update] "H:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "H:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] H:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UVS11 Preload] H:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "H:\WINDOWS\system32\wataattn.dll",sitypnow
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] H:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [uTorrent] "H:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - H:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - H:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - H:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Shaba
2007-10-03, 17:42
Hi

Unfortunately it didn't go right.

Rename HijackThis.exe to TJ1212.exe by doing the following:

Navigate here using Windows Explorer (Windows button + E) or My Computer -> Local Disk C: -> H:\Program Files\HijackThis
Right-click on HijackThis.exe
Choose "Rename" from the pull-down menu
Now rename HijackThis.exe to TJ1212.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.

TJ1212
2007-10-04, 05:43
Logfile of HijackThis v1.99.1
Scan saved at 12:12:30 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\Program Files\Softwin\BitDefender9\bdoesrv.exe
H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe
H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\WINDOWS\sm56hlpr.exe
H:\Program Files\HP\HP Software Update\HPWuSchd.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\Program Files\HP\hpcoretech\hpcmpmgr.exe
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\WINDOWS\system32\bgsvcgen.exe
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
H:\Program Files\QuickTime\QTTask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\uTorrent\uTorrent.exe
H:\WINDOWS\system32\keevxcuh.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
H:\Program Files\LimeWire\LimeWire.exe
H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
H:\Program Files\Softwin\BitDefender9\vsserv.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\explorer.exe
H:\Program Files\MSN Messenger\usnsvc.exe
H:\Program Files\Ulead Systems\Ulead VideoStudio 11\vstudio.dat
H:\PROGRA~1\Mozilla Firefox\firefox.exe
H:\Program Files\Hijackthis\TJ1212.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2970A15E-A497-4710-932D-F5353A046A97} - H:\WINDOWS\system32\awvvv.dll
O2 - BHO: (no name) - {51248DEA-04B5-4AD8-AC08-547371D86740} - H:\WINDOWS\system32\qomkjjk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5785E523-865B-4657-9D86-1777DDD1EF24} - H:\WINDOWS\system32\ipxfswbf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B46C296D-CEB5-481C-AE25-15225E7AEF7c} - H:\WINDOWS\system32\ipxfswbf.dll
O4 - HKLM\..\Run: [BDOESRV] "H:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [zzGBK] G:\Setup.exe
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HP Software Update] "H:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "H:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] H:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UVS11 Preload] H:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "H:\WINDOWS\system32\wataattn.dll",sitypnow
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] H:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [uTorrent] "H:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awvvv - H:\WINDOWS\system32\awvvv.dll
O20 - Winlogon Notify: qomkjjk - H:\WINDOWS\SYSTEM32\qomkjjk.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - H:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DomainService - - H:\WINDOWS\system32\keevxcuh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - H:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - H:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Shaba
2007-10-04, 12:41
Hi

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

TJ1212
2007-10-07, 09:06
ComboFix report:

ComboFix 07-10-04.6 - Tom 2007-10-07 14:53:41.2 - NTFSx86
Script execution time was exceeded on script "H:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: H:\Documents and Settings\Tom\Desktop\iPod Programs\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-01 08:52 24,576 --a------ H:\WINDOWS\system32\VundoFixSVC.exe
2007-09-30 22:33 <DIR> d-------- H:\VundoFix Backups
2007-09-29 18:36 <DIR> d-------- H:\Program Files\iTunes
2007-09-17 19:23 <DIR> d-------- H:\Program Files\Xplosiv
2007-09-17 10:34 <DIR> d-------- H:\Documents and Settings\Tom\Application Data\Ulead Systems
2007-09-16 20:09 <DIR> d-------- H:\Documents and Settings\user 1\Application Data\Ulead Systems
2007-09-16 15:53 26,136 --a------ H:\WINDOWS\system32\IVIresize.dll
2007-09-16 15:53 210,456 --a------ H:\WINDOWS\system32\IVIresizeW7.dll
2007-09-16 15:53 206,360 --a------ H:\WINDOWS\system32\IVIresizeA6.dll
2007-09-16 15:53 198,168 --a------ H:\WINDOWS\system32\IVIresizeP6.dll
2007-09-16 15:53 198,168 --a------ H:\WINDOWS\system32\IVIresizeM6.dll
2007-09-16 15:53 194,072 --a------ H:\WINDOWS\system32\IVIresizePX.dll
2007-09-16 15:53 <DIR> d-------- H:\Program Files\Common Files\InterVideo
2007-09-16 15:53 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\InterVideo
2007-09-16 15:52 <DIR> d-------- H:\Program Files\Windows Media Components
2007-09-16 15:51 <DIR> d-------- H:\Program Files\Ulead Systems
2007-09-16 15:51 <DIR> d-------- H:\Program Files\Common Files\Ulead Systems
2007-09-16 15:51 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Ulead Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 15:04 --------- d-------- H:\Documents and Settings\Tom\Application Data\uTorrent
2007-10-03 18:34 --------- d-------- H:\Program Files\LimeWire
2007-09-30 22:28 --------- d-------- H:\Program Files\SpywareBlaster
2007-09-30 18:55 --------- d-------- H:\Program Files\TuxPaint
2007-09-30 18:48 --------- d-------- H:\Documents and Settings\Tom\Application Data\TuxPaint
2007-09-29 18:37 --------- d-------- H:\Program Files\iPod
2007-09-23 12:14 --------- d-------- H:\Program Files\Apple Software Update
2007-09-17 19:24 --------- d--h----- H:\Program Files\InstallShield Installation Information
2007-09-15 09:28 --------- d-------- H:\Program Files\Puppy Luv
2007-09-14 17:51 --------- d-------- H:\Documents and Settings\Tom\Application Data\Apple Computer
2007-09-14 15:37 --------- d-------- H:\Documents and Settings\All Users\Application Data\WinZip
2007-09-02 19:29 --------- d-------- H:\Program Files\VideoLAN
2007-08-31 18:21 --------- d-------- H:\Program Files\WinHex
2007-08-29 20:18 --------- d-------- H:\Program Files\ImTOO
2007-08-23 17:19 --------- d-------- H:\Documents and Settings\All Users\Application Data\The Learning Company
2007-08-23 17:18 --------- d-------- H:\Program Files\The Learning Company
2007-08-14 21:24 --------- d-------- H:\Program Files\Windows Media Connect 2
2007-08-11 18:28 --------- d-------- H:\Program Files\Hasbro Interactive
2007-08-10 21:05 --------- d-------- H:\Documents and Settings\LocalService\Application Data\Ahead
2007-08-10 21:05 --------- d-------- H:\Documents and Settings\LocalService\Application Data\Ahead
2007-08-10 21:05 --------- d-------- H:\Documents and Settings\LocalService\Application Data\Ahead
2007-08-07 22:16 --------- d-------- H:\Program Files\Replay AV 8
2007-08-07 22:06 --------- d-------- H:\Program Files\WinPcap
2007-08-07 22:03 737280 --a------ H:\WINDOWS\iun6002.exe
2007-08-07 21:08 --------- d-------- H:\Documents and Settings\Tom\Application Data\GetRightToGo
2007-07-18 19:13 7168 --ahs---- H:\Program Files\Thumbs.db
2007-06-02 21:53 25214 --a------ H:\Program Files\B.ico
2007-06-02 21:53 25214 --a------ H:\Program Files\A.ico
2007-04-15 12:25 167 --a------ H:\Documents and Settings\Tom\2322.bat
2007-04-15 12:23 32768 --a------ H:\Documents and Settings\Tom\setup9x.exe
2007-04-10 12:24 167 --a------ H:\Documents and Settings\Tom\5019.bat
2007-04-09 20:38 167 --a------ H:\Documents and Settings\user 1\9846.bat
2007-04-09 19:38 167 --a------ H:\Documents and Settings\Tom\4107.bat
2007-02-20 17:52 63 --a------ H:\Documents and Settings\user 1\yyd.bat
2007-02-20 17:28 63 --a------ H:\Documents and Settings\Tom\yyd.bat
2007-02-20 17:17 203149 --a------ H:\Documents and Settings\Tom\up.exe
2007-02-20 17:03 192 --a------ H:\Documents and Settings\user 1\ggg.bat
2007-02-20 16:55 63 --a------ H:\Documents and Settings\Ben.HOME-84BAC581ED\yyd.bat
2007-02-17 15:50 192 --a------ H:\Documents and Settings\Tom\ggg.bat
2007-02-07 15:44 30561 --------- H:\Documents and Settings\user 1\dr.exe
2007-02-07 15:41 32768 --a------ H:\Documents and Settings\user 1\setup.exe
2007-02-07 15:00 32768 --a------ H:\Documents and Settings\Tom\setup.exe
2007-02-07 14:47 30561 --------- H:\Documents and Settings\Tom\dr.exe
2004-10-01 14:30 40960 --a------ H:\Program Files\Uninstall_CDS.exe
2007-03-09 09:12:32 27,648 --sha-w H:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDOESRV"="H:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 17:23]
"BDNewsAgent"="H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe" [2005-06-09 09:58]
"BDSwitchAgent"="H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe" [2005-04-06 12:39]
"zzGBK"="G:\Setup.exe" []
"RemoteControl"="H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:54]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 19:43 H:\WINDOWS\SOUNDMAN.EXE]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 05:31 H:\WINDOWS\sm56hlpr.exe]
"HP Software Update"="H:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28]
"HP Component Manager"="H:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"DXDllRegExe"="dxdllreg.exe" []
"REGSHAVE"="H:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"AVG7_CC"="H:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 12:35]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroFilterCheck"="H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"NvCplDaemon"="H:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35]
"nwiz"="nwiz.exe" [2005-08-02 16:35 H:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="H:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35]
"QuickTime Task"="H:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"UVS11 Preload"="H:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-10-09 11:28]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:26]
"LaunchList"="H:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 15:41]
"uTorrent"="H:\Program Files\uTorrent\uTorrent.exe" [2007-09-15 12:45]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= H:\Program Files\Outlook Express\bazywuaprak.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

R1 bdftdif;BitDefender Firewall TDI Filter;\??\H:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;H:\WINDOWS\system32\DRIVERS\bdfndisf.sys
S3 APLMp50;APLMp50 NDIS Protocol Driver;H:\WINDOWS\system32\Drivers\APLMp50.sys
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\G:\BPIKSp50.sys
S3 gdrv;gdrv;\??\H:\WINDOWS\gdrv.sys
S3 NPF;NetGroup Packet Filter Driver;H:\WINDOWS\system32\drivers\npf.sys
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;H:\WINDOWS\system32\DRIVERS\wg111v2.sys
S3 sonypvs1;Sony Digital Imaging Video2;H:\WINDOWS\system32\DRIVERS\sonypvs1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 08:47:26 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 15:04:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D??????w???????????????wl?@?l?@????? ???????????g??w???w???????w???wx??????????w???????? ??????????????|x???0???????????? st???w?????????????????AN?H???f???????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-07 15:07:31
H:\ComboFix-quarantined-files.txt ... 2007-10-07 15:06
.
--- E O F ---

TJ1212
2007-10-07, 09:07
HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 3:34:35 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINDOWS\system32\bgsvcgen.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\Program Files\Softwin\BitDefender9\vsserv.exe
H:\Program Files\Softwin\BitDefender9\bdoesrv.exe
H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe
H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\WINDOWS\sm56hlpr.exe
H:\Program Files\HP\HP Software Update\HPWuSchd.exe
H:\Program Files\HP\hpcoretech\hpcmpmgr.exe
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\Program Files\QuickTime\QTTask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\uTorrent\uTorrent.exe
H:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\MSN Messenger\usnsvc.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Hijackthis\TJ1212.exe.exe
H:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [BDOESRV] "H:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "H:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [zzGBK] G:\Setup.exe
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HP Software Update] "H:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "H:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] H:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UVS11 Preload] H:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] H:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [uTorrent] "H:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - H:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - H:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - H:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - H:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - H:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Thanks again for your help.
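Comparing the 4/10/2007 HijackThis log with the 7/10/2007 log above shows which load points ComboFix removed. The script below is an added example, not part of this thread or of HijackThis: it parses two HijackThis logs, lists the entries that disappeared between them, and flags the load-point patterns Virtumonde left in this thread (unnamed BHOs loading from system32, Winlogon Notify DLLs not on a known list, a service with no listed owner). The embedded logs are constructed excerpts of the two posts, and the Winlogon Notify allow-list is an assumption made for the example.

```python
"""Diff two HijackThis logs and flag Virtumonde-style load points.

Added example; the sample logs are constructed, trimmed excerpts of the
HijackThis v1.99.1 logs posted in this thread before and after ComboFix.
"""
import re
from typing import Dict, List, Set, Tuple

# Every HijackThis entry line starts with a section code (R1, O2, O20, O23...).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Assumed allow-list of Winlogon Notify DLLs for this example only.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}

BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:12:30 PM, on 4/10/2007

Running processes:
H:\WINDOWS\system32\keevxcuh.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {2970A15E-A497-4710-932D-F5353A046A97} - H:\WINDOWS\system32\awvvv.dll
O2 - BHO: (no name) - {51248DEA-04B5-4AD8-AC08-547371D86740} - H:\WINDOWS\system32\qomkjjk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "H:\WINDOWS\system32\wataattn.dll",sitypnow
O20 - Winlogon Notify: awvvv - H:\WINDOWS\system32\awvvv.dll
O20 - Winlogon Notify: qomkjjk - H:\WINDOWS\SYSTEM32\qomkjjk.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - - H:\WINDOWS\system32\keevxcuh.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:34:35 PM, on 7/10/2007

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
"""


def parse_entries(log_text: str) -> Dict[str, List[str]]:
    """Return {section code: [entry bodies]} for every entry line in the log."""
    entries: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group("code"), []).append(m.group("body"))
    return entries


def removed_entries(before: str, after: str) -> Dict[str, List[str]]:
    """Entries present in `before` but missing from `after`, grouped by code.

    Comparison is case-insensitive: HijackThis prints paths as the registry
    stores them (system32 and SYSTEM32 both appear in the logs above).
    """
    after_set: Set[str] = {
        body.lower() for bodies in parse_entries(after).values() for body in bodies
    }
    removed: Dict[str, List[str]] = {}
    for code, bodies in parse_entries(before).items():
        gone = [b for b in bodies if b.lower() not in after_set]
        if gone:
            removed[code] = gone
    return removed


def suspicious_loadpoints(log_text: str) -> List[Tuple[str, str, str]]:
    """Flag (code, reason, entry) triples matching the patterns in this thread."""
    flags: List[Tuple[str, str, str]] = []
    for code, bodies in parse_entries(log_text).items():
        for body in bodies:
            low = body.lower()
            if code == "O2" and low.startswith("bho: (no name)") and "\\windows\\system32\\" in low:
                flags.append((code, "unnamed BHO loading a DLL from system32", body))
            elif code == "O20" and low.rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
                flags.append((code, "Winlogon Notify DLL not on the allow-list", body))
            elif code == "O23" and " - - " in body:
                flags.append((code, "service with no listed owner", body))
    return flags


if __name__ == "__main__":
    for code, gone in removed_entries(BEFORE_LOG, AFTER_LOG).items():
        for entry in gone:
            print(f"removed {code}: {entry}")
    for code, reason, entry in suspicious_loadpoints(BEFORE_LOG):
        print(f"flag {code} ({reason}): {entry}")
```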

Shaba
2007-10-07, 12:13
Hi

Do you know what these are?

2007-04-15 12:25 167 --a------ H:\Documents and Settings\Tom\2322.bat
2007-04-15 12:23 32768 --a------ H:\Documents and Settings\Tom\setup9x.exe
2007-04-10 12:24 167 --a------ H:\Documents and Settings\Tom\5019.bat
2007-04-09 20:38 167 --a------ H:\Documents and Settings\user 1\9846.bat
2007-04-09 19:38 167 --a------ H:\Documents and Settings\Tom\4107.bat
2007-02-20 17:52 63 --a------ H:\Documents and Settings\user 1\yyd.bat
2007-02-20 17:28 63 --a------ H:\Documents and Settings\Tom\yyd.bat
2007-02-20 17:17 203149 --a------ H:\Documents and Settings\Tom\up.exe
2007-02-20 17:03 192 --a------ H:\Documents and Settings\user 1\ggg.bat
2007-02-20 16:55 63 --a------ H:\Documents and Settings\Ben.HOME-84BAC581ED\yyd.bat
2007-02-17 15:50 192 --a------ H:\Documents and Settings\Tom\ggg.bat
2007-02-07 15:44 30561 --------- H:\Documents and Settings\user 1\dr.exe
2007-02-07 15:41 32768 --a------ H:\Documents and Settings\user 1\setup.exe
2007-02-07 15:00 32768 --a------ H:\Documents and Settings\Tom\setup.exe
2007-02-07 14:47 30561 --------- H:\Documents and Settings\Tom\dr.exe

TJ1212
2007-10-07, 15:10
I have never actually seen those files before; some are MS-DOS batch files, some are executable files and some I have never seen before. I'm not certain if they are really necessary to have. Do you think I should delete them or leave them in case they are required for something?

Shaba
2007-10-07, 15:39
Hi

You can open those .bat files in Notepad and take a look at what they have inside.

For exes, we need more:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

H:\Documents and Settings\Tom\up.exe

Repeat the step for these:

H:\Documents and Settings\user 1\dr.exe
H:\Documents and Settings\user 1\setup.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Shaba
2007-10-14, 12:18
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.