View Full Version : Another Virtumonde Victim
flyngunr
2007-10-08, 05:51
Hi and let me thank you guys in advance for helping people like me. Well like the title says, I got hit by Virtumonde and it's driving me nuts. I followed all the instructions before posting so here goes both my HiJackThis log followed by the Kaspersky Log. Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:42 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FLYNGUN
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\evhabiky.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\001-_D~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\GH4DEN~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\TRAIN~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\MILLED~1.SH! D:\DOWNLO~1\scene82.SH! D:\DOWNLO~1\scene89.SH! D:\MWR\Stills\LIHKNB.SH! C:\DOCUME~1\Rich\APPLIC~1\Sun\Java\DEPLOY~1\cache\javapi\v1.0\jar\COUNTJ~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\TIREOR~1\LACL~1.SH!
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.samsung.com/plugin/vmpinstaller/installer/components/MTSInstallers/MetaStream3.cab?url=http://www.samsungblackjack.com/3d/SGH%2Di607/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/budsinc/grinstall_budsinc1001_sp2.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Rich/Desktop/deskbutt.jpg
--
End of file - 8933 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 07, 2007 8:18:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 8/10/2007
Kaspersky Anti-Virus database records: 428879
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
Scan Statistics:
Total number of scanned objects: 54735
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 00:58:12
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{0C213DEA-3FB1-4E08-A689-71ABBC7E0BD5}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{955D865E-94F5-41A4-981B-870D9CB4A5D6}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rich\Application Data\McAfee\MBK\ARBUSFILE.GDB Object is locked skipped
C:\Documents and Settings\Rich\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Application Data\ApplicationHistory\Explorer.EXE.3c2f65a1.ini.inuse Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Application Data\ApplicationHistory\iexplore.exe.26e3ad32.ini.inuse Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Application Data\ApplicationHistory\McAfeeDataBackup.exe.e548c4c.ini.inuse Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Temp\fb_3140.lck Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bkw skipped
C:\Documents and Settings\Rich\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Rich\Local Settings\Temp\sqlite_vA5h9yMWh6zZLnd Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Temp\~DF6A88.tmp Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Temp\~DF8278.tmp Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rich\Local Settings\Temporary Internet Files\Content.IE5\ONE7YC8I\snapsnet[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.bkw skipped
C:\Documents and Settings\Rich\Local Settings\Temporary Internet Files\Content.IE5\ONE7YC8I\snapsnet[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Rich\ntuser.dat Object is locked skipped
C:\Documents and Settings\Rich\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E4F66DAF-F561-471C-8F1A-8C36CEA1E35A}\RP708\change.log Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N82M1105NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.j skipped
C:\WINDOWS\Downloaded Program Files\UERS_0001_N82M1105NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.j skipped
C:\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.bb skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E5753946-301A-40BA-8BA7-4A64B9064785}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_FJdRJrTlXsHEPbF Object is locked skipped
C:\WINDOWS\Temp\mcmsc_4aGqQm0SVG6QmTI Object is locked skipped
C:\WINDOWS\Temp\mcmsc_afoV4gc6Hh8N5Bh Object is locked skipped
C:\WINDOWS\Temp\mcmsc_dqjbMtLz2f1ElWO Object is locked skipped
C:\WINDOWS\Temp\mcmsc_yhPlwLE48VhIfS1 Object is locked skipped
C:\WINDOWS\Temp\sqlite_7wREGvne4Mh6TQb Object is locked skipped
C:\WINDOWS\Temp\sqlite_Vrtwbtp6YEnvKe9 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{E4F66DAF-F561-471C-8F1A-8C36CEA1E35A}\RP669\A0058211.exe Infected: Trojan.Win32.KillFW.a skipped
D:\System Volume Information\_restore{E4F66DAF-F561-471C-8F1A-8C36CEA1E35A}\RP708\change.log Object is locked skipped
Scan process completed.
__RiP_ChAiN_
2007-10-08, 06:15
Hello flyngunr,
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
flyngunr
2007-10-08, 11:36
Thanks for helping out Rip Chain. Going to have to post logs seperately, forum says my text exceeds 20000 characters.
Here is the HiJack Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:29 AM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: ohb Class - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\001-_D~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\GH4DEN~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\TRAIN~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\MILLED~1.SH! D:\DOWNLO~1\scene82.SH! D:\DOWNLO~1\scene89.SH! D:\MWR\Stills\LIHKNB.SH! C:\DOCUME~1\Rich\APPLIC~1\Sun\Java\DEPLOY~1\cache\javapi\v1.0\jar\COUNTJ~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\TIREOR~1\LACEYL~1.SH!
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.samsung.com/plugin/vmpinstaller/installer/components/MTSInstallers/MetaStream3.cab?url=http://www.samsungblackjack.com/3d/SGH%2Di607/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/budsinc/grinstall_budsinc1001_sp2.cab
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O20 - Winlogon Notify: nnnlkkh - C:\WINDOWS\SYSTEM32\nnnlkkh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Rich/Desktop/deskbutt.jpg
--
End of file - 10004 bytes
flyngunr
2007-10-08, 11:37
ComboFix 07-10-07.2 - Rich 2007-10-08 3:04:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.548 [GMT -5:00]
Running from: C:\Documents and Settings\Rich\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Guest\Desktop\internet.lnk
C:\Program Files\dialers
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UERS_0001_N82M1105NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UERS_0001_N82M1105NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe
C:\WINDOWS\system32\evhabiky.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\ykibahve.ini
.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.
2007-10-08 03:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 16:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-07 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-07 05:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 05:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-06 22:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-06 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 12:38 <DIR> d-------- C:\Program Files\Ad-Aware 2007(2)
2007-10-06 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-10-05 02:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee
2007-10-05 02:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee
2007-10-04 01:48 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-04 01:48 <DIR> d-------- C:\Temp\xOe
2007-10-04 01:48 <DIR> d-------- C:\Temp
2007-10-04 01:47 36,352 --a------ C:\WINDOWS\system32\nnnlkkh.dll
2007-10-02 23:05 <DIR> d-------- C:\WINDOWS\FLV Player
2007-10-02 23:05 <DIR> d-------- C:\Program Files\FLV Player
2007-10-01 00:37 <DIR> d-------- C:\Program Files\Any Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 00:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-07 01:55 --------- d-------- C:\Program Files\McAfee
2007-10-06 22:28 --------- d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-10-06 13:09 --------- d-------- C:\Documents and Settings\Rich\Application Data\SiteAdvisor
2007-10-05 01:55 --------- d-------- C:\Documents and Settings\Rich\Application Data\Lavasoft
2007-09-25 01:01 --------- d-------- C:\Program Files\PFE Studyware
2007-09-17 20:32 --------- d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2007-09-14 11:07 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-30 23:44 --------- d-------- C:\Documents and Settings\Guest\Application Data\Real
2007-08-30 23:44 --------- d-------- C:\Documents and Settings\Guest\Application Data\McAfee
2007-08-19 18:43 --------- d-------- C:\Documents and Settings\Rich\Application Data\Real
2007-08-17 14:59 --------- d-------- C:\Program Files\Viewpoint
2007-08-17 14:59 --------- d-------- C:\Documents and Settings\Rich\Application Data\Viewpoint
2007-08-17 14:59 --------- d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2002-09-03 17:07:40 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2002-01-16 23:49]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35]
"nwiz"="nwiz.exe" [2005-08-02 16:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-28 14:30]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2006-10-10 18:40]
"acEventServ"="C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe" [2004-06-15 11:34]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 10:42]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 17:43]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\001-_D~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\GH4DEN~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\TRAIN~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\MILLED~1.SH! D:\DOWNLO~1\scene82.SH! D:\DOWNLO~1\scene89.SH! D:\MWR\Stills\LIHKNB.SH! C:\DOCUME~1\Rich\APPLIC~1\Sun\Java\DEPLOY~1\cache\javapi\v1.0\jar\COUNTJ~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\TIREOR~1\LACEYL~1.SH!
C:\Documents and Settings\Rich\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-06-06 16:26:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileSharing"=0 (0x0)
"NoPrintSharing"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}"= C:\WINDOWS\system32\nnnlkkh.dll [2007-10-04 01:47 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
acauth.dll 2004-06-15 11:34 65536 C:\WINDOWS\system32\acauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlkkh]
nnnlkkh.dll 2007-10-04 01:47 36352 C:\WINDOWS\system32\nnnlkkh.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 ACachSrv;ActivCard Authentication Service;C:\Program Files\Common Files\ActivCard\acachsrv.exe
R2 acautoreg;ActivCard Gold Autoregister;C:\Program Files\Common Files\ActivCard\acautoreg.exe
R2 Accoca;ActivCard Gold service;C:\Program Files\Common Files\ActivCard\accoca.exe
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R3 SCRx31 USB Reader;SCRx31 USB Reader;C:\WINDOWS\system32\DRIVERS\stc2.sys
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-02 22:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-08-15 06:54:48 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-01 06:09:39 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 03:13:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-08 3:15:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 03:15
.
--- E O F ---
__RiP_ChAiN_
2007-10-09, 04:03
Hello flyngunr,
A. Please RUN HijackThis
Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: ohb Class - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.samsung.com/plugin/vmpins...3d/SGH%2Di607/
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...nc1001_sp2.cab
O20 - Winlogon Notify: nnnlkkh - C:\WINDOWS\SYSTEM32\nnnlkkh.dll
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad Click Start , then Run Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\system32\nnnlkkh.dll
Folder::
C:\WINDOWS\system32\vMW02a
C:\Temp\xOe
C:\Program Files\Viewpoint
C:\Documents and Settings\Rich\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
flyngunr
2007-10-09, 15:37
Hi RipChain,
I did your steps and there were a few items missing from the HiJack report, but I checked those that were there, ran and fixed without problems. When I dragged the CFScript.txt file onto combofix, I kept getting the following error: Freeware implementation of REG.EXE has encountered a problem and needs to close. We are sorry for the inconvenience.
And the last one I recieved said I need administrator priviledges to run this program. The kicker is, I AM the administrator for this computer. Any suggestions???
__RiP_ChAiN_
2007-10-09, 21:22
Hello flyngunr,
Please delete any instances you may have of CFScript.txt and try running this modified one:
Hello flyngunr,
1. Please open Notepad Click Start , then Run Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::
File::
C:\WINDOWS\system32\nnnlkkh.dll
Folder::
C:\WINDOWS\system32\vMW02a
C:\Temp\xOe
C:\Program Files\Viewpoint
C:\Documents and Settings\Rich\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
flyngunr
2007-10-10, 06:01
OK, ran the new CFScript and it seemed to work well. After the re-boot, while ComboFix was attempting to write the log, I got the 2 following errors:
acevtsrv.exe:
This application has failed to start becasue acauth.dll was not found. Re-installing the program might ...
and,
agquickp.exe:
This application has failed to start becasue acauth.dll was not found. Re-installing the program might ...
So once I clicked closed both these boxes, ComboFix just seemed to hang there saying that it was attempting to write the log and the cursor blinking underneath.
Awaiting instructions...
__RiP_ChAiN_
2007-10-10, 07:55
Hello flyngunr,
Try rebooting the computer once more, let me know if those error messages come up again.
Please run through combofix once more, I'd like to see if it successfully completed the script.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
flyngunr
2007-10-10, 10:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:07 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: ohb Class - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - (no file)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\001-_D~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\GH4DEN~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\TRAIN~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\MILLED~1.SH! D:\DOWNLO~1\scene82.SH! D:\DOWNLO~1\scene89.SH! D:\MWR\Stills\LIHKNB.SH! C:\DOCUME~1\Rich\APPLIC~1\Sun\Java\DEPLOY~1\cache\javapi\v1.0\jar\COUNTJ~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\TIREOR~1\LACEYL~1.SH!
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: acAuth - acauth.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0034011191992778) (0034011191992778mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\003401~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Rich/Desktop/deskbutt.jpg
--
End of file - 9538 bytes
flyngunr
2007-10-10, 10:28
ComboFix 07-10-07.2 - Rich 2007-10-10 2:16:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.620 [GMT -5:00]
Running from: C:\Documents and Settings\Rich\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-10 00:06 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-08 03:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 16:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-07 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-07 05:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 05:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-06 22:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-06 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 12:38 <DIR> d-------- C:\Program Files\Ad-Aware 2007(2)
2007-10-06 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-10-05 02:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee
2007-10-05 02:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee
2007-10-04 01:48 <DIR> d-------- C:\Temp
2007-10-02 23:05 <DIR> d-------- C:\WINDOWS\FLV Player
2007-10-02 23:05 <DIR> d-------- C:\Program Files\FLV Player
2007-10-01 00:37 <DIR> d-------- C:\Program Files\Any Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 00:06 --------- d-------- C:\Program Files\McAfee
2007-10-10 00:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-08 04:10 --------- d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-10-06 13:09 --------- d-------- C:\Documents and Settings\Rich\Application Data\SiteAdvisor
2007-10-05 01:55 --------- d-------- C:\Documents and Settings\Rich\Application Data\Lavasoft
2007-09-25 01:01 --------- d-------- C:\Program Files\PFE Studyware
2007-09-17 20:32 --------- d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2007-09-14 11:07 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-30 23:44 --------- d-------- C:\Documents and Settings\Guest\Application Data\Real
2007-08-30 23:44 --------- d-------- C:\Documents and Settings\Guest\Application Data\McAfee
2007-08-19 18:43 --------- d-------- C:\Documents and Settings\Rich\Application Data\Real
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-03 17:07:40 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.
((((((((((((((((((((((((((((( snapshot@2007-10-08_ 3.14.48.48 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 32,768 2007-10-10 05:05:41 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-10 05:05:41 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-10-10 05:05:41 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 32,768 2007-10-08 05:28:34 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-08 05:28:34 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 81,920 2007-10-08 05:28:34 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2002-01-16 23:49]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35]
"nwiz"="nwiz.exe" [2005-08-02 16:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-28 14:30]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2006-10-10 18:40]
"acEventServ"="C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe" [2004-06-15 11:34]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 10:42]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 17:43]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\001-_D~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\GH4DEN~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\TRAIN~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\MILLED~1.SH! D:\DOWNLO~1\scene82.SH! D:\DOWNLO~1\scene89.SH! D:\MWR\Stills\LIHKNB.SH! C:\DOCUME~1\Rich\APPLIC~1\Sun\Java\DEPLOY~1\cache\javapi\v1.0\jar\COUNTJ~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\TIREOR~1\LACEYL~1.SH!
C:\Documents and Settings\Rich\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-06-06 16:26:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileSharing"=0 (0x0)
"NoPrintSharing"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
acauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 ACachSrv;ActivCard Authentication Service;C:\Program Files\Common Files\ActivCard\acachsrv.exe
R2 Accoca;ActivCard Gold service;C:\Program Files\Common Files\ActivCard\accoca.exe
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R3 SCRx31 USB Reader;SCRx31 USB Reader;C:\WINDOWS\system32\DRIVERS\stc2.sys
S2 0034011191992778mcinstcleanup;McAfee Application Installer Cleanup (0034011191992778);C:\WINDOWS\TEMP\003401~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 acautoreg;ActivCard Gold Autoregister;C:\Program Files\Common Files\ActivCard\acautoreg.exe
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 22:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-08-15 06:54:48 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-01 06:09:39 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 02:19:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-10 2:21:46
C:\ComboFix ... 2007-10-10 02:21
C:\ComboFix-quarantined-files.txt ... 2007-10-10 02:21
.
--- E O F ---
__RiP_ChAiN_
2007-10-11, 21:35
Hello flyngunr,
A. Please RUN HijackThis
Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:
O2 - BHO: ohb Class - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\SHRED32.EXE" /q C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\001-_D~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\GH4DEN~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~2.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\HUEY_C~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\TRAIN~3.SH! C:\DOCUME~1\Rich\MYDOCU~1\MYRECE~1\MILLED~1.SH! D:\DOWNLO~1\scene82.SH! D:\DOWNLO~1\scene89.SH! D:\MWR\Stills\LIHKNB.SH! C:\DOCUME~1\Rich\APPLIC~1\Sun\Java\DEPLOY~1\cache\javapi\v1.0\jar\COUNTJ~1.SH! C:\DOCUME~1\Rich\MYDOCU~1\TIREOR~1\LACEYL~1.SH!
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad Click Start , then Run Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Driver::
0034011191992778mcinstcleanup
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
flyngunr
2007-10-12, 03:36
OK, the past few times I've rebooted, I've got the following 2 messages:
acevtsrv.exe
this aplication has failed to start because acauth.dll was not found. Reinstalling the apllication may fix this problem.
agquickp.exe
(Same exact message as above)
I think these files belong to my smartcard reader software, can I just reinstall the missing .dll?
Here is the Hijack Log, ComboFix log in the following message:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:58 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: acAuth - acauth.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0025061192072779) (0025061192072779mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\002506~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Rich/Desktop/deskbutt.jpg
--
End of file - 8773 bytes
flyngunr
2007-10-12, 03:41
ComboFix 07-10-07.2 - Rich 2007-10-11 19:10:30.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.609 [GMT -5:00]
Running from: C:\Documents and Settings\Rich\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rich\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.
2007-10-10 00:06 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-08 03:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 16:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-07 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-07 05:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 05:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-06 22:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-06 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 12:38 <DIR> d-------- C:\Program Files\Ad-Aware 2007(2)
2007-10-06 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-10-05 02:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee
2007-10-05 02:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\McAfee
2007-10-04 01:48 <DIR> d-------- C:\Temp
2007-10-02 23:05 <DIR> d-------- C:\WINDOWS\FLV Player
2007-10-02 23:05 <DIR> d-------- C:\Program Files\FLV Player
2007-10-01 00:37 <DIR> d-------- C:\Program Files\Any Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 00:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-10 00:06 --------- d-------- C:\Program Files\McAfee
2007-10-08 04:10 --------- d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-10-06 13:09 --------- d-------- C:\Documents and Settings\Rich\Application Data\SiteAdvisor
2007-10-05 01:55 --------- d-------- C:\Documents and Settings\Rich\Application Data\Lavasoft
2007-09-25 01:01 --------- d-------- C:\Program Files\PFE Studyware
2007-09-17 20:32 --------- d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2007-09-14 11:07 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-30 23:44 --------- d-------- C:\Documents and Settings\Guest\Application Data\Real
2007-08-30 23:44 --------- d-------- C:\Documents and Settings\Guest\Application Data\McAfee
2007-08-19 18:43 --------- d-------- C:\Documents and Settings\Rich\Application Data\Real
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-03 17:07:40 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.
((((((((((((((((((((((((((((( snapshot@2007-10-08_ 3.14.48.48 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 32,768 2007-10-11 21:02:50 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-11 21:02:50 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-10-11 21:02:50 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 32,768 2007-10-08 05:28:34 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-08 05:28:34 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 81,920 2007-10-08 05:28:34 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2002-01-16 23:49]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35]
"nwiz"="nwiz.exe" [2005-08-02 16:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-28 14:30]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2006-10-10 18:40]
"acEventServ"="C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe" [2004-06-15 11:34]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 10:42]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 17:43]
C:\Documents and Settings\Rich\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-06-06 16:26:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileSharing"=0 (0x0)
"NoPrintSharing"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
acauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 ACachSrv;ActivCard Authentication Service;C:\Program Files\Common Files\ActivCard\acachsrv.exe
R2 Accoca;ActivCard Gold service;C:\Program Files\Common Files\ActivCard\accoca.exe
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R3 SCRx31 USB Reader;SCRx31 USB Reader;C:\WINDOWS\system32\DRIVERS\stc2.sys
S2 0025061192072779mcinstcleanup;McAfee Application Installer Cleanup (0025061192072779);C:\WINDOWS\TEMP\002506~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 acautoreg;ActivCard Gold Autoregister;C:\Program Files\Common Files\ActivCard\acautoreg.exe
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 22:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-08-15 06:54:48 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-01 06:09:39 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 19:13:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-11 19:14:58
C:\ComboFix ... 2007-10-11 19:14
C:\ComboFix-quarantined-files.txt ... 2007-10-11 19:14
C:\ComboFix2.txt ... 2007-10-10 02:21
.
--- E O F ---
__RiP_ChAiN_
2007-10-12, 18:42
Hello flyngunr,
I think these files belong to my smartcard reader software, can I just reinstall the missing .dll?
You could try reinstalling the reader software to see if that corrects the error that keeps popping up on startup.
Other then that error, how is your computer currently running now?
flyngunr
2007-10-13, 15:26
Well, it seems like it's gone! Haven't had any more pop ups or slow IE with redirects. Thanks very much RipChain, I was just about tho throw my PC out the window.
Is there anything else I need to do? Do you recommend any specific SpyBot settings or for anyother program?
Thanks again,
FlynGunr
__RiP_ChAiN_
2007-10-13, 21:41
Hello flyngunr,
Thanks very much RipChain, I was just about tho throw my PC out the window.
I've wanted to do that with mine a few times...
Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
here are some additional utilities that will enhance your safety
IE/Spyad (http://www.bleepingcomputer.com/tutorials/tutorial53.html) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)