Help Please?! - Integrity Threat Detected pop up



ricbenson
2007-10-29, 09:14
Hi Guys,

Can someone please help me remove the "Integrity Threat Detected" pop up please.

Here's my HijackThis log:

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:27 PM, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Egseewks\npnojpap.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v1.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [uxcvoraf] rundll32.exe "C:\Program Files\uxcvoraf\kpqlwhmn.dll",Init
O4 - HKLM\..\Run: [fgpsbepq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fgpsbepq.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [rqjcfglq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqjcfglq.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe
O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.highend3d.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158479117406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158479290906
O20 - Winlogon Notify: vtutuvt - C:\WINDOWS\
O20 - Winlogon Notify: winlbu32 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe

--
End of file - 8156 bytes
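As an added illustration, not code from this thread or from HijackThis, here is a small Python triage over the entry types that the cleanup in this thread ended up targeting. The heuristics are assumptions drawn from the indicators visible in the log above: pseudo-random Run value names, `regsvr32 /u` used as a logon loader, Winlogon Notify packages listed without a DLL file name, and a BHO with no display name; the sample lines are copied from the log and mixed with legitimate entries so it runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines taken from the HijackThis log posted above,
# mixed with legitimate entries so the triage has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Egseewks\npnojpap.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [uxcvoraf] rundll32.exe "C:\Program Files\uxcvoraf\kpqlwhmn.dll",Init
O4 - HKLM\..\Run: [fgpsbepq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fgpsbepq.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: vtutuvt - C:\WINDOWS\
O20 - Winlogon Notify: winlbu32 - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Heuristic (an assumption, not a HijackThis rule): names like uxcvoraf,
# fgpsbepq, rqjcfglq and vtutuvt in the log are 7-8 lowercase letters with
# no recognisable word in them.
RANDOM_NAME = re.compile(r"^[a-z]{7,8}$")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _check_o2(m, f):
    # A BHO that registers no display name is unusual for commercial software.
    if m["name"].strip() == "(no name)":
        f.reasons.append("BHO registered without a display name")


def _check_o4(m, f):
    name, cmd = m["name"], m["cmd"].lower()
    if RANDOM_NAME.match(name):
        f.reasons.append("pseudo-random Run value name")
    if "regsvr32 /u" in cmd:
        # Unregistering at every logon is a loader trick: DllUnregisterServer
        # runs arbitrary code inside the DLL each time the key is processed.
        f.reasons.append("regsvr32 /u in a Run key loads the DLL at every logon")
    dll_loader = "rundll32" in cmd or "regsvr32" in cmd
    # Only flag explicit paths; a bare file name (NvMCTray.dll) is resolved
    # from the system search path and is normal for driver helpers.
    if dll_loader and ".dll" in cmd and "\\" in cmd and "\\windows\\" not in cmd:
        f.reasons.append("rundll32/regsvr32 loads a DLL from outside the Windows directory")


def _check_o20(m, f):
    if RANDOM_NAME.match(m["name"]):
        f.reasons.append("pseudo-random Winlogon Notify package name")
    if m["path"].endswith("\\"):
        # HijackThis could not resolve the DLL: the entry names a directory
        # only, so the file is found by bare name at logon.
        f.reasons.append("Notify DLL listed as a bare directory, no file name resolved")


CHECKS = ((O2_RE, _check_o2), (O4_RE, _check_o4), (O20_RE, _check_o20))


def triage(log_text: str) -> list:
    """Return a Finding for every O2/O4/O20 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                f = Finding(line)
                check(m, f)
                if f.reasons:
                    findings.append(f)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

The heuristics are deliberately narrow; an unfamiliar vendor name or an unsigned binary is a reason to look up the file, not a verdict, which is why the helper in this thread sends e404.v1.dll to a multi-engine scanner before acting on it.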

Shaba
2007-10-29, 10:09
Hi ricbenson

1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

ricbenson
2007-10-29, 11:28
Hi Shaba,

Thanks for your help. Much appreciated.

Here's my log -

ComboFix 07-10-28.2 - Administrator 2007-10-29 21:11:03.1 - NTFSx86
* Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS - system32: deleted 68198 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\SKS~1
C:\Documents and Settings\Administrator\Application Data\SKS~1\??sks\
C:\Documents and Settings\All Users\Application Data.\rqjcfglq.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\lidkfqkv
C:\WINDOWS\system32\lidkfqkv\bg1.gif
C:\WINDOWS\system32\lidkfqkv\bgtop.gif
C:\WINDOWS\system32\lidkfqkv\bottom1.gif
C:\WINDOWS\system32\lidkfqkv\essentials.gif
C:\WINDOWS\system32\lidkfqkv\icon1.ico
C:\WINDOWS\system32\lidkfqkv\install1.gif
C:\WINDOWS\system32\lidkfqkv\left1.gif
C:\WINDOWS\system32\lidkfqkv\li.gif
C:\WINDOWS\system32\lidkfqkv\lidkfqkv2.exe
C:\WINDOWS\system32\lidkfqkv\lidkfqkv3.exe
C:\WINDOWS\system32\lidkfqkv\logo.gif
C:\WINDOWS\system32\lidkfqkv\main.htm
C:\WINDOWS\system32\lidkfqkv\mainframe.htm
C:\WINDOWS\system32\lidkfqkv\reinstall1.gif
C:\WINDOWS\system32\lidkfqkv\right1.gif
C:\WINDOWS\system32\lidkfqkv\s1.htm
C:\WINDOWS\system32\lidkfqkv\s2.htm
C:\WINDOWS\system32\lidkfqkv\s3.htm
C:\WINDOWS\system32\lidkfqkv\SMTop1.gif
C:\WINDOWS\system32\lidkfqkv\SMTop2.gif
C:\WINDOWS\system32\lidkfqkv\SMTop3.gif
C:\WINDOWS\system32\lidkfqkv\SMTop4.gif
C:\WINDOWS\system32\lidkfqkv\soft1_off.gif
C:\WINDOWS\system32\lidkfqkv\soft1_off_ext.gif
C:\WINDOWS\system32\lidkfqkv\soft1_on.gif
C:\WINDOWS\system32\lidkfqkv\soft1_on_ext.gif
C:\WINDOWS\system32\lidkfqkv\soft2_off.gif
C:\WINDOWS\system32\lidkfqkv\soft2_off_ext.gif
C:\WINDOWS\system32\lidkfqkv\soft2_on.gif
C:\WINDOWS\system32\lidkfqkv\soft2_on_ext.gif
C:\WINDOWS\system32\lidkfqkv\soft3_off.gif
C:\WINDOWS\system32\lidkfqkv\soft3_off_ext.gif
C:\WINDOWS\system32\lidkfqkv\soft3_on.gif
C:\WINDOWS\system32\lidkfqkv\soft3_on_ext.gif
C:\WINDOWS\system32\lidkfqkv\softbottom_off.gif
C:\WINDOWS\system32\lidkfqkv\softbottom_on.gif
C:\WINDOWS\system32\lidkfqkv\softleft_off.gif
C:\WINDOWS\system32\lidkfqkv\softleft_on.gif
C:\WINDOWS\system32\lidkfqkv\top1.gif
C:\WINDOWS\system32\lidkfqkv\top2.gif
C:\WINDOWS\system32\lidkfqkv\turnoff1.gif
C:\WINDOWS\system32\lidkfqkv\turnon1.gif
C:\WINDOWS\system32\nvrssk.dll
C:\WINDOWS\system32\nvrssl.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-29 21:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 20:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-29 20:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-29 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-29 16:35 <DIR> d-------- C:\Program Files\Gabest
2007-10-29 16:35 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-29 16:35 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-10-29 16:34 <DIR> d-------- C:\Program Files\AutoGK
2007-10-29 15:58 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-10-29 10:41 <DIR> d-------- C:\Program Files\Egseewks
2007-10-28 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-28 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-10-28 21:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
2007-10-28 21:11 <DIR> d-------- C:\Program Files\Comodo
2007-10-28 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 19:56 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2007-10-28 19:05 <DIR> d-------- C:\Program Files\E404 Helper
2007-10-28 19:05 14,848 --a------ C:\Program Files\msc.exe
2007-10-28 19:00 9,728 --a------ C:\Program Files\hlpsrv.exe
2007-10-28 16:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-28 16:07 <DIR> d-------- C:\Program Files\Blaze Media Pro
2007-10-28 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-10-28 15:44 <DIR> d-------- C:\Program Files\uxcvoraf
2007-10-28 15:44 <DIR> d-------- C:\Program Files\Kukpaaug
2007-10-28 15:44 32,256 --a------ C:\WINDOWS\system32\byxyxxx.dll
2007-10-28 15:25 <DIR> d-------- C:\Program Files\Steganos Internet Anonym 2006
2007-10-28 15:25 <DIR> d-------- C:\Program Files\Secure Surfing Engine
2007-10-28 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-26 21:04 <DIR> d-------- C:\Program Files\RedTube Movie Ripper V1.1.1
2007-10-26 21:04 81,920 --a------ C:\WINDOWS\system32\GkSui20.EXE
2007-10-25 00:02 <DIR> d-------- C:\Documents and Settings\Administrator\dwhelper
2007-10-24 23:38 <DIR> d-------- C:\Program Files\UnH Solutions
2007-10-24 09:04 <DIR> d-------- C:\Program Files\iTunes
2007-10-24 09:04 <DIR> d-------- C:\Program Files\iPod
2007-10-22 23:59 <DIR> d-------- C:\etax2007
2007-10-22 23:23 <DIR> d-------- C:\Program Files\Ares
2007-10-22 22:54 <DIR> d-------- C:\Program Files\QuickTime
2007-10-22 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-22 19:58 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-22 00:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-20 21:11 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-20 21:10 <DIR> d-------- C:\Program Files\ASUS WiFi-AP Solo
2007-10-20 21:10 175,872 --a------ C:\WINDOWS\system32\drivers\RTL8187.sys
2007-10-20 21:10 13,532 --a------ C:\WINDOWS\system32\drivers\SjyPkt.sys
2007-10-15 22:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ethereal
2007-10-15 22:34 <DIR> d-------- C:\Program Files\WinPcap
2007-10-10 18:06 <DIR> d-------- C:\Program Files\WinFF
2007-10-10 18:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Winff
2007-10-09 23:26 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-10-09 18:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2007-10-09 17:54 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-10-09 17:54 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-10-09 17:54 737,280 --a------ C:\WINDOWS\iun6002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 05:55 --------- d-----w C:\Program Files\EasyDVDConverter
2007-10-29 05:42 --------- d-----w C:\Program Files\eMule
2007-10-28 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-28 06:49 --------- d-----w C:\Program Files\McAfee
2007-10-28 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2007-10-22 11:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-20 13:10 --------- d-----w C:\Program Files\Color_Cop
2007-10-20 11:36 --------- d-----w C:\Program Files\LimeWire
2007-10-20 10:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 09:48 --------- d-----w C:\Program Files\OptusNet DSL Internet
2007-10-09 09:09 --------- d-----w C:\Program Files\Winamp
2007-09-26 07:37 --------- d-----w C:\Program Files\Institute of Animation - Facial Animation Toolset 1.2
2007-09-14 11:26 --------- d-----w C:\Program Files\FLV Player
2007-08-12 09:08 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-08-12 09:08 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-08-12 09:08 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-08-12 09:08 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-08-12 09:08 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-08-12 09:08 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-08-12 09:08 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-08-12 09:08 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-08-12 09:08 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DFCFB5E-3974-3338-8F09-0B2552E546A8}]
2007-10-29 10:41 94208 --a------ C:\Program Files\Egseewks\npnojpap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
2007-10-28 19:05 15872 --a------ C:\Program Files\E404 Helper\e404.v1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 16:29]
"nwiz"="nwiz.exe" [2006-03-09 16:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-03-09 16:29 C:\WINDOWS\system32\nvmctray.dll]
"RegistryMechanic"="" []
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 18:34 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
"Ai Quicker Help"="C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe" [2006-11-09 21:29]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe" [2006-11-14 14:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 17:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-24 09:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 20:31]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-10-29 20:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SIA2006"="C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 01:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 01:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-10-20 21:10:44]
ComproRemote.lnk - C:\Program Files\Common Files\VideoMate\ComproRemote.exe [2007-07-22 21:15:56]
ComproSchedulerDTV.lnk - C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe [2007-08-09 10:09:51]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 06:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutuvt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlbu32]

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
R3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
R3 SjyPkt;SjyPkt;\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys
R3 VMHybrid;VMHybrid service;C:\WINDOWS\system32\DRIVERS\VMHybrid.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys

*Newly Created Service* - SJYPKT
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 21:21:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-29 21:23:47 - machine was rebooted
.
--- E O F ---

Shaba
2007-10-29, 11:37
Hi

How about a fresh HijackThis log? :)

ricbenson
2007-10-29, 23:07
Hi Shaba,

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:57 AM, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Egseewks\npnojpap.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v1.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe
O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.highend3d.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158479117406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158479290906
O20 - Winlogon Notify: vtutuvt - C:\WINDOWS\
O20 - Winlogon Notify: winlbu32 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe

--
End of file - 7916 bytes

Shaba
2007-10-30, 09:43
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Program Files\E404 Helper\e404.v1.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

ricbenson
2007-10-30, 11:55
Hi Shaba,

Here's the e404 log:

File e404.v1.dll received on 10.30.2007 11:45:36 (CET)
Result: 11/32 (34.38%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.30.0 2007.10.30 -
AntiVir 7.6.0.30 2007.10.30 ADSPY/Bho.DB.1
Authentium 4.93.8 2007.10.29 -
Avast 4.7.1074.0 2007.10.30 -
AVG 7.5.0.503 2007.10.29 Adware Generic2.UNY
BitDefender 7.2 2007.10.30 -
CAT-QuickHeal 9.00 2007.10.29 AdWare.BHO.je (Not a Virus)
ClamAV 0.91.2 2007.10.30 -
DrWeb 4.44.0.09170 2007.10.30 -
eSafe 7.0.15.0 2007.10.28 Suspicious File
eTrust-Vet 31.2.5253 2007.10.30 -
Ewido 4.0 2007.10.29 -
FileAdvisor 1 2007.10.30 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.29 W32/Adware.YTL
F-Secure 6.70.13030.0 2007.10.30 -
Ikarus T3.1.1.12 2007.10.30 -
Kaspersky 7.0.0.125 2007.10.30 not-a-virus:AdWare.Win32.BHO.je
McAfee 5151 2007.10.29 potentially unwanted program Adware-BHO
Microsoft 1.2908 2007.10.30 -
NOD32v2 2626 2007.10.30 -
Norman 5.80.02 2007.10.29 -
Panda 9.0.0.4 2007.10.30 Suspicious file
Prevx1 V2 2007.10.30 Heuristic: Suspicious Self Modifying File
Rising 19.47.12.00 2007.10.30 -
Sophos 4.23.0 2007.10.30 -
Sunbelt 2.2.907.0 2007.10.29 VIPRE.Suspicious
Symantec 10 2007.10.30 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.29 -
Webwasher-Gateway 6.6.1 2007.10.30 Ad-Spyware.Bho.DB.1
Additional information
File size: 15872 bytes
MD5: f114ca5f2bcd702e9874e236cc2ad75b
SHA1: d3b3c55eb46a8eb0984a44bdb532c459d5d64405
packers: PE_Patch.PECompact, PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=40AC1DF600F9706A3EC900063BAC3800E99EAB48
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Shaba
2007-10-30, 12:06
Hi

Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop.

C:\Program Files\E404 Helper\e404.v1.dll

Go to spykiller (http://www.thespykiller.co.uk/index.php?PHPSESSID=d65884362fbc872b70e1a9a9a7e13700&board=1.0)

Press new topic, make the thread's title "Files for Shaba".
Include in your message a link to here, then attach the cab/zip file to your message and post the topic.
If you can't locate it through the browse button, just copy/paste the filename and path.

Reply after that and we'll continue :)

Shaba
2007-11-06, 09:53
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.