View Full Version : I need help, can't get rid of virtumunde,vundo,think my ports are open
Hi, I need help badly. I tried to get rid of virtumonde with Norton 2008, spybot search and destroy,vundofix, ms defender, ms livecare tool. Norton removal tool. I can't connect on the internet on this computer. I think I have been hacked. It seems that the virus has learned to hide from detection.
I just ran spybot both in safe mode and normal and it didn't find virtumunde, but I had run it earlier and it found it.
I am pasting my High jack this log. I will gladly make a donation if someone can help me fix this problem.
thanks for your time.
Bill
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:49 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 7115 bytes
steamwiz
2007-11-06, 20:35
Hi
It seems that the virus has learned to hide from detection.
It can run ... but it can't hide ... from us
However it has hidden it's run keys from hijackthis ...
You say you've run vundofix ... please post the log for me, you'll find it here :-
C:\vundofix.txt
THEN ...
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
THEN ...
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
Please remember to post :-
1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. a new hijackthis log.( run after everything else)
steam
Thanks for responding so quickly Steam. I appreciate your help and enthusiam.
I ran vundofix earlier, superantispyware, combofix and reran highjack this. I will attach the logs and wait for your next direction.
Thanks again
Bill
VundoFix V6.5.11
Checking Java version...
Scan started at 11:47:57 AM 10/30/2007
Listing files found while scanning....
C:\WINDOWS\system32\jgcxujrh.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jgcxujrh.dll
C:\WINDOWS\system32\jgcxujrh.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Scan started at 12:00:04 PM 10/30/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Scan started at 4:32:55 PM 10/30/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Scan started at 11:14:43 AM 10/31/2007
Listing files found while scanning....
C:\WINDOWS\system32\gwndagdr.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gwndagdr.dll
C:\WINDOWS\system32\gwndagdr.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Scan started at 1:26:36 PM 11/2/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Scan started at 1:36:42 PM 11/2/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Scan started at 9:51:11 PM 11/5/2007
Listing files found while scanning....
No infected files were found.
------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/06/2007 at 05:47 PM
Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type : Complete Scan
Total Scan Time : 02:05:46
Memory items scanned : 439
Memory threats detected : 1
Registry items scanned : 6807
Registry threats detected : 5
File items scanned : 91594
File threats detected : 3
Trojan.WinFixer
C:\WINDOWS\SYSTEM32\AWTQR.DLL
C:\WINDOWS\SYSTEM32\AWTQR.DLL
HKLM\Software\Classes\CLSID\{F16389E1-E02A-48A9-B46E-DA6F8B504B71}
HKCR\CLSID\{F16389E1-E02A-48A9-B46E-DA6F8B504B71}
HKCR\CLSID\{F16389E1-E02A-48A9-B46E-DA6F8B504B71}\InprocServer32
HKCR\CLSID\{F16389E1-E02A-48A9-B46E-DA6F8B504B71}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F16389E1-E02A-48A9-B46E-DA6F8B504B71}
Adware.Tracking Cookie
C:\Documents and Settings\Bill\Cookies\bill@atdmt[2].txt
C:\Documents and Settings\Bill\Cookies\bill@www.googleadservices[1].txt
-----------------------------------------------------------
ComboFix 07-11-06.4 - Bill 2007-11-06 18:43:57.1 - NTFSx86
Running from: C:\Documents and Settings\Bill\Desktop\downloadedforfix\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Bill\My Documents\SCURIT~1
C:\Program Files\Common Files\sks~1
C:\svchost.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\dcbaqaxn.dll
C:\WINDOWS\system32\nxaqabcd.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\uvvwa.tmp
C:\WINDOWS\system32\xbgbkngx.dll
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\system32\xybeg.tmp
C:\z.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.
2007-11-06 18:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 15:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-06 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 10:52 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2007-11-06 10:52 651,264 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-06 10:52 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-11-06 10:52 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-06 10:49 369,024 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-11-06 07:49 <DIR> d-------- C:\Inetpub
2007-11-05 20:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
2007-11-05 20:15 35,328 --a------ C:\WINDOWS\system32\awtuvtr.dll
2007-11-05 13:20 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-11-05 13:20 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-11-05 13:19 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 13:19 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-03 16:45 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2007-11-03 16:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-02 09:12 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-31 13:26 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-31 12:36 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-31 12:36 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-31 12:36 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-31 12:36 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-31 12:36 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-31 12:36 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-31 12:36 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-31 12:36 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-31 12:03 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-31 05:23 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-30 11:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-30 10:47 <DIR> d-------- C:\VundoFix Backups
2007-10-29 23:54 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-29 23:54 <DIR> d-------- C:\TEMP\mZOr
2007-10-29 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 16:46 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-28 15:27 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\SUPERAntiSpyware.com
2007-10-28 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-28 14:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-28 08:27 <DIR> d--hs---- C:\WINDOWS\V2lsbGlhbSBLaXZp
2007-10-27 14:12 28,672 --a------ C:\Documents and Settings\Carrie\update.exe
2007-10-26 11:03 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Poser 7
2007-10-26 10:31 <DIR> d-------- C:\Program Files\e frontier
2007-10-26 09:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-10-25 11:43 82 --a------ C:\n.bat
2007-10-25 11:43 0 --a------ C:\z.dat
2007-10-24 14:31 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Ahead
2007-10-09 16:54 <DIR> d-------- C:\Program Files\Analog Devices
2007-10-09 16:24 195,096 --a------ C:\WINDOWS\system32\lvci1110.dll
2007-10-09 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-10-09 14:47 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 23:52 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-06 23:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-06 15:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 04:29 --------- d-----w C:\Program Files\Creative
2007-11-06 04:25 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-06 04:22 --------- d-----w C:\Program Files\Web Publish
2007-11-06 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 18:50 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 18:50 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 18:50 --------- d-----w C:\Program Files\Symantec
2007-11-05 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-05 18:17 --------- d-----w C:\Program Files\Yahoo!
2007-10-30 15:52 --------- d-----w C:\Program Files\Google
2007-10-30 15:31 --------- d-----w C:\Program Files\Java
2007-10-28 18:33 --------- d-----w C:\Program Files\ArKaos2_0FC1
2007-10-26 14:42 --------- d-----w C:\Program Files\Macromedia
2007-10-25 16:47 278,540 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-25 16:42 278,539 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-09 21:29 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-10-09 21:23 --------- d-----w C:\Program Files\Logitech
2007-09-24 23:33 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-09 04:39 --------- d-----w C:\Documents and Settings\Bill\Application Data\Yahoo!
2007-09-09 00:29 --------- d-----w C:\Documents and Settings\Carrie\Application Data\Yahoo!
2007-09-08 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-08 04:35 769,536 ----a-w C:\Documents and Settings\Bill\Application Data\sfdnwin.dll
2007-09-08 04:29 --------- d-----w C:\Program Files\Ahead
2007-09-08 04:27 --------- d-----w C:\Program Files\Common Files\Nero
2007-09-08 04:24 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-08 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-08 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-09-07 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Memo save stupid creative
2007-08-29 19:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-13 22:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 22:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 22:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 22:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 22:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-13 22:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-13 22:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-13 22:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2003-07-31 09:53 147,456 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-05 13:40 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-05 20:15 35328 --a------ C:\WINDOWS\system32\awtuvtr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-07 20:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-10-25 11:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\awtuvtr.dll [2007-11-05 20:15 35328]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuvtr]
awtuvtr.dll 2007-11-05 20:15 35328 C:\WINDOWS\system32\awtuvtr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c1b35f9]
rundll32.exe "C:\WINDOWS\system32\dcbaqaxn.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkw_run.exe]
kkw_run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kmw_run.exe]
kmw_run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSWheel]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"aawservice"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WebClient"=2 (0x2)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"lanmanserver"=2 (0x2)
"HidServ"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"aliasdocserver"=2 (0x2)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"Autodesk Licensing Service"=2 (0x2)
"lanmanworkstation"=2 (0x2)
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 cinemclc;CineMaster C 3.0 WDM Main Driver;C:\WINDOWS\system32\drivers\cinemclc.sys
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
R3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
R3 vdmindvd;Cinemaster C WDM DVD Driver;C:\WINDOWS\system32\drivers\vdmindvd.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S4 aliasdocserver;Alias Documentation Server;"C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf"
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 23:55:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-06 01:09:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bill.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 18:55:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-06 18:58:14 - machine was rebooted
.
--- E O F ---
----------------------------------------------------------
hijack this log will be on seperate post
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:21 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy2\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 7450 bytes
steamwiz
2007-11-07, 21:11
Hi
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\awtuvtr.dll
C:\n.bat
C:\z.dat
C:\WINDOWS\Fonts\svchost.exe
Folder::
C:\WINDOWS\system32\Mz18r
C:\TEMP\mZOr
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuvtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c1b35f9]
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
thanks again for the help. this has been a nightmare to say the least.
ComboFix 07-11-06.4 - Bill 2007-11-07 15:41:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2525 [GMT -5:00]
Running from: C:\Documents and Settings\Bill\Desktop\downloadedforfix\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\n.bat
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\awtuvtr.dll
C:\z.dat
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Bill\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Bill\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Bill\Favorites\Online Security Guide.lnk
C:\n.bat
C:\TEMP\mZOr
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\awtuvtr.dll
C:\WINDOWS\system32\jophhkub.dllbox
C:\WINDOWS\system32\Mz18r
C:\z.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.
2007-11-07 10:17 86,080 --a------ C:\WINDOWS\system32\eaunmeqr.dll
2007-11-07 10:11 79,936 --a------ C:\WINDOWS\system32\hqbprorn.dll
2007-11-07 10:06 145,984 --a------ C:\WINDOWS\system32\jophhkub.dll
2007-11-07 10:05 145,984 --a------ C:\WINDOWS\system32\ihlkplin.dll
2007-11-07 10:03 422,864 --ahs---- C:\WINDOWS\system32\prutv.bak2
2007-11-06 20:00 6,658 --ahs---- C:\WINDOWS\system32\prutv.bak1
2007-11-06 18:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 15:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-06 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 10:52 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2007-11-06 10:52 651,264 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-06 10:52 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-11-06 10:52 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-06 10:49 369,024 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-11-06 07:49 <DIR> d-------- C:\Inetpub
2007-11-05 20:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
2007-11-05 13:20 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-11-05 13:20 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-11-05 13:19 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 13:19 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-03 16:45 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2007-11-03 16:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-02 09:12 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-31 13:26 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-31 12:36 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-31 12:36 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-31 12:36 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-31 12:36 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-31 12:36 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-31 12:36 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-31 12:36 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-31 12:36 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-31 12:03 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-31 05:23 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-30 11:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-30 10:47 <DIR> d-------- C:\VundoFix Backups
2007-10-29 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 16:46 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-28 15:27 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\SUPERAntiSpyware.com
2007-10-28 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-28 14:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-28 08:27 <DIR> d--hs---- C:\WINDOWS\V2lsbGlhbSBLaXZp
2007-10-27 14:12 28,672 --a------ C:\Documents and Settings\Carrie\update.exe
2007-10-26 11:03 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Poser 7
2007-10-26 10:31 <DIR> d-------- C:\Program Files\e frontier
2007-10-26 09:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-10-24 14:31 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Ahead
2007-10-09 16:54 <DIR> d-------- C:\Program Files\Analog Devices
2007-10-09 16:24 195,096 --a------ C:\WINDOWS\system32\lvci1110.dll
2007-10-09 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-10-09 14:47 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 20:52 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-07 20:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-06 15:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 04:29 --------- d-----w C:\Program Files\Creative
2007-11-06 04:25 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-06 04:22 --------- d-----w C:\Program Files\Web Publish
2007-11-06 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 18:50 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 18:50 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 18:50 --------- d-----w C:\Program Files\Symantec
2007-11-05 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-05 18:17 --------- d-----w C:\Program Files\Yahoo!
2007-10-30 15:52 --------- d-----w C:\Program Files\Google
2007-10-30 15:31 --------- d-----w C:\Program Files\Java
2007-10-28 18:33 --------- d-----w C:\Program Files\ArKaos2_0FC1
2007-10-26 14:42 --------- d-----w C:\Program Files\Macromedia
2007-10-25 16:47 278,540 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-09 21:29 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-10-09 21:23 --------- d-----w C:\Program Files\Logitech
2007-09-24 23:33 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-09 04:39 --------- d-----w C:\Documents and Settings\Bill\Application Data\Yahoo!
2007-09-09 00:29 --------- d-----w C:\Documents and Settings\Carrie\Application Data\Yahoo!
2007-09-08 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-08 04:35 769,536 ----a-w C:\Documents and Settings\Bill\Application Data\sfdnwin.dll
2007-09-08 04:29 --------- d-----w C:\Program Files\Ahead
2007-09-08 04:27 --------- d-----w C:\Program Files\Common Files\Nero
2007-09-08 04:24 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-08 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-08 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-09-07 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Memo save stupid creative
2003-07-31 09:53 147,456 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.
((((((((((((((((((((((((((((( snapshot@2007-11-06_18.56.43.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-05 13:40 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 10:06 145984 --a------ C:\WINDOWS\system32\jophhkub.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E244B46B-C69B-4267-9411-C5050ECCB60D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\jophhkub.dll [2007-11-07 10:06 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-07 20:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuvtr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jophhkub]
jophhkub.dll 2007-11-07 10:06 145984 C:\WINDOWS\system32\jophhkub.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkw_run.exe]
kkw_run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kmw_run.exe]
kmw_run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSWheel]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"aawservice"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WebClient"=2 (0x2)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"lanmanserver"=2 (0x2)
"HidServ"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"aliasdocserver"=2 (0x2)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"Autodesk Licensing Service"=2 (0x2)
"lanmanworkstation"=2 (0x2)
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 cinemclc;CineMaster C 3.0 WDM Main Driver;C:\WINDOWS\system32\drivers\cinemclc.sys
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
R3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
R3 vdmindvd;Cinemaster C WDM DVD Driver;C:\WINDOWS\system32\drivers\vdmindvd.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S4 aliasdocserver;Alias Documentation Server;"C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf"
.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 20:55:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-06 01:09:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bill.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 15:53:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-07 15:57:34 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-06 18:58
.
--- E O F ---
-----------------
hjt log will be seperate it was too long.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:48 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jophhkub.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E244B46B-C69B-4267-9411-C5050ECCB60D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jophhkub.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jophhkub - C:\WINDOWS\SYSTEM32\jophhkub.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 8421 bytes
steamwiz
2007-11-07, 22:41
HI
You have more ... this can happen if the original malware isn't removed quick enough ...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\eaunmeqr.dll
C:\WINDOWS\system32\hqbprorn.dll
C:\WINDOWS\system32\jophhkub.dll
C:\WINDOWS\system32\ihlkplin.dll
C:\WINDOWS\system32\prutv.bak2
C:\WINDOWS\system32\prutv.bak1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E244B46B-C69B-4267-9411-C5050ECCB60D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuvtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jophhkub]
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
ComboFix 07-11-06.4 - Bill 2007-11-07 16:51:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2518 [GMT -5:00]
Running from: C:\Documents and Settings\Bill\Desktop\downloadedforfix\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\eaunmeqr.dll
C:\WINDOWS\system32\hqbprorn.dll
C:\WINDOWS\system32\ihlkplin.dll
C:\WINDOWS\system32\jophhkub.dll
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\prutv.bak2
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\eaunmeqr.dll
C:\WINDOWS\system32\hqbprorn.dll
C:\WINDOWS\system32\ihlkplin.dll
C:\WINDOWS\system32\jophhkub.dll
C:\WINDOWS\system32\jophhkub.dllbox
C:\WINDOWS\system32\prutv.bak1
C:\WINDOWS\system32\prutv.bak2
.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.
2007-11-06 18:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 15:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-06 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 10:52 1,396,831 --a------ C:\WINDOWS\system32\AegisE5.dll
2007-11-06 10:52 651,264 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-06 10:52 147,456 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-11-06 10:52 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-11-06 10:49 369,024 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-11-06 07:49 <DIR> d-------- C:\Inetpub
2007-11-05 20:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
2007-11-05 13:20 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-11-05 13:20 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-11-05 13:19 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 13:19 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-03 16:45 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2007-11-03 16:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-02 09:12 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-31 13:26 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-31 12:36 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-31 12:36 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-31 12:36 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-31 12:36 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-31 12:36 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-31 12:36 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-31 12:36 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-31 12:36 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-31 12:03 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-31 05:23 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-30 11:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-30 10:47 <DIR> d-------- C:\VundoFix Backups
2007-10-29 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 16:46 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-28 15:27 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\SUPERAntiSpyware.com
2007-10-28 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-28 14:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-28 08:27 <DIR> d--hs---- C:\WINDOWS\V2lsbGlhbSBLaXZp
2007-10-27 14:12 28,672 --a------ C:\Documents and Settings\Carrie\update.exe
2007-10-26 11:03 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Poser 7
2007-10-26 10:31 <DIR> d-------- C:\Program Files\e frontier
2007-10-26 09:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-10-24 14:31 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Ahead
2007-10-09 16:54 <DIR> d-------- C:\Program Files\Analog Devices
2007-10-09 16:24 195,096 --a------ C:\WINDOWS\system32\lvci1110.dll
2007-10-09 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-10-09 14:47 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 22:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 21:59 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-06 15:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-06 04:29 --------- d-----w C:\Program Files\Creative
2007-11-06 04:25 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-06 04:22 --------- d-----w C:\Program Files\Web Publish
2007-11-06 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 18:50 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 18:50 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 18:50 --------- d-----w C:\Program Files\Symantec
2007-11-05 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-05 18:17 --------- d-----w C:\Program Files\Yahoo!
2007-10-30 15:52 --------- d-----w C:\Program Files\Google
2007-10-30 15:31 --------- d-----w C:\Program Files\Java
2007-10-28 18:33 --------- d-----w C:\Program Files\ArKaos2_0FC1
2007-10-26 14:42 --------- d-----w C:\Program Files\Macromedia
2007-10-25 16:47 278,540 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-10-09 21:29 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-10-09 21:23 --------- d-----w C:\Program Files\Logitech
2007-09-24 23:33 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-09 04:39 --------- d-----w C:\Documents and Settings\Bill\Application Data\Yahoo!
2007-09-09 00:29 --------- d-----w C:\Documents and Settings\Carrie\Application Data\Yahoo!
2007-09-08 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-08 04:35 769,536 ----a-w C:\Documents and Settings\Bill\Application Data\sfdnwin.dll
2007-09-08 04:29 --------- d-----w C:\Program Files\Ahead
2007-09-08 04:27 --------- d-----w C:\Program Files\Common Files\Nero
2007-09-08 04:24 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-08 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-08 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-09-07 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Memo save stupid creative
.
((((((((((((((((((((((((((((( snapshot@2007-11-06_18.56.43.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-05 13:40 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E244B46B-C69B-4267-9411-C5050ECCB60D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-07 20:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuvtr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkw_run.exe]
kkw_run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kmw_run.exe]
kmw_run.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSWheel]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"aawservice"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WebClient"=2 (0x2)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"mnmsrvc"=3 (0x3)
"lanmanserver"=2 (0x2)
"HidServ"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"aliasdocserver"=2 (0x2)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"Autodesk Licensing Service"=2 (0x2)
"lanmanworkstation"=2 (0x2)
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 cinemclc;CineMaster C 3.0 WDM Main Driver;C:\WINDOWS\system32\drivers\cinemclc.sys
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
R3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
R3 vdmindvd;Cinemaster C WDM DVD Driver;C:\WINDOWS\system32\drivers\vdmindvd.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S4 aliasdocserver;Alias Documentation Server;"C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf"
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 20:55:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-06 01:09:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bill.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 17:00:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-07 17:02:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-07 15:57
C:\ComboFix3.txt ... 2007-11-06 18:58
.
--- E O F ---
hjt coming on sep post
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:11 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 8084 bytes
steamwiz
2007-11-08, 18:40
Hi
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
REBOOT ... run hijackthis & post a new log ..
steam
Hey Steam!
I ran the fix and here is the new hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:14 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 7714 bytes
steamwiz
2007-11-08, 21:04
Hi
Your logs are clean now :)
Please do this & let me know if your problem is resolved ?
Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
cheers
steam
Ok, I ran the program as advised. It ran fine. I rebooted.
I had previously uninstalled my lynksys wireless network card in the last step. It had an Aegis protocol listed in it's configuration.
When I reinstalled the card and software. The Aegis protocol reinstalled itself. I tried to find any documentation of this on Linksys website and I could not find anything. I found a GEMWEP.dll on linksys install disc. I think this is same name as the company that wrote the Aegis protocol, but there aren't any drivers on disc for it, but it had a driver.
Can you advise me what this is, and why it has installed itself.
Hi steam, so this thing is still not dead yet. I do appreciate all your help. Here is what I found today.
ok, so something is still trying to restart virtumonde. this is from windows defender. I currently have it quarentined
Category:
Adware
Description:
This program displays pop-up advertisements.
Advice:
Remove this software immediately.
Resources:
file:
C:\qoobox\Quarantine\C\WINDOWS\system32\xbgbkngx.dll.vir
file:
C:\System Volume Information\_restore{D44F3FC5-52AF-4F94-9AE6-40017F7D9AD6}\RP3\A0001031.dll
after I hit quarantine, my spybot tea timer brought up this warning
system startup user entry
change: value added
entry dwqueuedreporting
newdata "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe"-t
I have not allowed or denyed this yet, as I am not sure what to do.
thanks again for your help.
Bill
steamwiz
2007-11-09, 21:47
HI
dwtrig20.exe is the Watson Subscriber for SENS Network Notifications.
It is part of the Microsoft error reporting procedure ... dr watson\event log etc,
It's safe to allow ...
-
The virtumonde file found by windows defender has already been deleted\quarantined by Combofix ... & it looks like it's found it in a restore point as well ... OK as long as you don't perform a system restore ...
-
I really don't know what's happened to your internet connection ... why did you uninstall the lynksys wireless network card ?
The Aegis protocol is the wireless protocol IEEE 802.1x I believe ...
If this wireless network card connects to a wireless router, then I would suggest that you unplug the router & let it reset itself ... but this is not my area & not malware ...
Back to the malware ...
Delete this folder :- C:\qoobox & then run defender again ..
I would suggest you purge your restore points, but you may need one if you have problems with your network card ... you may want to go back to a time when it was working ... of course if you do that ... all the malware will be back ...
steam
thanks for replying. I have deleted the qoobox file and I am running defender now.
I had removed the network card because I had found a couple of ports open and I had seen the aegis protocol and I could not find any documentation this on Linksys website. I thought it might have been part of the problem. i thought it might has been part of a peer to peer program. I am probably wrong. I just am getting a bit parinoid at this point.
I can reinstall the card again. This will likely reload aegis. I just don't understand why it is not listed on the disc. I have a laptop that I am using to do this fix and It does not have aegis protocol and it is wireless, and has linksys drivers.
quick scan with defender just stopped, it was clean.
I will clear restore and reinstall my card. I will let you know if anything else pops up.
thanks
Bill
steamwiz
2007-11-10, 00:20
Hi Bill
Found this :-
http://en.wikipedia.org/wiki/AEGIS_(network)
& this :-
http://www.intel.com/support/wireless/wlan/pro3945abg/sb/cs-025428.htm
I've just checked my own wireless network connection & I have the same The AEGIS Protocol (IEEE 802.1X) checked in my connection ...
steam
Hey Steam. So far it appears everything is good. I am not having any pop ups and my antivirus and antispywear software if calm.
I loaded the driver for my network card w/o running the Linksys disc and the Aegis protocal was not installed. I see it has something to do with WAP. I have WAP on the router settings.
Let me know if there is anything else I should do to protect my computer moving forward. I appreciate your help and your time.
Thanks
Bill
steamwiz
2007-11-11, 23:30
Hey Bill
I'm sorry that first link in my previous post isn't working
Notice the bracket at the end if the URL ) ... it isn't being picked up
make sure that ) is in place when you have it in the address bar & it will go to the article I meant you to see ...
I'll try posting it again ...
http://en.wikipedia.org/wiki/AEGIS_(network)) ... I added an extra ) & now it works
I believe it is used to provide the WPA encryption for the router ...
Take a look at this article by TonyKlein for ways to help you stay safe on the net ...
http://forums.spybot.info/showthread.php?t=279
cheers
steam