View Full Version : Virtumonde + other trojans
straightjacket
2007-11-28, 07:13
I read the sticky but unfortunately I was not able to get Kaspersky working as IE keeps on getting swamped by pop ups and other nuisance.
I have already tried to self-diagnose this laptop many times and although it seems to be better for a few days the same old problems keep on cropping up. I just ran Vundofix & this is the subsequent HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:02:35, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\vtustur.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win367.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195224915548
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/winfixer.com/www/pages/scanner/WinFixerScannerInstall.cab
O20 - Winlogon Notify: vtustur - C:\WINDOWS\SYSTEM32\vtustur.dll
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 6868 bytes
Thanks for your help guys :)
Hello straightjacket
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Your infected with the Vundo Trojan along with a backdoor trojan that lets this garbage in
Open Hijackthis to Scan Only, close all open windows including this one , place a checkmark in the following entries and click on Fix Checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\vtustur.dll
O4 - HKLM\..\Run: [smgr] mgrs.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O20 - Winlogon Notify: vtustur - C:\WINDOWS\SYSTEM32\vtustur.dll
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll
Delete these files in RED
C:\WINDOWS\mgrs.exe
C:\WINDOWS\SYSTEM32\winwim32.dll
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
The thieves that have written Vundo have written it to evade a HJT scan so we need to rename it
This is important, do this before you post a HJT log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass )and rename it to Scanner.exe
I need to see......
1. Vundofix log
2. Combofix log
3. New HJT log renamed to Scanner.exe
straightjacket
2007-11-28, 18:49
Hi ken545, thanks very much for your help.
I ran Vundofix but it did not detect anything, so I have attached the Combofix log as it is too long to post here.
This is the subsequent HJT log after I ran Combofix:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:21, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\vtustur.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195224915548
O20 - Winlogon Notify: vtustur - C:\WINDOWS\SYSTEM32\vtustur.dll
O21 - SSODL: E404Helper - {564c690e-cc6b-4aca-923d-3c13a27c5232} - e404d.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 6038 bytes
straightjacket
2007-11-28, 18:51
Sorry, I thought I could attach the Combofix log as an attachment but it is too big. Here is it in Part 1 of the log:
ComboFix 07-11-19.4C - kathie 2007-11-28 16:24:16.1 - NTFSx86
Running from: C:\Documents and Settings\kathie.ATCM-JIDONG\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\ilgrubav.dll
C:\Documents and Settings\kathie.ATCM-JIDONG\Favorites\Online Security Guide.lnk
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\racle~1
C:\WINDOWS\racle~1\?racle\
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\SYSTEM32\ijjlm.ini2
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\SYSTEM32\qtvwa.ini
C:\WINDOWS\SYSTEM32\qtvwa.ini2
C:\WINDOWS\system32\tpcwdoia
C:\WINDOWS\system32\tpcwdoia\bg1.gif
C:\WINDOWS\system32\tpcwdoia\bgtop.gif
C:\WINDOWS\system32\tpcwdoia\bottom1.gif
C:\WINDOWS\system32\tpcwdoia\essentials.gif
C:\WINDOWS\system32\tpcwdoia\icon1.ico
C:\WINDOWS\system32\tpcwdoia\install1.gif
C:\WINDOWS\system32\tpcwdoia\left1.gif
C:\WINDOWS\system32\tpcwdoia\li.gif
C:\WINDOWS\system32\tpcwdoia\logo.gif
C:\WINDOWS\system32\tpcwdoia\main.htm
C:\WINDOWS\system32\tpcwdoia\mainframe.htm
C:\WINDOWS\system32\tpcwdoia\reinstall1.gif
C:\WINDOWS\system32\tpcwdoia\right1.gif
C:\WINDOWS\system32\tpcwdoia\s1.htm
C:\WINDOWS\system32\tpcwdoia\s2.htm
C:\WINDOWS\system32\tpcwdoia\s3.htm
C:\WINDOWS\system32\tpcwdoia\SMTop1.gif
C:\WINDOWS\system32\tpcwdoia\SMTop2.gif
C:\WINDOWS\system32\tpcwdoia\SMTop3.gif
C:\WINDOWS\system32\tpcwdoia\SMTop4.gif
C:\WINDOWS\system32\tpcwdoia\soft1_off.gif
C:\WINDOWS\system32\tpcwdoia\soft1_off_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft1_on.gif
C:\WINDOWS\system32\tpcwdoia\soft1_on_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft2_off.gif
C:\WINDOWS\system32\tpcwdoia\soft2_off_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft2_on.gif
C:\WINDOWS\system32\tpcwdoia\soft2_on_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft3_off.gif
C:\WINDOWS\system32\tpcwdoia\soft3_off_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft3_on.gif
C:\WINDOWS\system32\tpcwdoia\soft3_on_ext.gif
C:\WINDOWS\system32\tpcwdoia\softbottom_off.gif
C:\WINDOWS\system32\tpcwdoia\softbottom_on.gif
C:\WINDOWS\system32\tpcwdoia\softleft_off.gif
C:\WINDOWS\system32\tpcwdoia\softleft_on.gif
C:\WINDOWS\system32\tpcwdoia\top1.gif
C:\WINDOWS\system32\tpcwdoia\top2.gif
C:\WINDOWS\system32\tpcwdoia\tpcwdoia1.exe
C:\WINDOWS\system32\tpcwdoia\tpcwdoia2.exe
C:\WINDOWS\system32\tpcwdoia\tpcwdoia3.exe
C:\WINDOWS\system32\tpcwdoia\turnoff1.gif
C:\WINDOWS\system32\tpcwdoia\turnon1.gif
C:\WINDOWS\SYSTEM32\tstwa.ini
C:\WINDOWS\SYSTEM32\tstwa.ini2
C:\WINDOWS\SYSTEM32\vvvwa.bak1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NWSAPAGENT
-------\nm
-------\NwSapAgent
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.
2007-11-28 05:54 41,472 --a------ C:\WINDOWS\SYSTEM32\e404d.dll
2007-11-28 05:54 114 --a------ C:\tempdel.bat
2007-11-28 04:12 <DIR> d-------- C:\VundoFix Backups
2007-11-28 04:04 <DIR> d-------- C:\Program Files\Kkukvvmp
2007-11-28 04:04 <DIR> d-------- C:\Program Files\dahwdchc
2007-11-28 04:04 102,912 --a------ C:\WINDOWS\SYSTEM32\drvxic.dll
2007-11-28 04:04 34,304 --a------ C:\WINDOWS\SYSTEM32\ssqrqop.dll
2007-11-28 02:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-28 00:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-28 00:09 <DIR> d-------- C:\Program Files\Pezztwic
2007-11-28 00:08 102,912 --a------ C:\WINDOWS\SYSTEM32\drvnik.dll
2007-11-28 00:07 34,304 --a------ C:\WINDOWS\SYSTEM32\rqrpnml.dll
2007-11-27 23:04 <DIR> d-------- C:\Program Files\Wmaxbell
2007-11-27 23:04 <DIR> d-------- C:\Program Files\tmnglqvm
2007-11-27 23:04 102,912 --a------ C:\WINDOWS\SYSTEM32\drvtos.dll
2007-11-27 23:04 34,304 --a------ C:\WINDOWS\SYSTEM32\vtustur.dll
2007-11-26 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 17:07 9,728 --------- C:\Program Files\xloader10181.exe
2007-11-23 15:59 <DIR> d-------- C:\Program Files\E404 Helper
2007-11-23 15:59 10,240 --a------ C:\Program Files\spoolsv.exe
2007-11-22 18:07 <DIR> d-------- C:\Program Files\iPod
2007-11-22 18:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-17 04:45 104,448 --a------ C:\WINDOWS\SYSTEM32\drvduh.dll
2007-11-17 01:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-16 20:40 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\AVG7
2007-11-16 20:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-16 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-16 18:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 18:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 16:01 414 --ahs---- C:\WINDOWS\SYSTEM32\ucgtfqka.ini
2007-11-16 14:41 <DIR> d-------- C:\Documents and Settings\JIDONG\Application Data\Sunbelt Software
2007-11-15 22:20 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-11-15 22:20 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-11-14 23:43 65,536 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2007-11-14 23:43 49,152 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2007-11-14 20:45 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\Moonlight
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\fwoz
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-14 20:39 <DIR> d-------- C:\Program Files\Adobe CS3
2007-11-14 17:19 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Sunbelt Software
2007-11-14 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-14 16:25 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\WinPatrol
2007-11-14 02:47 <DIR> d-------- C:\Program Files\QuickTime
2007-11-13 23:43 <DIR> d-------- C:\HJT
2007-11-13 23:14 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\.jpi_cache
2007-11-13 23:14 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\.java
2007-11-13 23:08 23,040 --a------ C:\WINDOWS\SYSTEM32\winwim32.dll
2007-11-13 21:34 <DIR> d-------- C:\Program Files\PowerISO
2007-11-13 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-13 20:16 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-13 02:00 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Jasc
2007-11-13 01:21 <DIR> d-------- C:\Program Files\YouTube Downloader
2007-11-09 00:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-08 18:42 <DIR> d-------- C:\WINDOWS\AiOTemp
2007-11-08 18:42 38,912 --a------ C:\WINDOWS\SYSTEM32\hh.exe
2007-11-08 18:42 22,139 --a------ C:\WINDOWS\SYSTEM32\hpocoi08.dll
2007-11-01 21:47 <DIR> d-------- C:\Program Files\ImTOO
2007-11-01 01:16 4 --a------ C:\WINDOWS\SYSTEM32\micr0st.dll
2007-10-31 23:32 41,476 --a------ C:\WINDOWS\SYSTEM32\OggDSuninst.exe
2007-10-31 23:32 28,160 --a------ C:\WINDOWS\SYSTEM32\tuscaenc.dll
2007-10-31 21:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 21:21 <DIR> d-------- C:\Program Files\XviD
2007-10-31 21:21 4,455 --a------ C:\WINDOWS\SYSTEM\Winaspi.dll
2007-10-31 21:19 <DIR> d-------- C:\Temp
2007-10-31 21:11 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\dvdcss
2007-10-31 21:09 45,056 --a------ C:\WINDOWS\SYSTEM32\WNASPI32.DLL
2007-10-31 20:59 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\CyberLink
2007-10-31 20:52 2,048 --a------ C:\WINDOWS\SYSTEM32\Tr_sttool.dat
2007-10-29 17:00 106,496 --a------ C:\WINDOWS\fileutil.dll
2007-10-29 16:26 1,294,336 --a------ C:\WINDOWS\SYSTEM32\vorbis.acm
2007-10-29 16:23 <DIR> d-------- C:\Program Files\Image-Line
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 05:39 --------- d-----w C:\Program Files\Java
2007-11-28 03:42 --------- d-----w C:\Program Files\Soulseek
2007-11-22 18:07 --------- d-----w C:\Program Files\iTunes
2007-11-17 01:54 --------- d-----w C:\Program Files\Jasc Software Inc
2007-11-16 21:41 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-16 14:45 --------- d-----w C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Azureus
2007-11-15 22:07 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-14 20:53 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-14 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 22:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-13 20:19 --------- d-----w C:\Program Files\DivX
2007-11-12 02:28 --------- d-----w C:\Program Files\SecondLife
2007-10-31 10:59 135,168 ----a-w C:\WINDOWS\SYSTEM32\SSup.dll
2007-10-26 13:48 --------- d-----w C:\Program Files\Azureus
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-24 00:55 --------- d-----w C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\gtk-2.0
2007-10-22 18:01 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2007-10-22 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\MAGIX
2007-09-29 02:43 823,296 ----a-w C:\WINDOWS\SYSTEM32\ppsynthesis.dll
2007-09-20 10:27 97,280 ----a-w C:\WINDOWS\SYSTEM32\ff_realaac.dll
2007-09-20 10:27 79,872 ----a-w C:\WINDOWS\SYSTEM32\ff_tremor.dll
2007-09-20 10:27 741,376 ----a-w C:\WINDOWS\SYSTEM32\audxlib.dll
2007-09-20 10:27 7,680 ----a-w C:\WINDOWS\SYSTEM32\ff_vfw.dll
2007-09-20 10:27 662,016 ----a-w C:\WINDOWS\SYSTEM32\xvidcore.dll
2007-09-20 10:27 511,488 ----a-w C:\WINDOWS\SYSTEM32\ff_x264.dll
2007-09-20 10:27 405,504 ----a-w C:\WINDOWS\SYSTEM32\libmplayer.dll
2007-09-20 10:27 40,960 ----a-w C:\WINDOWS\SYSTEM32\ff_liba52.dll
2007-09-20 10:27 38,400 ----a-w C:\WINDOWS\SYSTEM32\ff_unrar.dll
2007-09-20 10:27 3,190,784 ----a-w C:\WINDOWS\SYSTEM32\libavcodec.dll
2007-09-20 10:27 26,624 ----a-w C:\WINDOWS\SYSTEM32\ff_wmv9.dll
2007-09-20 10:27 245,760 ----a-w C:\WINDOWS\SYSTEM32\ff_libfaad2.dll
2007-09-20 10:27 221,184 ----a-w C:\WINDOWS\SYSTEM32\ff_kernelDeint.dll
2007-09-20 10:27 200,704 ----a-w C:\WINDOWS\SYSTEM32\TomsMoComp_ff.dll
2007-09-20 10:27 155,648 ----a-w C:\WINDOWS\SYSTEM32\ff_libdts.dll
2007-09-20 10:27 143,360 ----a-w C:\WINDOWS\SYSTEM32\ff_theora.dll
2007-09-20 10:27 122,880 ----a-w C:\WINDOWS\SYSTEM32\ff_samplerate.dll
2007-09-20 10:27 118,784 ----a-w C:\WINDOWS\SYSTEM32\ff_libmad.dll
2007-09-20 10:27 114,688 ----a-w C:\WINDOWS\SYSTEM32\libmpeg2_ff.dll
2004-08-15 16:19 0 -c-ha-w C:\Documents and Settings\JIDONG\hpothb07.dat
2004-03-31 01:52 32 --sha-w C:\WINDOWS\{176E6386-0B99-4165-A279-0109931090A8}.dat
2005-07-29 16:24 472 --sha-r C:\WINDOWS\SklET05H\m45HnXcJ.vbs
2004-03-31 01:52 32 --sha-w C:\WINDOWS\SYSTEM32\{C9D9E9F8-BF97-4E04-928F-A9D0E342DE29}.dat
.
straightjacket
2007-11-28, 18:52
Part 2 of Combofix log:
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}]
2007-11-27 23:04 34304 --a------ C:\WINDOWS\system32\vtustur.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-16 20:39]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}"= C:\WINDOWS\system32\vtustur.dll [2007-11-27 23:04 34304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {564c690e-cc6b-4aca-923d-3c13a27c5232} - e404d.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustur]
vtustur.dll 2007-11-27 23:04 34304 C:\WINDOWS\SYSTEM32\vtustur.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\awtst.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin 802.11g Wireless Card Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin 802.11g Wireless Card Utility.lnk
backup=C:\WINDOWS\pss\Belkin 802.11g Wireless Card Utility.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win367.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgpkvsxu]
rundll32.exe C:\Program Files\wbcbwlwb\wdmjcvwb.dll,Init
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2003-12-02 15:11 54296 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
2003-12-02 15:11 58392 --a------ C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\PROGRA~1\DAP\DAP.EXE /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DRam prosessor]
rBot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 09:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e48e70c5]
rundll32.exe C:\WINDOWS\system32\akqftgcu.dll,b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2002-08-29 04:00 44032 --a------ C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdebydqr]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\kdebydqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
C:\WINDOWS\RACLE~1\msiexec.exe -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-05-02 16:15 610304 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-05-02 16:21 110592 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tmnglqvm]
rundll32.exe C:\Program Files\tmnglqvm\rglmjwtm.dll,Init
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"cmdService"=2 (0x2)
"SymWSC"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS
S3 npkycryp;npkycryp;\??\C:\Program Files\Tencent\QQ\npkycryp.sys
S3 PIXMC10;JVC Communication PIX-MC10 Driver;C:\WINDOWS\system32\Drivers\pixmc10c.sys
S3 PIXMC10A;JVC PIX-MC10 Audio Capture;C:\WINDOWS\system32\Drivers\pixmc10a.sys
S3 PIXMC10V;JVC PIX-MC10 Video Capture;C:\WINDOWS\system32\Drivers\pixmc10v.sys
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 17:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-07-27 20:45:26 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1080931666.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-11-23 20:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-28 02:59:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 16:37:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-11-28 16:41:36 - machine was rebooted
.
--- E O F ---
Let me tell ya, this is one heavily infected computer, its a wonder it even starts up. After we get you all cleaned up your going to have to re examine your surfing habits or your going to get whacked again and again and again.
Open Hijackthis to Scan Only, close all open windows including this one , place a checkmark in the following entries and click on Fix Checked.
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\vtustur.dll
O20 - Winlogon Notify: vtustur - C:\WINDOWS\SYSTEM32\vtustur.dll
O21 - SSODL: E404Helper - {564c690e-cc6b-4aca-923d-3c13a27c5232} - e404d.dll (file missing)
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\WINDOWS\SYSTEM32\e404d.dll
C:\tempdel.bat
C:\WINDOWS\SYSTEM32\drvxic.dll
C:\WINDOWS\SYSTEM32\ssqrqop.dll
C:\WINDOWS\SYSTEM32\drvnik.dll
C:\WINDOWS\SYSTEM32\rqrpnml.dll
C:\WINDOWS\SYSTEM32\drvtos.dll
C:\WINDOWS\SYSTEM32\vtustur.dll
C:\WINDOWS\SYSTEM32\drvduh.dll
C:\WINDOWS\SYSTEM32\ucgtfqka.ini
C:\WINDOWS\SYSTEM32\winwim32.dll
C:\WINDOWS\fileutil.dll
Folder::
C:\VundoFix Backups
C:\Program Files\Kkukvvmp
C:\Program Files\dahwdchc
C:\Program Files\Pezztwic
C:\Program Files\Wmaxbell
C:\Program Files\tmnglqvm
C:\Program Files\E404 Helper
C:\Program Files\spoolsv.exe
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Post the new Combofix log, the SAS log and a New HJT log please
straightjacket
2007-11-28, 22:21
Combofix log:
ComboFix 07-11-19.4C - kathie 2007-11-28 18:21:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.252 [GMT 0:00]Running from: C:\Documents and Settings\kathie.ATCM-JIDONG\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kathie.ATCM-JIDONG\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\tempdel.bat
C:\WINDOWS\fileutil.dll
C:\WINDOWS\SYSTEM32\drvduh.dll
C:\WINDOWS\SYSTEM32\drvnik.dll
C:\WINDOWS\SYSTEM32\drvtos.dll
C:\WINDOWS\SYSTEM32\drvxic.dll
C:\WINDOWS\SYSTEM32\e404d.dll
C:\WINDOWS\SYSTEM32\rqrpnml.dll
C:\WINDOWS\SYSTEM32\ssqrqop.dll
C:\WINDOWS\SYSTEM32\ucgtfqka.ini
C:\WINDOWS\SYSTEM32\vtustur.dll
C:\WINDOWS\SYSTEM32\winwim32.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\dahwdchc
C:\Program Files\dahwdchc\hanmdivq.dll
C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v6.dll
C:\Program Files\Kkukvvmp
C:\Program Files\Pezztwic
C:\Program Files\Pezztwic\kgqixpfy.dll
C:\Program Files\spoolsv.exe\
C:\Program Files\tmnglqvm
C:\Program Files\tmnglqvm\rglmjwtm.dll
C:\Program Files\Wmaxbell
C:\Program Files\Wmaxbell\oorkryjv.dll
C:\tempdel.bat
C:\VundoFix Backups
C:\VundoFix Backups\__c0034FA4.dat.bad
C:\VundoFix Backups\drvduhr.dll.bad
C:\VundoFix Backups\drvnikr.dll.bad
C:\VundoFix Backups\drvtosr.dll.bad
C:\VundoFix Backups\drvxicr.dll.bad
C:\VundoFix Backups\kguhcilp.dllbox.bad
C:\VundoFix Backups\knphvqdm.dllbox.bad
C:\VundoFix Backups\pejxijcc.dllbox.bad
C:\WINDOWS\fileutil.dll
C:\WINDOWS\SYSTEM32\drvduh.dll
C:\WINDOWS\SYSTEM32\drvnik.dll
C:\WINDOWS\SYSTEM32\drvtos.dll
C:\WINDOWS\SYSTEM32\drvxic.dll
C:\WINDOWS\SYSTEM32\e404d.dll
C:\WINDOWS\SYSTEM32\rqrpnml.dll
C:\WINDOWS\SYSTEM32\ssqrqop.dll
C:\WINDOWS\SYSTEM32\ucgtfqka.ini
C:\WINDOWS\SYSTEM32\vtustur.dll
C:\WINDOWS\SYSTEM32\winwim32.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.
2007-11-28 02:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 17:07 9,728 --------- C:\Program Files\xloader10181.exe
2007-11-23 15:59 10,240 --a------ C:\Program Files\spoolsv.exe
2007-11-22 18:07 <DIR> d-------- C:\Program Files\iPod
2007-11-22 18:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-17 01:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-16 20:40 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\AVG7
2007-11-16 20:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-16 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-16 18:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 18:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 14:41 <DIR> d-------- C:\Documents and Settings\JIDONG\Application Data\Sunbelt Software
2007-11-15 22:20 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-11-15 22:20 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-11-14 23:43 65,536 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2007-11-14 23:43 49,152 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2007-11-14 20:45 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\Moonlight
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\fwoz
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-14 20:39 <DIR> d-------- C:\Program Files\Adobe CS3
2007-11-14 17:19 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Sunbelt Software
2007-11-14 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-14 16:25 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\WinPatrol
2007-11-14 02:47 <DIR> d-------- C:\Program Files\QuickTime
2007-11-13 23:43 <DIR> d-------- C:\HJT
2007-11-13 23:14 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\.jpi_cache
2007-11-13 23:14 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\.java
2007-11-13 21:34 <DIR> d-------- C:\Program Files\PowerISO
2007-11-13 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-13 20:16 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-13 02:00 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Jasc
2007-11-13 01:21 <DIR> d-------- C:\Program Files\YouTube Downloader
2007-11-09 00:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-08 18:42 <DIR> d-------- C:\WINDOWS\AiOTemp
2007-11-08 18:42 38,912 --a------ C:\WINDOWS\SYSTEM32\hh.exe
2007-11-08 18:42 22,139 --a------ C:\WINDOWS\SYSTEM32\hpocoi08.dll
2007-11-01 21:47 <DIR> d-------- C:\Program Files\ImTOO
2007-11-01 01:16 4 --a------ C:\WINDOWS\SYSTEM32\micr0st.dll
2007-10-31 23:32 41,476 --a------ C:\WINDOWS\SYSTEM32\OggDSuninst.exe
2007-10-31 21:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 21:21 <DIR> d-------- C:\Program Files\XviD
2007-10-31 21:19 <DIR> d-------- C:\Temp
2007-10-31 21:11 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\dvdcss
2007-10-31 20:59 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\CyberLink
2007-10-29 16:23 <DIR> d-------- C:\Program Files\Image-Line
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 05:39 --------- d-----w C:\Program Files\Java
2007-11-28 03:42 --------- d-----w C:\Program Files\Soulseek
2007-11-22 18:07 --------- d-----w C:\Program Files\iTunes
2007-11-17 01:54 --------- d-----w C:\Program Files\Jasc Software Inc
2007-11-16 21:41 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-16 14:45 --------- d-----w C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Azureus
2007-11-15 22:07 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-14 20:53 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-14 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 22:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-13 20:19 --------- d-----w C:\Program Files\DivX
2007-11-12 02:28 --------- d-----w C:\Program Files\SecondLife
2007-10-26 13:48 --------- d-----w C:\Program Files\Azureus
2007-10-24 00:55 --------- d-----w C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\gtk-2.0
2007-10-22 18:01 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2007-10-22 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\MAGIX
2004-08-15 16:19 0 -c-ha-w C:\Documents and Settings\JIDONG\hpothb07.dat
2004-03-31 01:52 32 --sha-w C:\WINDOWS\{176E6386-0B99-4165-A279-0109931090A8}.dat
2005-07-29 16:24 472 --sha-r C:\WINDOWS\SklET05H\m45HnXcJ.vbs
2004-03-31 01:52 32 --sha-w C:\WINDOWS\SYSTEM32\{C9D9E9F8-BF97-4E04-928F-A9D0E342DE29}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-16 20:39]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustur]
vtustur.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin 802.11g Wireless Card Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin 802.11g Wireless Card Utility.lnk
backup=C:\WINDOWS\pss\Belkin 802.11g Wireless Card Utility.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win367.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgpkvsxu]
rundll32.exe C:\Program Files\wbcbwlwb\wdmjcvwb.dll,Init
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2003-12-02 15:11 54296 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
2003-12-02 15:11 58392 --a------ C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\PROGRA~1\DAP\DAP.EXE /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DRam prosessor]
rBot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 09:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e48e70c5]
rundll32.exe C:\WINDOWS\system32\akqftgcu.dll,b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2002-08-29 04:00 44032 --a------ C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdebydqr]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\kdebydqr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
C:\WINDOWS\RACLE~1\msiexec.exe -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-05-02 16:15 610304 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-05-02 16:21 110592 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tmnglqvm]
rundll32.exe C:\Program Files\tmnglqvm\rglmjwtm.dll,Init
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"cmdService"=2 (0x2)
"SymWSC"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS
S3 npkycryp;npkycryp;\??\C:\Program Files\Tencent\QQ\npkycryp.sys
S3 PIXMC10;JVC Communication PIX-MC10 Driver;C:\WINDOWS\system32\Drivers\pixmc10c.sys
S3 PIXMC10A;JVC PIX-MC10 Audio Capture;C:\WINDOWS\system32\Drivers\pixmc10a.sys
S3 PIXMC10V;JVC PIX-MC10 Video Capture;C:\WINDOWS\system32\Drivers\pixmc10v.sys
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 17:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-07-27 20:45:26 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1080931666.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-11-23 20:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-28 02:59:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 18:32:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-11-28 18:34:53 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-28 16:41
.
--- E O F ---
straightjacket
2007-11-28, 22:22
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/28/2007 at 08:02 PM
Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type : Complete Scan
Total Scan Time : 01:24:36
Memory items scanned : 338
Memory threats detected : 0
Registry items scanned : 5938
Registry threats detected : 5
File items scanned : 51116
File threats detected : 38
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{669751ED-D558-49AE-B01A-3B374CC7910E}
HKCR\CLSID\{669751ED-D558-49AE-B01A-3B374CC7910E}
HKCR\CLSID\{669751ED-D558-49AE-B01A-3B374CC7910E}
HKCR\CLSID\{669751ED-D558-49AE-B01A-3B374CC7910E}\InprocServer32
HKCR\CLSID\{669751ED-D558-49AE-B01A-3B374CC7910E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSUP.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP346\A0118639.EXE
Trojan.Downloader-NoName
C:\PROGRAM FILES\SPOOLSV.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP363\A0138414.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP364\A0140449.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP366\A0141600.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP367\A0141758.EXE
C:\WINDOWS\Prefetch\SPOOLSV.EXE-295F420E.pf
Malware.Ultimate Defender
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\UCLEANER_SETUP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FIBAGBIA\FIBAGBIA1.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FIBAGBIA\FIBAGBIA2.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FIBAGBIA\FIBAGBIA3.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TPCWDOIA\TPCWDOIA1.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TPCWDOIA\TPCWDOIA2.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TPCWDOIA\TPCWDOIA3.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP345\A0115493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP345\A0115494.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP345\A0115495.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP354\A0122373.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP359\A0122845.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP367\A0141760.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142764.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142765.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142766.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142767.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142768.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142769.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142775.EXE
Trojan.Downloader-Gen/AVP
C:\QOOBOX\QUARANTINE\C\WINDOWS\AVP.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP367\A0142743.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0142777.EXE
Spyware.Melkosoft (CoolWebSearch Variant)
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\E404D.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP369\A0142838.DLL
Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP345\A0115491.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP350\A0120793.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP366\A0140536.VBS
C:\WINDOWS\SKLET05H\M45HNXCJ.VBS
Trojan.Downloader-CREW
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP354\A0122380.DLL
straightjacket
2007-11-28, 22:24
Let me tell ya, this is one heavily infected computer, its a wonder it even starts up. After we get you all cleaned up your going to have to re examine your surfing habits or your going to get whacked again and again and again.
Yes I know, unfortunately I am the fourth user to receive this quite neglected family laptop so am trying to start afresh.
This is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:19:52, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195224915548
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 5985 bytes
We have a lot more to do, first run the tool to get rid of the SDbot worm.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
straightjacket
2007-11-29, 03:19
Thanks for all your help so far!
SDFix log:
SDFix: Version 1.116
Run by kathie on 29/11/2007 at 00:52
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 01:04:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:39,20,86,72,a9,2a,c4,2c,b4,84,20,11,9f,ae,2d,12,d4,98,da,65,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:39,20,86,72,a9,2a,c4,2c,b4,84,20,11,9f,ae,2d,12,d4,98,da,65,8d,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
Sun 15 Aug 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 15 Aug 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Sun 3 Oct 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sun 3 Oct 2004 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sun 3 Oct 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Fri 27 Feb 2004 233,472 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP336\A0109149.dll"
Thu 15 Nov 2007 40,183 A.SH. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP354\A0121921.exe"
Sun 29 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 4 Apr 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 4 Apr 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Thu 5 Jul 2007 2,097,152 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP355\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP355\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 5 Jul 2007 2,097,152 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP356\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP356\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 5 Jul 2007 2,097,152 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP357\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP357\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP359\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP360\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP361\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP362\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP363\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP364\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP365\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP366\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP367\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP369\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Thu 25 Nov 2004 262,144 A..H. --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP370\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3178344922-3586573385-2529054937-1011.bak"
Tue 10 Jan 2006 27,648 A..H. --- "C:\Documents and Settings\JIDONG\My Documents\Key-backup\CSCM\~WRL2600.tmp"
Thu 25 Mar 2004 33,280 A..H. --- "C:\Documents and Settings\JIDONG\My Documents\Letter\Removable Disk (E)\05 TCM Exams\~WRL1297.tmp"
Tue 12 Dec 2000 23,040 A..H. --- "C:\Documents and Settings\JIDONG\My Documents\Letter\Removable Disk (E)\USB Drive BACKUP\My Documents\~WRL0001.tmp"
Sat 16 Sep 2000 19,968 A..H. --- "C:\Documents and Settings\JIDONG\My Documents\Letter\Removable Disk (E)\USB Drive BACKUP\My Documents\~WRL0003.tmp"
Finished!
and the follow HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:16:59, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195224915548
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 6018 bytes
Super Anti Spyware may have removed some of those files.
We need to make sure all hidden files are showing :
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Once your system is clean, we suggest that you reverse this to keep critical windows files from accidently being deleted.
Back up your registry with this program.
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\Program Files\spoolsv.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\akqftgcu.dll
C:\WINDOWS\system32\awtst.dll
C:\Documents and Settings\All Users\Application Data\kdebydqr.dll
Folder::
C:\Program Files\wbcbwlwb
C:\Program Files\tmnglqvm
C:\Program Files\SecCenter
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustur]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgpkvsxu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DRam prosessor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e48e70c5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdebydqr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tmnglqvm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
See if you can use the windows search , find these files and delete them.
mgrs.exe
rBot.exe
C:\Program Files\TENCENT <-- What can you tell me about this program?
Let me see the Combofix log and a New HJT log please
straightjacket
2007-11-29, 14:54
See if you can use the windows search , find these files and delete them.
mgrs.exe
rBot.exe
I was unable to find those files using Windows search unfortunately.
C:\Program Files\TENCENT <-- What can you tell me about this program?
Tencent (http://en.wikipedia.org/wiki/QQ) is a program similar to MSN Messenger which I have already tried to uninstall many many times but to no avail.
COMBOFIX LOG:
ComboFix 07-11-19.4C - kathie 2007-11-29 12:33:16.3 - NTFSx86
Running from: C:\Documents and Settings\kathie.ATCM-JIDONG\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kathie.ATCM-JIDONG\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\All Users\Application Data\kdebydqr.dll
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\akqftgcu.dll
C:\WINDOWS\system32\awtst.dll
C:\Windows\xpupdate.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-29 00:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-28 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-28 18:36 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\SUPERAntiSpyware.com
2007-11-28 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-28 02:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-28 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 17:07 9,728 --------- C:\Program Files\xloader10181.exe
2007-11-22 18:07 <DIR> d-------- C:\Program Files\iPod
2007-11-22 18:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-17 01:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-16 20:40 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\AVG7
2007-11-16 20:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-16 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-16 18:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 18:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 14:41 <DIR> d-------- C:\Documents and Settings\JIDONG\Application Data\Sunbelt Software
2007-11-15 22:20 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-11-15 22:20 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-11-14 23:43 65,536 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2007-11-14 23:43 49,152 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2007-11-14 20:45 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\Moonlight
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\fwoz
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-11-14 20:39 <DIR> d-------- C:\Program Files\Adobe CS3
2007-11-14 17:19 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Sunbelt Software
2007-11-14 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-14 16:25 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\WinPatrol
2007-11-14 02:47 <DIR> d-------- C:\Program Files\QuickTime
2007-11-13 23:43 <DIR> d-------- C:\HJT
2007-11-13 23:14 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\.jpi_cache
2007-11-13 23:14 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\.java
2007-11-13 21:34 <DIR> d-------- C:\Program Files\PowerISO
2007-11-13 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-13 20:16 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-13 02:00 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Jasc
2007-11-13 01:21 <DIR> d-------- C:\Program Files\YouTube Downloader
2007-11-09 00:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-08 18:42 <DIR> d-------- C:\WINDOWS\AiOTemp
2007-11-08 18:42 38,912 --a------ C:\WINDOWS\SYSTEM32\hh.exe
2007-11-08 18:42 22,139 --a------ C:\WINDOWS\SYSTEM32\hpocoi08.dll
2007-11-01 21:47 <DIR> d-------- C:\Program Files\ImTOO
2007-11-01 01:16 4 --a------ C:\WINDOWS\SYSTEM32\micr0st.dll
2007-10-31 23:32 41,476 --a------ C:\WINDOWS\SYSTEM32\OggDSuninst.exe
2007-10-31 21:22 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 21:21 <DIR> d-------- C:\Program Files\XviD
2007-10-31 21:19 <DIR> d-------- C:\Temp
2007-10-31 21:11 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\dvdcss
2007-10-31 20:59 <DIR> d-------- C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\CyberLink
2007-10-29 16:23 <DIR> d-------- C:\Program Files\Image-Line
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 05:39 --------- d-----w C:\Program Files\Java
2007-11-28 03:42 --------- d-----w C:\Program Files\Soulseek
2007-11-22 18:07 --------- d-----w C:\Program Files\iTunes
2007-11-17 01:54 --------- d-----w C:\Program Files\Jasc Software Inc
2007-11-16 21:41 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-16 14:45 --------- d-----w C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\Azureus
2007-11-15 22:07 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-14 20:53 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-14 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 22:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-13 20:19 --------- d-----w C:\Program Files\DivX
2007-11-12 02:28 --------- d-----w C:\Program Files\SecondLife
2007-10-26 13:48 --------- d-----w C:\Program Files\Azureus
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-24 00:55 --------- d-----w C:\Documents and Settings\kathie.ATCM-JIDONG\Application Data\gtk-2.0
2007-10-22 18:01 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2007-10-22 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\MAGIX
2007-09-29 02:43 823,296 ----a-w C:\WINDOWS\SYSTEM32\ppsynthesis.dll
2007-09-20 10:27 97,280 ----a-w C:\WINDOWS\SYSTEM32\ff_realaac.dll
2007-09-20 10:27 79,872 ----a-w C:\WINDOWS\SYSTEM32\ff_tremor.dll
2007-09-20 10:27 741,376 ----a-w C:\WINDOWS\SYSTEM32\audxlib.dll
2007-09-20 10:27 7,680 ----a-w C:\WINDOWS\SYSTEM32\ff_vfw.dll
2007-09-20 10:27 662,016 ----a-w C:\WINDOWS\SYSTEM32\xvidcore.dll
2007-09-20 10:27 511,488 ----a-w C:\WINDOWS\SYSTEM32\ff_x264.dll
2007-09-20 10:27 405,504 ----a-w C:\WINDOWS\SYSTEM32\libmplayer.dll
2007-09-20 10:27 40,960 ----a-w C:\WINDOWS\SYSTEM32\ff_liba52.dll
2007-09-20 10:27 38,400 ----a-w C:\WINDOWS\SYSTEM32\ff_unrar.dll
2007-09-20 10:27 3,190,784 ----a-w C:\WINDOWS\SYSTEM32\libavcodec.dll
2007-09-20 10:27 26,624 ----a-w C:\WINDOWS\SYSTEM32\ff_wmv9.dll
2007-09-20 10:27 245,760 ----a-w C:\WINDOWS\SYSTEM32\ff_libfaad2.dll
2007-09-20 10:27 221,184 ----a-w C:\WINDOWS\SYSTEM32\ff_kernelDeint.dll
2007-09-20 10:27 200,704 ----a-w C:\WINDOWS\SYSTEM32\TomsMoComp_ff.dll
2007-09-20 10:27 155,648 ----a-w C:\WINDOWS\SYSTEM32\ff_libdts.dll
2007-09-20 10:27 143,360 ----a-w C:\WINDOWS\SYSTEM32\ff_theora.dll
2007-09-20 10:27 122,880 ----a-w C:\WINDOWS\SYSTEM32\ff_samplerate.dll
2007-09-20 10:27 118,784 ----a-w C:\WINDOWS\SYSTEM32\ff_libmad.dll
2007-09-20 10:27 114,688 ----a-w C:\WINDOWS\SYSTEM32\libmpeg2_ff.dll
2004-08-15 16:19 0 -c-ha-w C:\Documents and Settings\JIDONG\hpothb07.dat
2004-03-31 01:52 32 --sha-w C:\WINDOWS\{176E6386-0B99-4165-A279-0109931090A8}.dat
2004-03-31 01:52 32 --sha-w C:\WINDOWS\SYSTEM32\{C9D9E9F8-BF97-4E04-928F-A9D0E342DE29}.dat
.
((((((((((((((((((((((((((((( snapshot@2007-11-28_16.38.55.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 18:53:00 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-29 00:50:55 3,911,680 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-29 00:50:55 118,784 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-28 18:53:00 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-29 00:50:32 3,911,680 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-29 00:50:32 118,784 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-11-28 18:36:40 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-28 18:36:40 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-28 18:36:40 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-16 20:39]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin 802.11g Wireless Card Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin 802.11g Wireless Card Utility.lnk
backup=C:\WINDOWS\pss\Belkin 802.11g Wireless Card Utility.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win367.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2003-12-02 15:11 54296 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
2003-12-02 15:11 58392 --a------ C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\PROGRA~1\DAP\DAP.EXE /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 09:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2002-08-29 04:00 44032 --a------ C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
C:\WINDOWS\RACLE~1\msiexec.exe -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-05-02 16:15 610304 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-05-02 16:21 110592 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"cmdService"=2 (0x2)
"SymWSC"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS
S3 npkycryp;npkycryp;\??\C:\Program Files\Tencent\QQ\npkycryp.sys
S3 PIXMC10;JVC Communication PIX-MC10 Driver;C:\WINDOWS\system32\Drivers\pixmc10c.sys
S3 PIXMC10A;JVC PIX-MC10 Audio Capture;C:\WINDOWS\system32\Drivers\pixmc10a.sys
S3 PIXMC10V;JVC PIX-MC10 Video Capture;C:\WINDOWS\system32\Drivers\pixmc10v.sys
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 17:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-07-27 20:45:26 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1080931666.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-11-23 20:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-28 18:59:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 12:38:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-11-29 12:40:31
C:\ComboFix2.txt ... 2007-11-28 18:34
.
--- E O F ---
straightjacket
2007-11-29, 14:54
HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:32, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195224915548
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 6018 bytes
Once again, thanks for all your help!
Hello,
Once again, thanks for all your help!Your very welcome :bigthumb:
C:\Program Files\TENCENT <-- Go to your Add Remove Programs in the Control Panel and see if its listed and try to uninstall it.
If no luck, you can pop it into Combofix.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
Folder::
C:\Program Files\TENCENT
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Run this system cleaner.
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Your log looks great :bigthumb: How is everything running now????
straightjacket
2007-11-30, 02:36
Your log looks great :bigthumb: How is everything running now????
Perfect! Faster than ever before, I cannot thank you enough.
Just wondering now about staying safe, which antivirus software would you recommend? Previously I had downloaded AVG but I found it rather clunky and irritating so had it disabled more often than running. I have just downloaded avast! which seems to be doing the job quite well and inconspicuously. Also what sort of scanning routine would you recommend in terms of frequency and kind e.g. daily/weekly... Temp folders/Harddrive etc.
Glad things are running well:bigthumb: Here are links to tips for staying safe and also links to free tools to install to help keep you more secure.
As far as the scans, you can run them once a week or so, you don't have to get fanatical about it but do run them often, always check for updates first.
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Catagory View to be able to Create a New Restore Point
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken