background downloads



Vance
2006-10-24, 13:41
Hi everyone, I was after some help.

See, my computer has been getting a lot of popups lately, on top of constantly using up my bandwidth. I don't know whether it's spyware downloading in the background or not, but it's causing the internet to run at unbearably low speeds, with popups on almost every page.

If you guys could help, that would be much appreciated. Below is the HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 9:31:37 PM, on 24/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXPSP2\System32\smss.exe
C:\WINXPSP2\SYSTEM32\WINLOGON.EXE
C:\WINXPSP2\system32\services.exe
C:\WINXPSP2\system32\lsass.exe
C:\WINXPSP2\system32\Ati2evxx.exe
C:\WINXPSP2\system32\svchost.exe
C:\WINXPSP2\SYSTEM32\SVCHOST.EXE
C:\WINXPSP2\SYSTEM32\RUNDLL32.EXE
C:\WINXPSP2\SYSTEM32\SPOOLSV.EXE
C:\WINXPSP2\Explorer.EXE
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINXPSP2\system32\ctfmon.exe
I:\Spybot\TeaTimer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINXPSP2\system32\devldr32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINXPSP2\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"-ԁO;hw!hw 8-w?w)ǀ:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Spybot\TeaTimer.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8475757-B435-415A-8204-D158C291BCA7}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CSCSettings - C:\WINXPSP2\system32\h62o0gf3e62.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXPSP2\system32\Ati2evxx.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Thanks in advance for any help.
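
A small triage script for HijackThis logs like the one above, added here as an example and not part of the thread or of HijackThis itself. It parses the `Oxx - ...` entry lines, flags any entry whose target file is reported missing (an orphaned hook), and flags O20 Winlogon Notify DLLs whose names switch between letters and digits the way the `h62o0gf3e62.dll` entry does. The letter/digit heuristic and its thresholds are my own simplification, not a HijackThis rule; the sample input is a handful of lines copied from the posted log.

```python
"""Triage helpers for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)",
    r"O20 - AppInit_DLLs:",
    r"O20 - Winlogon Notify: CSCSettings - C:\WINXPSP2\system32\h62o0gf3e62.dll",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXPSP2\system32\Ati2evxx.exe",
]

# "O20 - <body>", "R0 - <body>", etc.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Body of an O20 Winlogon Notify entry: "<registry key> - <dll path>[ (file missing)]"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    section: str
    subject: str
    reason: str


def class_transitions(stem: str) -> int:
    """Count letter<->digit switches in a file-name stem (heuristic, my assumption):
    machine-generated names such as h62o0gf3e62 switch class almost every character."""
    classes = ["d" if c.isdigit() else "a" if c.isalpha() else "x" for c in stem]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b and "x" not in (a, b))


def looks_random(path: str, min_len: int = 8, min_switches: int = 3) -> bool:
    """True when the file-name stem is long and alternates letters/digits often."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= min_len and class_transitions(stem) >= min_switches


def triage_hjt(lines):
    """Return a list of Finding for entries worth a closer look."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                if n.group("missing"):
                    findings.append(Finding(section, n.group("key"),
                                            "Winlogon Notify entry whose DLL is missing (orphaned hook)"))
                elif looks_random(n.group("path")):
                    findings.append(Finding(section, n.group("key"),
                                            "Winlogon Notify DLL with a random-looking name"))
                continue
        if body.endswith("(file missing)"):
            findings.append(Finding(section, body.split(" - ", 1)[0],
                                    "entry points to a file that no longer exists"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{f.section:<4} {f.subject:<30} {f.reason}")
```

Run against the sample it reports the orphaned PartyPoker button, the `CSCSettings` notify DLL and the missing `WRLogonNTF.dll`, and leaves the legitimate `Ati2evxx.exe` service alone; the name heuristic is deliberately applied only to O20 entries, where a DLL is loaded into winlogon at every logon and a legitimate vendor name is expected.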

Shaba
2006-10-24, 16:52
Hi Vance

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Send:

- a fresh HijackThis log
- combofix report

Vance
2006-10-25, 08:10
Thanks for replying Shaba, here are the files as requested:


Jim - 06-10-25 15:53:49.79 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{A5B6842E-FB77-4AD9-A8EA-D5285B46AAD6}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A5B6842E-FB77-4AD9-A8EA-D5285B46AAD6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{A5B6842E-FB77-4AD9-A8EA-D5285B46AAD6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A5B6842E-FB77-4AD9-A8EA-D5285B46AAD6}\InprocServer32]
@="C:\\WINXPSP2\\system32\\axfsipc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{5977DB74-0E01-46E0-893B-23B21EEC92B0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5977DB74-0E01-46E0-893B-23B21EEC92B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{5977DB74-0E01-46E0-893B-23B21EEC92B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5977DB74-0E01-46E0-893B-23B21EEC92B0}\InprocServer32]
@="C:\\WINXPSP2\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINXPSP2\system32\aaioglxx.dll
C:\WINXPSP2\system32\abphelp.dll
C:\WINXPSP2\system32\aci3d1ag.dll
C:\WINXPSP2\system32\aea20gfoe62c0.dll
C:\WINXPSP2\system32\aea6lals1dq6.dll
C:\WINXPSP2\system32\aUioglxx.dll
C:\WINXPSP2\system32\axfsipc.dll
C:\WINXPSP2\system32\axicap32.dll
C:\WINXPSP2\system32\axsldp.dll
C:\WINXPSP2\system32\Aysldp.dll
C:\WINXPSP2\system32\aza20gfoe62c0.dll
C:\WINXPSP2\system32\aza6lals1dq6.dll
C:\WINXPSP2\system32\azaolij318o.dll
C:\WINXPSP2\system32\bRsesrv.dll
C:\WINXPSP2\system32\cBbinet.dll
C:\WINXPSP2\system32\ccrsrv.dll
C:\WINXPSP2\system32\cemcat.dll
C:\WINXPSP2\system32\chcfg32.dll
C:\WINXPSP2\system32\chcui.dll
C:\WINXPSP2\system32\chmrepl.dll
C:\WINXPSP2\system32\chyptdlg.dll
C:\WINXPSP2\system32\ckyptdll.dll
C:\WINXPSP2\system32\cnodm.dll
C:\WINXPSP2\system32\cPtsrvps.dll
C:\WINXPSP2\system32\cqwmdm.dll
C:\WINXPSP2\system32\csprops.dll
C:\WINXPSP2\system32\ctpbk32.dll
C:\WINXPSP2\system32\ctyptsvc.dll
C:\WINXPSP2\system32\cuyptnet.dll
C:\WINXPSP2\system32\cvc.dll
C:\WINXPSP2\system32\cvfview.dll
C:\WINXPSP2\system32\CwInst.dll
C:\WINXPSP2\system32\cymcat.dll
C:\WINXPSP2\system32\czmcat.dll
C:\WINXPSP2\system32\danaddr.dll
C:\WINXPSP2\system32\Dcdlgs.dll
C:\WINXPSP2\system32\DevX.dll
C:\WINXPSP2\system32\dgcpsapi.dll
C:\WINXPSP2\system32\dGdim.dll
C:\WINXPSP2\system32\dgvcon32.dll
C:\WINXPSP2\system32\dgvenum.dll
C:\WINXPSP2\system32\divcon32.dll
C:\WINXPSP2\system32\djmodemx.dll
C:\WINXPSP2\system32\dn0601dse.dll
C:\WINXPSP2\system32\dn2801fue.dll
C:\WINXPSP2\system32\dn6801jue.dll
C:\WINXPSP2\system32\dn6u01j9e.dll
C:\WINXPSP2\system32\dpquery.dll
C:\WINXPSP2\system32\dqactfrm.dll
C:\WINXPSP2\system32\dQtaclen.dll
C:\WINXPSP2\system32\Dsdlgs.dll
C:\WINXPSP2\system32\dtmasf.dll
C:\WINXPSP2\system32\dtound.dll
C:\WINXPSP2\system32\dUd8.dll
C:\WINXPSP2\system32\dvmodemx.dll
C:\WINXPSP2\system32\dvvcon32.dll
C:\WINXPSP2\system32\dylay.dll
C:\WINXPSP2\system32\dylayx.dll
C:\WINXPSP2\system32\dynmodem.dll
C:\WINXPSP2\system32\dzghelp.dll
C:\WINXPSP2\system32\dzsec.dll
C:\WINXPSP2\system32\dzsshlex.dll
C:\WINXPSP2\system32\e420lefm1h2a.dll
C:\WINXPSP2\system32\e8jmli1118.dll
C:\WINXPSP2\system32\eafpixexif.dll
C:\WINXPSP2\system32\efpsrv.dll
C:\WINXPSP2\system32\enj2l11o1.dll
C:\WINXPSP2\system32\enn6l15s1.dll
C:\WINXPSP2\system32\enr2l19o1.dll
C:\WINXPSP2\system32\evfpixjpeg.dll
C:\WINXPSP2\system32\ewentlog.dll
C:\WINXPSP2\system32\ewfpixexif.dll
C:\WINXPSP2\system32\f40o0ed3eh0.dll
C:\WINXPSP2\system32\FC20.DLL
C:\WINXPSP2\system32\FE20.DLL
C:\WINXPSP2\system32\fp6m03j1e.dll
C:\WINXPSP2\system32\fp6u03j9e.dll
C:\WINXPSP2\system32\fpru0399e.dll
C:\WINXPSP2\system32\g2lm0c31ef.dll
C:\WINXPSP2\system32\g6220gfoe62c0.dll
C:\WINXPSP2\system32\gbtext.dll
C:\WINXPSP2\system32\gJlm0c31ef.dll
C:\WINXPSP2\system32\Gntuname.dll
C:\WINXPSP2\system32\goi32.dll
C:\WINXPSP2\system32\gp0ml3d11.dll
C:\WINXPSP2\system32\gp28l3fu1.dll
C:\WINXPSP2\system32\gp4sl3h71.dll
C:\WINXPSP2\system32\gpp8l37u1.dll
C:\WINXPSP2\system32\gqkrsrc.dll
C:\WINXPSP2\system32\gqtext.dll
C:\WINXPSP2\system32\GzpmVnocX.dll
C:\WINXPSP2\system32\h02o0af3ed2.dll
C:\WINXPSP2\system32\h62o0gf3e62.dll
C:\WINXPSP2\system32\hhcoin.dll
C:\WINXPSP2\system32\hL23msp.dll
C:\WINXPSP2\system32\hr8605lse.dll
C:\WINXPSP2\system32\hrp2057oe.dll
C:\WINXPSP2\system32\i406leds1h06.dll
C:\WINXPSP2\system32\i6lolg3316.dll
C:\WINXPSP2\system32\ia32_32.dll
C:\WINXPSP2\system32\ibrdbg32.dll
C:\WINXPSP2\system32\idetppui.dll
C:\WINXPSP2\system32\idsetup.dll
C:\WINXPSP2\system32\iEsrecst.dll
C:\WINXPSP2\system32\igpromon.dll
C:\WINXPSP2\system32\ijlogmsg.dll
C:\WINXPSP2\system32\iJspolcy.dll
C:\WINXPSP2\system32\ijsutil.dll
C:\WINXPSP2\system32\ijxpromn.dll
C:\WINXPSP2\system32\iketcplc.dll
C:\WINXPSP2\system32\imwdial.dll
C:\WINXPSP2\system32\ioetmib1.dll
C:\WINXPSP2\system32\ioxsap.dll
C:\WINXPSP2\system32\ir08l5du1.dll
C:\WINXPSP2\system32\ir0ol5d31.dll
C:\WINXPSP2\system32\ir20l5fm1.dll
C:\WINXPSP2\system32\irj4l51q1.dll
C:\WINXPSP2\system32\irp0l57m1.dll
C:\WINXPSP2\system32\irr4l59q1.dll
C:\WINXPSP2\system32\iseshare.dll
C:\WINXPSP2\system32\iu50_qc.dll
C:\WINXPSP2\system32\iv50_qc.dll
C:\WINXPSP2\system32\iWlolg3316.dll
C:\WINXPSP2\system32\iwq.dll
C:\WINXPSP2\system32\ixaapi.dll
C:\WINXPSP2\system32\ixrtprio.dll
C:\WINXPSP2\system32\izm32.dll
C:\WINXPSP2\system32\izpromon.dll
C:\WINXPSP2\system32\j66m0gj1e6o.dll
C:\WINXPSP2\system32\j66mlgj116o.dll
C:\WINXPSP2\system32\j8n2li5o18.dll
C:\WINXPSP2\system32\jC6mlgj116o.dll
C:\WINXPSP2\system32\JKDR500.DLL
C:\WINXPSP2\system32\jr2025fmg.dll
C:\WINXPSP2\system32\JRFS500.DLL
C:\WINXPSP2\system32\JRS3500.DLL
C:\WINXPSP2\system32\JSAD500.DLL
C:\WINXPSP2\system32\jsaw400.dll
C:\WINXPSP2\system32\jt0007dme.dll
C:\WINXPSP2\system32\jt0q07d5e.dll
C:\WINXPSP2\system32\jt2q07f5e.dll
C:\WINXPSP2\system32\jt4407hqe.dll
C:\WINXPSP2\system32\jtjm0711e.dll
C:\WINXPSP2\system32\jtr6079se.dll
C:\WINXPSP2\system32\jtrm0791e.dll
C:\WINXPSP2\system32\JUEA500.DLL
C:\WINXPSP2\system32\jymd400.dll
C:\WINXPSP2\system32\JZEA500.DLL
C:\WINXPSP2\system32\JZEM500.DLL
C:\WINXPSP2\system32\jzt500.dll
C:\WINXPSP2\system32\k0260afsed260.dll
C:\WINXPSP2\system32\k226lcfs1f26.dll
C:\WINXPSP2\system32\k4jsle171h.dll
C:\WINXPSP2\system32\kcd101b.dll
C:\WINXPSP2\system32\kcdazel.dll
C:\WINXPSP2\system32\kcdhe220.dll
C:\WINXPSP2\system32\kcdinmal.dll
C:\WINXPSP2\system32\kcdnec.dll
C:\WINXPSP2\system32\kedkaz.dll
C:\WINXPSP2\system32\kfdgae.dll
C:\WINXPSP2\system32\kgdhela2.dll
C:\WINXPSP2\system32\kgdusx.dll
C:\WINXPSP2\system32\kirml7911.dll
C:\WINXPSP2\system32\kjdfr.dll
C:\WINXPSP2\system32\kkdgr.dll
C:\WINXPSP2\system32\kkdtuf.dll
C:\WINXPSP2\system32\kldfi1.dll
C:\WINXPSP2\system32\kmdhe220.dll
C:\WINXPSP2\system32\kmdic.dll
C:\WINXPSP2\system32\kqrnel32.dll
C:\WINXPSP2\system32\krdycl.dll
C:\WINXPSP2\system32\ksdus.dll
C:\WINXPSP2\system32\kt2sl7f71.dll
C:\WINXPSP2\system32\kt6ol7j31.dll
C:\WINXPSP2\system32\ktrml7911.dll
C:\WINXPSP2\system32\kvdinbe1.dll
C:\WINXPSP2\system32\kwdinmal.dll
C:\WINXPSP2\system32\kwdit142.dll
C:\WINXPSP2\system32\kwdru.dll
C:\WINXPSP2\system32\kwdsmsno.dll
C:\WINXPSP2\system32\kzdjpn.dll
C:\WINXPSP2\system32\kzdmac.dll
C:\WINXPSP2\system32\kzdsp.dll
C:\WINXPSP2\system32\l4l60e3seh.dll
C:\WINXPSP2\system32\l86olij318o.dll
C:\WINXPSP2\system32\lcasrv.dll
C:\WINXPSP2\system32\ldrmonui.dll
C:\WINXPSP2\system32\lF6olij318o.dll
C:\WINXPSP2\system32\lmkrn13n.dll
C:\WINXPSP2\system32\lsfil13n.dll
C:\WINXPSP2\system32\ltadperf.dll
C:\WINXPSP2\system32\lv6o09j3e.dll
C:\WINXPSP2\system32\lvj6091se.dll
C:\WINXPSP2\system32\lxasrv.dll
C:\WINXPSP2\system32\m464lejq1hoe.dll
C:\WINXPSP2\system32\m4nq0e55eh.dll
C:\WINXPSP2\system32\maang.dll
C:\WINXPSP2\system32\mals31.dll
C:\WINXPSP2\system32\marating.dll
C:\WINXPSP2\system32\mavidctl.dll
C:\WINXPSP2\system32\mblogmgr.dll
C:\WINXPSP2\system32\mcimsg.dll
C:\WINXPSP2\system32\mcpatcha.dll
C:\WINXPSP2\system32\mcrdim.dll
C:\WINXPSP2\system32\mcrtdep.dll
C:\WINXPSP2\system32\mdrd2x40.dll
C:\WINXPSP2\system32\meacm.dll
C:\WINXPSP2\system32\mebsync.dll
C:\WINXPSP2\system32\meexcl40.dll
C:\WINXPSP2\system32\melapx.dll
C:\WINXPSP2\system32\mevcp60.dll
C:\WINXPSP2\system32\mhls31.dll
C:\WINXPSP2\system32\miiseq.dll
C:\WINXPSP2\system32\mjrd2x40.dll
C:\WINXPSP2\system32\mkcat32.dll
C:\WINXPSP2\system32\mkl_hp.dll
C:\WINXPSP2\system32\mkr2c.dll
C:\WINXPSP2\system32\MLCTFP.dll
C:\WINXPSP2\system32\mljtes40.dll
C:\WINXPSP2\system32\mogina.dll
C:\WINXPSP2\system32\mort.dll
C:\WINXPSP2\system32\mpvcrt.dll
C:\WINXPSP2\system32\mqc70.dll
C:\WINXPSP2\system32\mqisip.dll
C:\WINXPSP2\system32\msrui.dll
C:\WINXPSP2\system32\msupgrd.dll
C:\WINXPSP2\system32\mti.dll
C:\WINXPSP2\system32\mtwdat10.dll
C:\WINXPSP2\system32\muisip.dll
C:\WINXPSP2\system32\muvcrt20.dll
C:\WINXPSP2\system32\mv4ml9h11.dll
C:\WINXPSP2\system32\mvj6l91s1.dll
C:\WINXPSP2\system32\mvpml9711.dll
C:\WINXPSP2\system32\mWang.dll
C:\WINXPSP2\system32\mwdxmlc.dll
C:\WINXPSP2\system32\mxiwave.dll
C:\WINXPSP2\system32\mxrmsg.dll
C:\WINXPSP2\system32\mxrtdep.dll
C:\WINXPSP2\system32\mxvcrt40.dll
C:\WINXPSP2\system32\mycshext.dll
C:\WINXPSP2\system32\n0n60a5sed.dll
C:\WINXPSP2\system32\n0r2la9o1d.dll
C:\WINXPSP2\system32\ndshrui.dll
C:\WINXPSP2\system32\NFTAudioCompress2.dll
C:\WINXPSP2\system32\nhapi32.dll
C:\WINXPSP2\system32\nrmkcert.dll
C:\WINXPSP2\system32\nTn60a5sed.dll
C:\WINXPSP2\system32\nyshrui.dll
C:\WINXPSP2\system32\nzshrui.dll
C:\WINXPSP2\system32\o0840alqedqe0.dll
C:\WINXPSP2\system32\o0ro0a93ed.dll
C:\WINXPSP2\system32\o2pq0c75ef.dll
C:\WINXPSP2\system32\o8ns0i57e8.dll
C:\WINXPSP2\system32\ODTLWAB.DLL
C:\WINXPSP2\system32\oieprn.dll
C:\WINXPSP2\system32\one2nls.dll
C:\WINXPSP2\system32\OPTLWAB.DLL
C:\WINXPSP2\system32\oqbcp32r.dll
C:\WINXPSP2\system32\oruninst.dll
C:\WINXPSP2\system32\oteacc.dll
C:\WINXPSP2\system32\oytext32.dll
C:\WINXPSP2\system32\OZTLWAB.DLL
C:\WINXPSP2\system32\pacParse.dll
C:\WINXPSP2\system32\phcDevUI.dll
C:\WINXPSP2\system32\pIpgasvc.dll
C:\WINXPSP2\system32\pjcDcd.dll
C:\WINXPSP2\system32\pkwrprof.dll
C:\WINXPSP2\system32\PMDLIB32.DLL
C:\WINXPSP2\system32\pOpgasvc.dll
C:\WINXPSP2\system32\ptcDcd.dll
C:\WINXPSP2\system32\q086lals1dq6.dll
C:\WINXPSP2\system32\q6pslg7716.dll
C:\WINXPSP2\system32\q886lils18q6.dll
C:\WINXPSP2\system32\qagrprxy.dll
C:\WINXPSP2\system32\qggr.dll
C:\WINXPSP2\system32\qngr.dll
C:\WINXPSP2\system32\r0p8la7u1d.dll
C:\WINXPSP2\system32\rggapi.dll
C:\WINXPSP2\system32\rJsauto.dll
C:\WINXPSP2\system32\rspdd.dll
C:\WINXPSP2\system32\rSsppp.dll
C:\WINXPSP2\system32\rTp8la7u1d.dll
C:\WINXPSP2\system32\ruchost.dll
C:\WINXPSP2\system32\ruipxmib.dll
C:\WINXPSP2\system32\rWstapi.dll
C:\WINXPSP2\system32\s0rsla971d.dll
C:\WINXPSP2\system32\sassetup.dll
C:\WINXPSP2\system32\scgina.dll
C:\WINXPSP2\system32\SMntf16.dll
C:\WINXPSP2\system32\snrstr.dll
C:\WINXPSP2\system32\snrwvdrv.dll
C:\WINXPSP2\system32\snsvc.dll
C:\WINXPSP2\system32\srndcmsg.dll
C:\WINXPSP2\system32\sssvc.dll
C:\WINXPSP2\system32\stgina.dll
C:\WINXPSP2\system32\sTmsrv.dll
C:\WINXPSP2\system32\subcsp.dll
C:\WINXPSP2\system32\svbrccsp.dll
C:\WINXPSP2\system32\svlunirl.dll
C:\WINXPSP2\system32\svoolss.dll
C:\WINXPSP2\system32\sWfrslv.dll
C:\WINXPSP2\system32\tfflog.dll
C:\WINXPSP2\system32\tmpmon.dll
C:\WINXPSP2\system32\tUpi3.dll
C:\WINXPSP2\system32\txappcmp.dll
C:\WINXPSP2\system32\uarvoica.dll
C:\WINXPSP2\system32\ubiplat.dll
C:\WINXPSP2\system32\ugerenv.dll
C:\WINXPSP2\system32\ugrar.dll
C:\WINXPSP2\system32\uhrdpa.dll
C:\WINXPSP2\system32\unrv42a.dll
C:\WINXPSP2\system32\unrv80a.dll
C:\WINXPSP2\system32\uzdmxfrm.dll
C:\WINXPSP2\system32\VD40032.DLL
C:\WINXPSP2\system32\vxa64k.dll
C:\WINXPSP2\system32\wacsvc.dll
C:\WINXPSP2\system32\wafeman.dll
C:\WINXPSP2\system32\wahnetbs.dll
C:\WINXPSP2\system32\wbidx.dll
C:\WINXPSP2\system32\wbnnls.dll
C:\WINXPSP2\system32\wcdmtpdr.dll
C:\WINXPSP2\system32\wecsvc.dll
C:\WINXPSP2\system32\whhnetbs.dll
C:\WINXPSP2\system32\wibclnt.dll
C:\WINXPSP2\system32\wid_ci.dll
C:\WINXPSP2\system32\wkfapi.dll
C:\WINXPSP2\system32\wL2time.dll
C:\WINXPSP2\system32\wL2topl.dll
C:\WINXPSP2\system32\wmapi.dll
C:\WINXPSP2\system32\wnsdmod.dll
C:\WINXPSP2\system32\WohRm.dll
C:\WINXPSP2\system32\wonsock.dll
C:\WINXPSP2\system32\wp2_32.dll
C:\WINXPSP2\system32\wpcsapi.dll
C:\WINXPSP2\system32\wqhnetbs.dll
C:\WINXPSP2\system32\wscltui.dll
C:\WINXPSP2\system32\wuvdmoe.dll
C:\WINXPSP2\system32\wvbcheck.dll
C:\WINXPSP2\system32\WVVADVE.DLL
C:\WINXPSP2\system32\wwhatm.dll
C:\WINXPSP2\system32\WXDRMNet.dll
C:\WINXPSP2\system32\wyssvc.dll
C:\WINXPSP2\system32\wznsock.dll
C:\WINXPSP2\system32\xnidvfw.dll
C:\WINXPSP2\system32\xwlehlp.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))


2006-10-14 17:34 234,409 -r--s---- C:\WINXPSP2\system32\dxrgres.dll
2006-10-14 15:45 4 --a------ C:\WINXPSP2\IIEsv44JBS5X.dll
2006-10-14 15:45 23 --a------ C:\WINXPSP2\IIEsv44JBS5X2.dll
2006-10-14 15:45 18 --a------ C:\WINXPSP2\XMMR810eno.dll
2006-10-13 22:43 4 --a------ C:\WINXPSP2\MRsdrfesa3J2.dll
2006-10-05 06:26 7,976 --a------ C:\idjpsax.exe
2006-10-05 06:26 7,680 --a------ C:\WINXPSP2\system32\~.exe
2006-10-05 06:26 0 --a------ C:\ximeqq.exe
2006-10-05 06:26 0 --a------ C:\weqku.exe
2006-10-05 06:26 0 --a------ C:\vuhc.exe
2006-10-05 06:26 0 --a------ C:\qdpv.exe
2006-10-05 06:26 0 --a------ C:\pqiwl.exe
2006-10-05 06:26 0 --a------ C:\ogskigf.exe
2006-10-05 06:26 0 --a------ C:\jfaj.exe
2006-10-05 06:26 0 --a------ C:\itvhuyl.exe
2006-10-05 06:26 0 --a------ C:\blijdmox.exe
2006-09-25 21:33 47,360 --a------ C:\WINXPSP2\system32\drivers\pcouffin.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-24 21:29 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-19 17:59 -------- d-------- C:\Program Files\Application Data
2006-10-18 15:32 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\SlySoft
2006-10-18 15:28 -------- d-------- C:\Program Files\SlySoft
2006-10-17 20:16 -------- d-------- C:\Program Files\MSN Games
2006-10-17 19:47 675 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pl_accounts.pl_acc
2006-10-17 19:47 556 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Troll.options
2006-10-17 19:47 5188 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\froggy_scorebox
2006-10-15 17:23 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\dvdcss
2006-10-14 17:22 81920 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\ezpinst.exe
2006-10-14 17:22 7176 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.cat
2006-10-14 17:22 47360 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.sys
2006-10-14 17:22 33 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.log
2006-10-14 17:22 1144 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.inf
2006-10-14 17:22 -------- d-------- C:\Program Files\vso
2006-10-14 17:22 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Vso
2006-10-11 18:47 -------- d-------- C:\Program Files\QuickTime
2006-10-10 23:28 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\PlayFirst
2006-10-10 23:08 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Alawar
2006-10-09 18:04 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\EA
2006-10-09 17:48 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\funkitron
2006-10-09 17:47 -------- d-------- C:\Program Files\ReflexiveArcade
2006-10-05 06:26 7680 --a------ C:\WINXPSP2\system32\~.exe
2006-09-29 17:39 -------- d-------- C:\Program Files\MSN
2006-09-29 17:39 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\MSN6
2006-09-06 20:27 31248 --a------ C:\WINXPSP2\system32\drivers\tmpreflt.sys
2006-09-06 20:27 197648 --a------ C:\WINXPSP2\system32\drivers\tmxpflt.sys
2006-09-06 20:09 1051456 --a------ C:\WINXPSP2\system32\drivers\VsapiNT.sys
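
The "Files Created" section of the ComboFix log above has a pattern worth automating: several zero-byte `.exe` files dropped in the root of `C:\` in the same minute, and a few DLLs of 4 to 23 bytes directly under the Windows directory. The following is an added example (my own code, not ComboFix's and not posted in the thread) that parses that section's `date time size attributes path` lines and flags those three signs; the size and burst thresholds are my assumptions, and the sample input is copied from the posted log.

```python
"""Triage of a ComboFix 'Files Created' section (added example, not from the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: lines copied from the ComboFix log posted in the thread.
SAMPLE_CF_LINES = [
    r"2006-10-14 17:34 234,409 -r--s---- C:\WINXPSP2\system32\dxrgres.dll",
    r"2006-10-14 15:45 4 --a------ C:\WINXPSP2\IIEsv44JBS5X.dll",
    r"2006-10-14 15:45 23 --a------ C:\WINXPSP2\IIEsv44JBS5X2.dll",
    r"2006-10-14 15:45 18 --a------ C:\WINXPSP2\XMMR810eno.dll",
    r"2006-10-13 22:43 4 --a------ C:\WINXPSP2\MRsdrfesa3J2.dll",
    r"2006-10-05 06:26 7,976 --a------ C:\idjpsax.exe",
    r"2006-10-05 06:26 7,680 --a------ C:\WINXPSP2\system32\~.exe",
    r"2006-10-05 06:26 0 --a------ C:\ximeqq.exe",
    r"2006-10-05 06:26 0 --a------ C:\weqku.exe",
    r"2006-10-05 06:26 0 --a------ C:\vuhc.exe",
    r"2006-09-25 21:33 47,360 --a------ C:\WINXPSP2\system32\drivers\pcouffin.sys",
]

# "YYYY-MM-DD HH:MM <size with thousands commas> <9 attribute flags> <path>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+) "
    r"(?P<attrs>[-rahs]{9}) (?P<path>.+)$"
)


@dataclass
class CreatedFile:
    stamp: str   # "YYYY-MM-DD HH:MM", minute resolution as ComboFix prints it
    size: int
    attrs: str
    path: str


def parse_files_created(lines):
    """Parse the section's file lines; headers and blank lines are skipped."""
    files = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            files.append(CreatedFile(f"{m['date']} {m['time']}",
                                     int(m["size"].replace(",", "")),
                                     m["attrs"], m["path"]))
    return files


def is_drive_root(path: str) -> bool:
    """True for paths like C:\foo.exe (parent is just the drive letter)."""
    head, _, _tail = path.rpartition("\\")
    return re.fullmatch(r"[A-Za-z]:", head) is not None


def triage_files_created(lines, burst_min=3, tiny_dll_bytes=64):
    """Return (subject, reason) pairs for suspicious creations.

    Heuristics (assumptions, not ComboFix rules): zero-byte executables in the
    drive root, DLLs too small to be a real PE module, and bursts of
    `burst_min` or more files created within the same minute.
    """
    findings = []
    by_stamp = defaultdict(list)
    for f in parse_files_created(lines):
        by_stamp[f.stamp].append(f)
        ext = f.path.rsplit(".", 1)[-1].lower()
        if ext == "exe" and f.size == 0 and is_drive_root(f.path):
            findings.append((f.path, "zero-byte executable in the drive root"))
        if ext == "dll" and f.size < tiny_dll_bytes:
            findings.append((f.path, f"DLL of {f.size} bytes cannot be a real module"))
    for stamp, group in sorted(by_stamp.items()):
        if len(group) >= burst_min:
            findings.append((stamp, f"{len(group)} files created in the same minute (dropper burst)"))
    return findings


if __name__ == "__main__":
    for subject, reason in triage_files_created(SAMPLE_CF_LINES):
        print(f"{subject:<45} {reason}")
```

On the sample this surfaces the three empty root executables, the four tiny DLLs under `C:\WINXPSP2`, and two same-minute bursts (five files at 06:26 on 2006-10-05, three at 15:45 on 2006-10-14); `dxrgres.dll` and `pcouffin.sys` pass all three checks, which is the point of keeping the heuristics narrow.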

Vance
2006-10-25, 08:11
And here is the rest, due to character limits:


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\ctfmon.exe"
"EPSON Stylus C45 Series"="C:\\WINXPSP2\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /M \"Stylus C45\" /EF \"HKCU\"-ԁO;hw!hw 8-w?w)ǀ:"
"SpybotSD TeaTimer"="I:\\Spybot\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EPSON Stylus C45 Series"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /O6 \"USB001\" /M \"Stylus C45\""
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXPSP2^Start Menu^Programs^Startup^SiICfg.lnk]
"path"="C:\\Documents and Settings\\All Users.WINXPSP2\\Start Menu\\Programs\\Startup\\SiICfg.lnk"
"backup"="C:\\WINXPSP2\\pss\\SiICfg.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SILICO~1\\SiICfg\\SiICfg.exe "
"item"="SiICfg"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINXPSP2\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINXPSP2\tasks\XoftSpy.job

Completion time: 06-10-25 15:59:33.29
C:\ComboFix.txt ... 06-10-25 15:59

And the new HJT:


Logfile of HijackThis v1.99.1
Scan saved at 4:01:45 PM, on 25/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXPSP2\System32\smss.exe
C:\WINXPSP2\system32\winlogon.exe
C:\WINXPSP2\system32\services.exe
C:\WINXPSP2\system32\lsass.exe
C:\WINXPSP2\system32\Ati2evxx.exe
C:\WINXPSP2\system32\svchost.exe
C:\WINXPSP2\SYSTEM32\SVCHOST.EXE
C:\WINXPSP2\SYSTEM32\SPOOLSV.EXE
C:\WINXPSP2\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINXPSP2\system32\ctfmon.exe
I:\Spybot\TeaTimer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINXPSP2\system32\devldr32.exe
C:\WINXPSP2\system32\wuauclt.exe
C:\WINXPSP2\system32\wuauclt.exe
C:\HIJACKTHIS\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINXPSP2\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"-ԁO;hw!hw 8-w?w)ǀ:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Spybot\TeaTimer.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8475757-B435-415A-8204-D158C291BCA7}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXPSP2\system32\Ati2evxx.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Shaba
2006-10-25, 16:56
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINXPSP2\IIEsv44JBS5X.dll
C:\WINXPSP2\IIEsv44JBS5X2.dll
C:\WINXPSP2\XMMR810eno.dll
C:\WINXPSP2\MRsdrfesa3J2.dll
C:\idjpsax.exe
C:\WINXPSP2\system32\~.exe
C:\ximeqq.exe
C:\weqku.exe
C:\vuhc.exe
C:\qdpv.exe
C:\pqiwl.exe
C:\ogskigf.exe
C:\jfaj.exe
C:\itvhuyl.exe
C:\blijdmox.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

* Download GMER from
here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.


Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
- gmer report
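
What "Delete on Reboot" actually does, as an added example that is not part of the thread and not Killbox's own code: a file that is open or mapped by a running process cannot be unlinked, so the tool asks Windows to delete it during the next boot. The call for that is MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT); Windows records it in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as pairs of strings (the source in NT form, "\??\C:\...", followed by an empty destination meaning "delete"), and smss.exe works through that list early in boot, before any Run key fires. The script builds those entries for the list above, shows the raw encoding, and can queue the request on Windows; KILLBOX_LIST just echoes Shaba's paths, and schedule_delete_on_reboot is Windows-only and needs an administrator account.

```python
# Added example (not from the thread): the mechanism behind "Delete on Reboot".
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h

# The paths listed in the post above, copied from the thread.
KILLBOX_LIST = [
    r"C:\WINXPSP2\IIEsv44JBS5X.dll",
    r"C:\WINXPSP2\IIEsv44JBS5X2.dll",
    r"C:\WINXPSP2\XMMR810eno.dll",
    r"C:\WINXPSP2\MRsdrfesa3J2.dll",
    r"C:\idjpsax.exe",
    r"C:\WINXPSP2\system32\~.exe",
    r"C:\ximeqq.exe",
    r"C:\weqku.exe",
    r"C:\vuhc.exe",
    r"C:\qdpv.exe",
    r"C:\pqiwl.exe",
    r"C:\ogskigf.exe",
    r"C:\jfaj.exe",
    r"C:\itvhuyl.exe",
    r"C:\blijdmox.exe",
]


def nt_path(win_path):
    """Turn C:\\dir\\file into the \\??\\C:\\dir\\file form stored in the registry."""
    if len(win_path) < 3 or win_path[1] != ":" or win_path[2] != "\\":
        raise ValueError("expected an absolute drive path, got %r" % win_path)
    return "\\??\\" + win_path


def pending_delete_entries(paths):
    """The string list a delete-on-reboot request for `paths` adds to
    PendingFileRenameOperations: source, then "" (empty target = delete)."""
    entries = []
    for p in paths:
        entries.append(nt_path(p))
        entries.append("")
    return entries


def encode_multi_sz(entries):
    """Raw REG_MULTI_SZ encoding: every string NUL-terminated in UTF-16LE,
    then one more NUL. Empty strings are legal here and are exactly how
    the delete marker is stored."""
    return ("".join(s + "\0" for s in entries) + "\0").encode("utf-16-le")


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz, keeping empty strings. (Python's winreg
    QueryValueEx stops at the first empty string, so it silently truncates
    this particular value; read it as raw bytes if you want to audit it.)"""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    body = text[:-1]
    return body.split("\0")[:-1] if body else []


def schedule_delete_on_reboot(paths):
    """Queue each path for deletion at next boot (Windows only; the caller
    must be an administrator). Returns the paths Windows accepted."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.MoveFileExW.restype = ctypes.c_int
    accepted = []
    for p in paths:
        if k32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            accepted.append(p)
        else:
            print("not queued: %s (Win32 error %d)" % (p, ctypes.get_last_error()))
    return accepted


if __name__ == "__main__":
    for entry in pending_delete_entries(KILLBOX_LIST):
        print(repr(entry))
```

Because the deletion happens before the user session exists, the random-named droppers in C:\ cannot re-create each other on the way down, which is the point of doing it this way rather than killing processes and deleting by hand.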

Vance
2006-10-26, 11:04
Ok... A little problem. GMER will get a certain way through the scan, and then my computer restarts itself. As such, I don't have a GMER report, nor have I done a GMER scan.

But here are the other logs:


Jim - 06-10-26 18:58:22.92 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-26 to 2006-10-26 ))))))))))))))))))))))))))))))))))


2006-10-14 17:34 234,409 -r--s---- C:\WINXPSP2\system32\dxrgres.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-24 21:29 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-19 17:59 -------- d-------- C:\Program Files\Application Data
2006-10-18 15:32 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\SlySoft
2006-10-18 15:28 -------- d-------- C:\Program Files\SlySoft
2006-10-17 20:16 -------- d-------- C:\Program Files\MSN Games
2006-10-17 19:47 675 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pl_accounts.pl_acc
2006-10-17 19:47 556 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Troll.options
2006-10-17 19:47 5188 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\froggy_scorebox
2006-10-15 17:23 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\dvdcss
2006-10-14 17:22 81920 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\ezpinst.exe
2006-10-14 17:22 7176 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.cat
2006-10-14 17:22 47360 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.sys
2006-10-14 17:22 33 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.log
2006-10-14 17:22 1144 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.inf
2006-10-14 17:22 -------- d-------- C:\Program Files\vso
2006-10-14 17:22 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Vso
2006-10-11 18:47 -------- d-------- C:\Program Files\QuickTime
2006-10-10 23:28 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\PlayFirst
2006-10-10 23:08 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Alawar
2006-10-09 18:04 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\EA
2006-10-09 17:48 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\funkitron
2006-10-09 17:47 -------- d-------- C:\Program Files\ReflexiveArcade
2006-09-29 17:39 -------- d-------- C:\Program Files\MSN
2006-09-29 17:39 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\MSN6
2006-09-25 21:33 47360 --a------ C:\WINXPSP2\system32\drivers\pcouffin.sys
2006-09-06 20:27 31248 --a------ C:\WINXPSP2\system32\drivers\tmpreflt.sys
2006-09-06 20:27 197648 --a------ C:\WINXPSP2\system32\drivers\tmxpflt.sys
2006-09-06 20:09 1051456 --a------ C:\WINXPSP2\system32\drivers\VsapiNT.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\ctfmon.exe"
"EPSON Stylus C45 Series"="C:\\WINXPSP2\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /M \"Stylus C45\" /EF \"HKCU\"-ԁO;hw!hw 8-w?w)ǀ:"
"SpybotSD TeaTimer"="I:\\Spybot\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EPSON Stylus C45 Series"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /O6 \"USB001\" /M \"Stylus C45\""
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXPSP2^Start Menu^Programs^Startup^SiICfg.lnk]
"path"="C:\\Documents and Settings\\All Users.WINXPSP2\\Start Menu\\Programs\\Startup\\SiICfg.lnk"
"backup"="C:\\WINXPSP2\\pss\\SiICfg.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SILICO~1\\SiICfg\\SiICfg.exe "
"item"="SiICfg"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINXPSP2\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINXPSP2\tasks\XoftSpy.job

Completion time: 06-10-26 18:59:12.90
C:\ComboFix.txt ... 06-10-26 18:59
C:\ComboFix2.txt ... 06-10-25 16:24
C:\ComboFix3.txt ... 06-10-25 15:59


HJT:


Logfile of HijackThis v1.99.1
Scan saved at 6:57:53 PM, on 26/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXPSP2\System32\smss.exe
C:\WINXPSP2\system32\winlogon.exe
C:\WINXPSP2\system32\services.exe
C:\WINXPSP2\system32\savedump.exe
C:\WINXPSP2\system32\lsass.exe
C:\WINXPSP2\system32\Ati2evxx.exe
C:\WINXPSP2\system32\svchost.exe
C:\WINXPSP2\SYSTEM32\SVCHOST.EXE
C:\WINXPSP2\Explorer.EXE
C:\WINXPSP2\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINXPSP2\system32\ctfmon.exe
I:\Spybot\TeaTimer.exe
C:\WINXPSP2\system32\devldr32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINXPSP2\system32\wscntfy.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINXPSP2\system32\wuauclt.exe
C:\HIJACKTHIS\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINXPSP2\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"-ԁO;hw!hw 8-w?w)ǀ:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Spybot\TeaTimer.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8475757-B435-415A-8204-D158C291BCA7}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXPSP2\system32\Ati2evxx.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Any clue as to how to run GMER then?

Shaba
2006-10-26, 15:03
Hi

We'll use other tools then:

Open HijackThis, click do a system scan only and checkmark this:

O20 - AppInit_DLLs:

Close all windows including browser and press fix checked.

Reboot

Please download AVG Anti-Rootkit (http://www.freewarefiles.com/program_9_90_22524.html) to your desktop.

Double-click the installation file
Just click Next, let it go with default settings.
Once the installation is ready, reboot.
Run AVG Anti-Rootkit Beta.exe.
Click Search for rootkits.
When finished, click Save result to file.
Post back with the results. (Not sure where they are located, either in C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\ folder or on your desktop.)

Post also a fresh HijackThis log.

Vance
2006-10-27, 00:05
Ok, this is going to seem like a dumb question, but do I remove the rootkit now, or do I just post the initial scan results?

I looked over your response and couldn't tell whether to remove it or not.

Shaba
2006-10-27, 16:55
Hi

Yes, remove it please :)

Vance
2006-10-28, 00:59
Ok, once AVG had finished, it prompted me to reboot, and I accidentally clicked "Yes", and consequently didn't get to save a log. However, upon running another scan, it found nothing, and I found this in the AVG folder:


clean
C:\WINXPSP2\system32:lzx32.sys
\??\C:\WINXPSP2\system32:lzx32.sys
ntfs filesystem


Don't know if that helps, but it looks like it cleaned it.

And here's the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 8:55:38 AM, on 28/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXPSP2\System32\smss.exe
C:\WINXPSP2\system32\winlogon.exe
C:\WINXPSP2\system32\services.exe
C:\WINXPSP2\system32\lsass.exe
C:\WINXPSP2\system32\Ati2evxx.exe
C:\WINXPSP2\system32\svchost.exe
C:\WINXPSP2\SYSTEM32\SVCHOST.EXE
C:\WINXPSP2\Explorer.EXE
C:\WINXPSP2\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINXPSP2\system32\ctfmon.exe
I:\Spybot\TeaTimer.exe
C:\WINXPSP2\system32\devldr32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINXPSP2\system32\wscntfy.exe
C:\WINXPSP2\system32\wuauclt.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINXPSP2\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"-ԁO;hw!hw 8-w?w)ǀ:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Spybot\TeaTimer.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8475757-B435-415A-8204-D158C291BCA7}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXPSP2\system32\Ati2evxx.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thank you once again for all your help in this matter. :)
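
The AVG entry above uses NTFS alternate data stream syntax: C:\WINXPSP2\system32:lzx32.sys is a named stream ("lzx32.sys") attached to the system32 directory itself, not a file inside it, and \??\ is the same object in NT path form. Ordinary directory listings and Explorer on XP never show such streams, which is how a driver parked there stays out of the HJT log and why a rootkit scanner was needed (the "pe386" warning in the earlier ComboFix report is gone in the later one). As an added example, not from the thread and not AVG's code, here is a parser for that notation plus an enumerator built on the Win32 FindFirstStreamW/FindNextStreamW API. The enumerator only works on Windows with NTFS; the parsing runs anywhere. The sample strings are the two lines from the AVG output.

```python
# Added example (not from the thread): NTFS alternate data streams, as in
# the AVG result "C:\WINXPSP2\system32:lzx32.sys".
import ctypes
import sys

# Copied from the AVG output in the post above.
AVG_STREAM_PATHS = [
    r"C:\WINXPSP2\system32:lzx32.sys",
    r"\??\C:\WINXPSP2\system32:lzx32.sys",
]


def split_stream_path(path):
    """Split 'C:\\dir\\file:stream:$TYPE' into (object path, stream name,
    stream type). A plain path gives (path, None, None). Handles the \\??\\
    NT prefix and does not mistake the drive-letter colon for a stream."""
    p = path[4:] if path.startswith("\\??\\") else path
    drive, body = (p[:2], p[2:]) if len(p) >= 2 and p[1] == ":" else ("", p)
    if ":" not in body:
        return drive + body, None, None
    base, _, rest = body.partition(":")
    stream, _, stype = rest.partition(":")
    return drive + base, stream, (stype or "$DATA")   # $DATA is the default type


def ads_name(raw_stream_name):
    """FindFirstStreamW reports names as ':name:$DATA'. Return the name of a
    named data stream, or None for the unnamed default stream '::$DATA' and
    for non-$DATA stream types (e.g. a directory's $INDEX_ALLOCATION)."""
    if not raw_stream_name.startswith(":"):
        return None
    name, _, stype = raw_stream_name[1:].partition(":")
    if stype != "$DATA" or name == "":
        return None
    return name


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),            # LARGE_INTEGER
                ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36


def list_streams(path):
    """Enumerate every stream of a file or directory (Windows/NTFS only).
    Returns [(raw name, size), ...]; a directory with no ADS yields []
    because FindFirstStreamW fails with ERROR_HANDLE_EOF in that case."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    ERROR_HANDLE_EOF = 38
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == INVALID_HANDLE_VALUE:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:
            return []
        raise ctypes.WinError(err)
    found = []
    try:
        while True:
            found.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return found


def hidden_streams(path):
    """Named $DATA streams attached to `path`, i.e. exactly the kind of place
    the driver above was hiding. Each item is (ADS name, size in bytes)."""
    return [(ads_name(n), size) for n, size in list_streams(path) if ads_name(n)]


if __name__ == "__main__":
    for s in AVG_STREAM_PATHS:
        print(split_stream_path(s))
    if sys.platform == "win32":
        print(hidden_streams(r"C:\Windows\System32"))
```

A stream on the system32 directory is worth special attention because a directory has no default data stream at all, so any $DATA stream reported for it is something somebody put there on purpose.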

Shaba
2006-10-28, 10:36
Hi

Please re-run combofix and send its log here :)

Vance
2006-10-29, 02:03
Ok, here's the new combofix report:


Jim - 06-10-29 11:59:48.92 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-29 to 2006-10-29 ))))))))))))))))))))))))))))))))))


2006-10-14 18:34 234,409 -r--s---- C:\WINXPSP2\system32\dxrgres.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-27 08:54 -------- d-------- C:\Program Files\GRISOFT
2006-10-19 18:59 -------- d-------- C:\Program Files\Application Data
2006-10-18 16:32 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\SlySoft
2006-10-18 16:28 -------- d-------- C:\Program Files\SlySoft
2006-10-17 21:16 -------- d-------- C:\Program Files\MSN Games
2006-10-17 20:47 675 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pl_accounts.pl_acc
2006-10-17 20:47 556 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Troll.options
2006-10-17 20:47 5188 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\froggy_scorebox
2006-10-15 18:23 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\dvdcss
2006-10-14 18:22 81920 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\ezpinst.exe
2006-10-14 18:22 7176 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.cat
2006-10-14 18:22 47360 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.sys
2006-10-14 18:22 33 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.log
2006-10-14 18:22 1144 --a------ C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\pcouffin.inf
2006-10-14 18:22 -------- d-------- C:\Program Files\vso
2006-10-14 18:22 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Vso
2006-10-11 19:47 -------- d-------- C:\Program Files\QuickTime
2006-10-11 00:28 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\PlayFirst
2006-10-11 00:08 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\Alawar
2006-10-09 19:04 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\EA
2006-10-09 18:48 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\funkitron
2006-10-09 18:47 -------- d-------- C:\Program Files\ReflexiveArcade
2006-09-29 18:39 -------- d-------- C:\Program Files\MSN
2006-09-29 18:39 -------- d-------- C:\Documents and Settings\Jim.JIM-B1CA84EAEA1\Application Data\MSN6
2006-09-25 22:33 47360 --a------ C:\WINXPSP2\system32\drivers\pcouffin.sys
2006-09-06 21:27 31248 --a------ C:\WINXPSP2\system32\drivers\tmpreflt.sys
2006-09-06 21:27 197648 --a------ C:\WINXPSP2\system32\drivers\tmxpflt.sys
2006-09-06 21:09 1051456 --a------ C:\WINXPSP2\system32\drivers\VsapiNT.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\ctfmon.exe"
"EPSON Stylus C45 Series"="C:\\WINXPSP2\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /M \"Stylus C45\" /EF \"HKCU\"-ԁO;hw!hw 8-w?w)ǀ:"
"SpybotSD TeaTimer"="I:\\Spybot\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EPSON Stylus C45 Series"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /O6 \"USB001\" /M \"Stylus C45\""
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINXPSP2\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXPSP2^Start Menu^Programs^Startup^SiICfg.lnk]
"path"="C:\\Documents and Settings\\All Users.WINXPSP2\\Start Menu\\Programs\\Startup\\SiICfg.lnk"
"backup"="C:\\WINXPSP2\\pss\\SiICfg.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SILICO~1\\SiICfg\\SiICfg.exe "
"item"="SiICfg"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINXPSP2\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINXPSP2\tasks\XoftSpy.job

Completion time: 06-10-29 12:00:39.53
C:\ComboFix.txt ... 06-10-29 12:00
C:\ComboFix2.txt ... 06-10-26 19:59
C:\ComboFix3.txt ... 06-10-25 17:24


Things have been running much smoother now as well, thanks!

Shaba
2006-10-29, 11:03
Hi

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- kaspersky report

Vance
2006-10-31, 10:51
I hope you don't mind, but I made the report an attachment, as it came to about 78000 characters, just a little over the 20000 limit...

http://www.freewebs.com/vancenet/log.txt

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:33:59 PM, on 31/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXPSP2\System32\smss.exe
C:\WINXPSP2\system32\winlogon.exe
C:\WINXPSP2\system32\services.exe
C:\WINXPSP2\system32\lsass.exe
C:\WINXPSP2\system32\Ati2evxx.exe
C:\WINXPSP2\system32\svchost.exe
C:\WINXPSP2\SYSTEM32\SVCHOST.EXE
C:\WINXPSP2\SYSTEM32\SPOOLSV.EXE
C:\WINXPSP2\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINXPSP2\system32\ctfmon.exe
I:\Spybot\TeaTimer.exe
C:\WINXPSP2\system32\devldr32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINXPSP2\system32\wscntfy.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Ahead\nero\nero.exe
C:\WINXPSP2\system32\imapi.exe
C:\HIJACKTHIS\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINXPSP2\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"-ԁO;hw!hw 8-w?w)ǀ:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Spybot\TeaTimer.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - I:\Poker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8475757-B435-415A-8204-D158C291BCA7}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXPSP2\system32\Ati2evxx.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Shaba
2006-10-31, 16:58
Hi

Run this tool (http://noahdfear.geekstogo.com/FindAWF.exe)

Post the contents of the report in your next reply.

Vance
2006-11-03, 12:22
Here's the report, as requested. It's linked again, due to the filesize.

http://www.freewebs.com/vancenet/awf.txt

Shaba
2006-11-03, 17:54
Hi

Malware has replaced your legit files; we'll need to restore them

Boot in safe mode

Copy these files as below:

C:\PROGRA~1\QUICKT~1\BAK\qttask.exe -> C:\PROGRA~1\QUICKT~1\ (answer yes if asked to overwrite)

C:\WINXPSP2\SYSTEM32\BAK\ctfmon.exe -> C:\WINXPSP2\SYSTEM32\ctfmon.exe

C:\PROGRA~1\CANON\EASY-P~2\BAK\BJPSMAIN.EXE -> C:\PROGRA~1\CANON\EASY-P~2

C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK\jusched.exe -> C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK\E_S4I3T1.EXE -> C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\

Boot in normal mode.

Re-run that tool and send its log here.
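
The restore steps above, scripted as an added example (not part of the thread and not the FindAWF tool): each BAK original is copied back over the file that replaced it, the replaced binary is moved to a quarantine folder instead of being deleted, and a missing BAK copy is reported rather than failing. The file paths are the ones Shaba listed; the quarantine folder is an assumption.

```python
from pathlib import Path
import shutil

# Pairs taken from the instructions above: (BAK copy of the legitimate file,
# path of the replaced file that must be restored).
RESTORE_PAIRS = [
    (r"C:\PROGRA~1\QUICKT~1\BAK\qttask.exe",
     r"C:\PROGRA~1\QUICKT~1\qttask.exe"),
    (r"C:\WINXPSP2\SYSTEM32\BAK\ctfmon.exe",
     r"C:\WINXPSP2\SYSTEM32\ctfmon.exe"),
    (r"C:\PROGRA~1\CANON\EASY-P~2\BAK\BJPSMAIN.EXE",
     r"C:\PROGRA~1\CANON\EASY-P~2\BJPSMAIN.EXE"),
    (r"C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK\jusched.exe",
     r"C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\jusched.exe"),
    (r"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK\E_S4I3T1.EXE",
     r"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I3T1.EXE"),
]


def restore_from_bak(pairs, quarantine_dir):
    """Copy each BAK original back over the file that replaced it.

    The binary currently at the destination is the suspected loader, so it is
    moved into quarantine_dir (kept for analysis, not deleted) before the BAK
    copy is put back with copy2, which preserves the original timestamps.
    Returns {destination: "restored" | "no backup"}; "no backup" is the case
    where the BAK folder holds nothing for that file.
    """
    quarantine = Path(quarantine_dir)
    quarantine.mkdir(parents=True, exist_ok=True)
    results = {}
    for bak, dest in pairs:
        bak, dest = Path(bak), Path(dest)
        if not bak.is_file():
            results[str(dest)] = "no backup"
            continue
        if dest.exists():
            # Prefix with the parent folder name so two files sharing a name
            # do not collide inside the quarantine folder.
            shutil.move(str(dest), str(quarantine / f"{dest.parent.name}_{dest.name}"))
        shutil.copy2(bak, dest)
        results[str(dest)] = "restored"
    return results


if __name__ == "__main__":
    # Run from Safe Mode, as in the thread, so the replaced loader is not
    # running and holding the destination open. Quarantine path is assumed.
    for path, outcome in restore_from_bak(RESTORE_PAIRS, r"C:\AWF_quarantine").items():
        print(f"{outcome:10} {path}")
```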

Vance
2006-11-04, 02:57
http://www.freewebs.com/vancenet/awf2.txt

there's the report, and there was nothing in C:\WINXPSP2\SYSTEM32\BAK to restore, unfortunately.

Shaba
2006-11-04, 10:46
Hi

Now it looks better :)

Re-scan with kaspersky and send its log along with a fresh HijackThis log, please.

LonnyRJones
2006-11-12, 07:58
I wish you had posted the logs Shaba asked for.


Due to lack of responses this thread is closed
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.