
Thread: Help Please?! - Integrity Threat Detected pop up

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    4

    Help Please?! - Integrity Threat Detected pop up

    Hi Guys,

    Can someone please help me remove the "Integrity Threat Detected" pop up?

    Here's my HijackThis log:

    Thanks!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:04:27 PM, on 29/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\SecCenter\scprot4.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
    C:\Program Files\Common Files\VideoMate\ComproRemote.exe
    C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Egseewks\npnojpap.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v1.dll
    O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
    O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [uxcvoraf] rundll32.exe "C:\Program Files\uxcvoraf\kpqlwhmn.dll",Init
    O4 - HKLM\..\Run: [fgpsbepq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fgpsbepq.dll"
    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [rqjcfglq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqjcfglq.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
    O4 - Global Startup: ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe
    O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: www.highend3d.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158479117406
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1158479290906
    O20 - Winlogon Notify: vtutuvt - C:\WINDOWS\
    O20 - Winlogon Notify: winlbu32 - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe

    --
    End of file - 8156 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi ricbenson

    1. Download ComboFix from one of these links and save it to your Desktop:
    Link1
    Link2
    2. Double-click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Oct 2007
    Posts
    4


    Hi Shaba,

    Thanks for your help. Much appreciated.

    Here's my log -

    ComboFix 07-10-28.2 - Administrator 2007-10-29 21:11:03.1 - NTFSx86
    * Created a new restore point
    .
    Rootkit driver pe386 is present. ... attempting disinfection
    pe386 ...... driver unloaded successfully.
    ADS - system32: deleted 68198 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Application Data\SKS~1
    C:\Documents and Settings\Administrator\Application Data\SKS~1\??sks\
    C:\Documents and Settings\All Users\Application Data.\rqjcfglq.dll
    C:\Program Files\SecCenter
    C:\Program Files\SecCenter\scprot4.exe
    C:\WINDOWS\system32\_000003_.tmp.dll
    C:\WINDOWS\system32\lidkfqkv
    C:\WINDOWS\system32\lidkfqkv\bg1.gif
    C:\WINDOWS\system32\lidkfqkv\bgtop.gif
    C:\WINDOWS\system32\lidkfqkv\bottom1.gif
    C:\WINDOWS\system32\lidkfqkv\essentials.gif
    C:\WINDOWS\system32\lidkfqkv\icon1.ico
    C:\WINDOWS\system32\lidkfqkv\install1.gif
    C:\WINDOWS\system32\lidkfqkv\left1.gif
    C:\WINDOWS\system32\lidkfqkv\li.gif
    C:\WINDOWS\system32\lidkfqkv\lidkfqkv2.exe
    C:\WINDOWS\system32\lidkfqkv\lidkfqkv3.exe
    C:\WINDOWS\system32\lidkfqkv\logo.gif
    C:\WINDOWS\system32\lidkfqkv\main.htm
    C:\WINDOWS\system32\lidkfqkv\mainframe.htm
    C:\WINDOWS\system32\lidkfqkv\reinstall1.gif
    C:\WINDOWS\system32\lidkfqkv\right1.gif
    C:\WINDOWS\system32\lidkfqkv\s1.htm
    C:\WINDOWS\system32\lidkfqkv\s2.htm
    C:\WINDOWS\system32\lidkfqkv\s3.htm
    C:\WINDOWS\system32\lidkfqkv\SMTop1.gif
    C:\WINDOWS\system32\lidkfqkv\SMTop2.gif
    C:\WINDOWS\system32\lidkfqkv\SMTop3.gif
    C:\WINDOWS\system32\lidkfqkv\SMTop4.gif
    C:\WINDOWS\system32\lidkfqkv\soft1_off.gif
    C:\WINDOWS\system32\lidkfqkv\soft1_off_ext.gif
    C:\WINDOWS\system32\lidkfqkv\soft1_on.gif
    C:\WINDOWS\system32\lidkfqkv\soft1_on_ext.gif
    C:\WINDOWS\system32\lidkfqkv\soft2_off.gif
    C:\WINDOWS\system32\lidkfqkv\soft2_off_ext.gif
    C:\WINDOWS\system32\lidkfqkv\soft2_on.gif
    C:\WINDOWS\system32\lidkfqkv\soft2_on_ext.gif
    C:\WINDOWS\system32\lidkfqkv\soft3_off.gif
    C:\WINDOWS\system32\lidkfqkv\soft3_off_ext.gif
    C:\WINDOWS\system32\lidkfqkv\soft3_on.gif
    C:\WINDOWS\system32\lidkfqkv\soft3_on_ext.gif
    C:\WINDOWS\system32\lidkfqkv\softbottom_off.gif
    C:\WINDOWS\system32\lidkfqkv\softbottom_on.gif
    C:\WINDOWS\system32\lidkfqkv\softleft_off.gif
    C:\WINDOWS\system32\lidkfqkv\softleft_on.gif
    C:\WINDOWS\system32\lidkfqkv\top1.gif
    C:\WINDOWS\system32\lidkfqkv\top2.gif
    C:\WINDOWS\system32\lidkfqkv\turnoff1.gif
    C:\WINDOWS\system32\lidkfqkv\turnon1.gif
    C:\WINDOWS\system32\nvrssk.dll
    C:\WINDOWS\system32\nvrssl.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
    .

    2007-10-29 21:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-29 20:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-29 20:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-10-29 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2007-10-29 16:35 <DIR> d-------- C:\Program Files\Gabest
    2007-10-29 16:35 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2007-10-29 16:35 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    2007-10-29 16:34 <DIR> d-------- C:\Program Files\AutoGK
    2007-10-29 15:58 <DIR> d-------- C:\Program Files\DVD Decrypter
    2007-10-29 10:41 <DIR> d-------- C:\Program Files\Egseewks
    2007-10-28 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-28 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2007-10-28 21:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
    2007-10-28 21:11 <DIR> d-------- C:\Program Files\Comodo
    2007-10-28 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-28 19:56 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
    2007-10-28 19:05 <DIR> d-------- C:\Program Files\E404 Helper
    2007-10-28 19:05 14,848 --a------ C:\Program Files\msc.exe
    2007-10-28 19:00 9,728 --a------ C:\Program Files\hlpsrv.exe
    2007-10-28 16:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-28 16:07 <DIR> d-------- C:\Program Files\Blaze Media Pro
    2007-10-28 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
    2007-10-28 15:44 <DIR> d-------- C:\Program Files\uxcvoraf
    2007-10-28 15:44 <DIR> d-------- C:\Program Files\Kukpaaug
    2007-10-28 15:44 32,256 --a------ C:\WINDOWS\system32\byxyxxx.dll
    2007-10-28 15:25 <DIR> d-------- C:\Program Files\Steganos Internet Anonym 2006
    2007-10-28 15:25 <DIR> d-------- C:\Program Files\Secure Surfing Engine
    2007-10-28 10:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-26 21:04 <DIR> d-------- C:\Program Files\RedTube Movie Ripper V1.1.1
    2007-10-26 21:04 81,920 --a------ C:\WINDOWS\system32\GkSui20.EXE
    2007-10-25 00:02 <DIR> d-------- C:\Documents and Settings\Administrator\dwhelper
    2007-10-24 23:38 <DIR> d-------- C:\Program Files\UnH Solutions
    2007-10-24 09:04 <DIR> d-------- C:\Program Files\iTunes
    2007-10-24 09:04 <DIR> d-------- C:\Program Files\iPod
    2007-10-22 23:59 <DIR> d-------- C:\etax2007
    2007-10-22 23:23 <DIR> d-------- C:\Program Files\Ares
    2007-10-22 22:54 <DIR> d-------- C:\Program Files\QuickTime
    2007-10-22 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
    2007-10-22 19:58 1,156 --a------ C:\WINDOWS\mozver.dat
    2007-10-22 00:02 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-10-20 21:11 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
    2007-10-20 21:10 <DIR> d-------- C:\Program Files\ASUS WiFi-AP Solo
    2007-10-20 21:10 175,872 --a------ C:\WINDOWS\system32\drivers\RTL8187.sys
    2007-10-20 21:10 13,532 --a------ C:\WINDOWS\system32\drivers\SjyPkt.sys
    2007-10-15 22:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ethereal
    2007-10-15 22:34 <DIR> d-------- C:\Program Files\WinPcap
    2007-10-10 18:06 <DIR> d-------- C:\Program Files\WinFF
    2007-10-10 18:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Winff
    2007-10-09 23:26 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
    2007-10-09 18:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
    2007-10-09 17:54 <DIR> d-------- C:\Program Files\XP Codec Pack
    2007-10-09 17:54 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
    2007-10-09 17:54 737,280 --a------ C:\WINDOWS\iun6002.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-29 05:55 --------- d-----w C:\Program Files\EasyDVDConverter
    2007-10-29 05:42 --------- d-----w C:\Program Files\eMule
    2007-10-28 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2007-10-28 06:49 --------- d-----w C:\Program Files\McAfee
    2007-10-28 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2007-10-22 11:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-20 13:10 --------- d-----w C:\Program Files\Color_Cop
    2007-10-20 11:36 --------- d-----w C:\Program Files\LimeWire
    2007-10-20 10:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-20 09:48 --------- d-----w C:\Program Files\OptusNet DSL Internet
    2007-10-09 09:09 --------- d-----w C:\Program Files\Winamp
    2007-09-26 07:37 --------- d-----w C:\Program Files\Institute of Animation - Facial Animation Toolset 1.2
    2007-09-14 11:26 --------- d-----w C:\Program Files\FLV Player
    2007-08-12 09:08 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
    2007-08-12 09:08 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
    2007-08-12 09:08 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
    2007-08-12 09:08 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
    2007-08-12 09:08 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
    2007-08-12 09:08 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
    2007-08-12 09:08 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
    2007-08-12 09:08 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
    2007-08-12 09:08 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DFCFB5E-3974-3338-8F09-0B2552E546A8}]
    2007-10-29 10:41 94208 --a------ C:\Program Files\Egseewks\npnojpap.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
    2007-10-28 19:05 15872 --a------ C:\Program Files\E404 Helper\e404.v1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 16:29]
    "nwiz"="nwiz.exe" [2006-03-09 16:29 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-03-09 16:29 C:\WINDOWS\system32\nvmctray.dll]
    "RegistryMechanic"="" []
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 18:34 C:\WINDOWS\RTHDCPL.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
    "Ai Quicker Help"="C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe" [2006-11-09 21:29]
    "AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe" [2006-11-14 14:25]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 17:24]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-24 09:05]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-29 20:31]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-10-29 20:37]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "SIA2006"="C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 01:00:00]
    Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 01:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
    ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2007-10-20 21:10:44]
    ComproRemote.lnk - C:\Program Files\Common Files\VideoMate\ComproRemote.exe [2007-07-22 21:15:56]
    ComproSchedulerDTV.lnk - C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe [2007-08-09 10:09:51]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 06:05:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutuvt]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlbu32]

    R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
    R3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys
    R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
    R3 SjyPkt;SjyPkt;\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys
    R3 VMHybrid;VMHybrid service;C:\WINDOWS\system32\DRIVERS\VMHybrid.sys
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
    S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS
    S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys

    *Newly Created Service* - SJYPKT
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-29 21:21:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-29 21:23:47 - machine was rebooted
    .
    --- E O F ---

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    How about a fresh HijackThis log?

  5. #5
    Junior Member
    Join Date
    Oct 2007
    Posts
    4


    Hi Shaba,

    Here's the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:04:57 AM, on 30/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\ASUS\ASUS DH Remote\AsDhRemote.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
    C:\Program Files\Common Files\VideoMate\ComproRemote.exe
    C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Egseewks\npnojpap.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v1.dll
    O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [Ai Quicker Help] "C:\Program Files\ASUS\ASUS DH Remote\AsRc.exe"
    O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006.exe" -firstboot (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
    O4 - Global Startup: ComproRemote.lnk = C:\Program Files\Common Files\VideoMate\ComproRemote.exe
    O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: www.highend3d.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158479117406
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1158479290906
    O20 - Winlogon Notify: vtutuvt - C:\WINDOWS\
    O20 - Winlogon Notify: winlbu32 - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe

    --
    End of file - 7916 bytes
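
Added example (editor's code, not HijackThis, ComboFix or forum code): a small Python triage script that parses the entry lines of the HijackThis logs from the first post and post #5, lists which autostart entries disappeared between them after the ComboFix run, and applies a few structural heuristics to the entries that persist. The log excerpts are quoted from the posts above; the heuristics are the editor's rules of thumb, and a BHO with a proper display name such as "e404 helper" passes them, which is why a multi-engine scan of that DLL is still the right next step.

```python
"""Triage helper for HijackThis 2.x logs.

Parses the "Onn - ..." entry lines of two logs, reports which autostart
entries disappeared between them, and applies structural heuristics to the
survivors. The heuristics are rules of thumb, not a verdict engine.
"""
import re

# An entry line looks like "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install".
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# First absolute DLL path in an O4 command line, quoted or bare, up to a comma.
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^",]+?\.dll)"?', re.I)

# Excerpts from the two HijackThis logs posted in this thread (first post and
# post #5, after the ComboFix run). Lines are quoted as posted, not full logs.
BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Egseewks\npnojpap.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [uxcvoraf] rundll32.exe "C:\Program Files\uxcvoraf\kpqlwhmn.dll",Init
O4 - HKLM\..\Run: [fgpsbepq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fgpsbepq.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [rqjcfglq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqjcfglq.dll"
O20 - Winlogon Notify: vtutuvt - C:\WINDOWS\
O20 - Winlogon Notify: winlbu32 - C:\WINDOWS\
"""

AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Egseewks\npnojpap.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O20 - Winlogon Notify: vtutuvt - C:\WINDOWS\
O20 - Winlogon Notify: winlbu32 - C:\WINDOWS\
"""


def parse(log):
    """Return the set of (section, body) pairs for every entry line in a log."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def flag(entry):
    """Return the heuristic reasons, possibly none, for looking closer at an entry."""
    section, body = entry
    lower = body.lower()
    reasons = []
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a display name")
    if section == "O4":
        m = DLL_RE.search(body)
        dll = m.group(1).lower() if m else ""
        if "regsvr32 /u" in lower:
            reasons.append("Run key calls regsvr32 /u, so DllUnregisterServer executes at logon")
        if "rundll32" in lower and dll and "\\windows\\" not in dll:
            reasons.append("rundll32 loads a DLL from outside the Windows directory")
        if "\\application data\\" in dll:
            reasons.append("DLL is stored under Application Data rather than a program directory")
    if section == "O20" and body.endswith("\\"):
        reasons.append("Winlogon Notify package gives a directory but no DLL name")
    return reasons


def triage(before, after):
    """Summarise what a cleanup run removed and which survivors still look odd."""
    old, new = parse(before), parse(after)
    removed = sorted(f"{s} - {b}" for s, b in old - new)
    suspicious = {}
    for section, body in sorted(old & new):
        reasons = flag((section, body))
        if reasons:
            suspicious[f"{section} - {body}"] = reasons
    return {"removed": removed, "suspicious_persisting": suspicious}


if __name__ == "__main__":
    report = triage(BEFORE, AFTER)
    print("Removed between the two logs:", *report["removed"], sep="\n  ")
    print("Still present and worth a closer look:")
    for line, reasons in report["suspicious_persisting"].items():
        print("  " + line, *("      - " + r for r in reasons), sep="\n")
```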

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Jotti

    When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\Program Files\E404 Helper\e404.v1.dll

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Oct 2007
    Posts
    4

    Default

    Hi Shaba,

    Here's the e404 log:



    File e404.v1.dll received on 10.30.2007 11:45:36 (CET)
    Result: 11/32 (34.38%)

    Antivirus Version Last Update Result
    AhnLab-V3 2007.10.30.0 2007.10.30 -
    AntiVir 7.6.0.30 2007.10.30 ADSPY/Bho.DB.1
    Authentium 4.93.8 2007.10.29 -
    Avast 4.7.1074.0 2007.10.30 -
    AVG 7.5.0.503 2007.10.29 Adware Generic2.UNY
    BitDefender 7.2 2007.10.30 -
    CAT-QuickHeal 9.00 2007.10.29 AdWare.BHO.je (Not a Virus)
    ClamAV 0.91.2 2007.10.30 -
    DrWeb 4.44.0.09170 2007.10.30 -
    eSafe 7.0.15.0 2007.10.28 Suspicious File
    eTrust-Vet 31.2.5253 2007.10.30 -
    Ewido 4.0 2007.10.29 -
    FileAdvisor 1 2007.10.30 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.3.2.48 2007.10.29 W32/Adware.YTL
    F-Secure 6.70.13030.0 2007.10.30 -
    Ikarus T3.1.1.12 2007.10.30 -
    Kaspersky 7.0.0.125 2007.10.30 not-a-virus:AdWare.Win32.BHO.je
    McAfee 5151 2007.10.29 potentially unwanted program Adware-BHO
    Microsoft 1.2908 2007.10.30 -
    NOD32v2 2626 2007.10.30 -
    Norman 5.80.02 2007.10.29 -
    Panda 9.0.0.4 2007.10.30 Suspicious file
    Prevx1 V2 2007.10.30 Heuristic: Suspicious Self Modifying File
    Rising 19.47.12.00 2007.10.30 -
    Sophos 4.23.0 2007.10.30 -
    Sunbelt 2.2.907.0 2007.10.29 VIPRE.Suspicious
    Symantec 10 2007.10.30 -
    TheHacker 6.2.9.110 2007.10.27 -
    VBA32 3.12.2.4 2007.10.28 -
    VirusBuster 4.3.26:9 2007.10.29 -
    Webwasher-Gateway 6.6.1 2007.10.30 Ad-Spyware.Bho.DB.1
    Additional information
    File size: 15872 bytes
    MD5: f114ca5f2bcd702e9874e236cc2ad75b
    SHA1: d3b3c55eb46a8eb0984a44bdb532c459d5d64405
    packers: PE_Patch.PECompact, PecBundle, PECompact
    Prevx info: http://fileinfo.prevx.com/fileinfo.a...AC3800E99EAB48
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
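
A small parser for the VirusTotal text report pasted above, added here as a worked example (it is not code from the thread or from VirusTotal). It reads the engine table and the hash lines back into a structure, recomputes the detection ratio so it can be checked against the "Result:" header, lists which engines actually flagged the file, and offers a helper that compares a local copy's MD5/SHA1 against the hashes in the report, which is worth doing before relying on someone else's verdict for a file on your own machine. The sample text is constructed from the post above (UI residue removed); the function and class names are my own.

```python
"""Parse a VirusTotal text report and check a local file against its hashes.
Added example, not part of the original thread."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: the engine table and hash lines copied from the post above.
SAMPLE_REPORT = """\
Result: 11/32 (34.38%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.30.0 2007.10.30 -
AntiVir 7.6.0.30 2007.10.30 ADSPY/Bho.DB.1
Authentium 4.93.8 2007.10.29 -
Avast 4.7.1074.0 2007.10.30 -
AVG 7.5.0.503 2007.10.29 Adware Generic2.UNY
BitDefender 7.2 2007.10.30 -
CAT-QuickHeal 9.00 2007.10.29 AdWare.BHO.je (Not a Virus)
ClamAV 0.91.2 2007.10.30 -
DrWeb 4.44.0.09170 2007.10.30 -
eSafe 7.0.15.0 2007.10.28 Suspicious File
eTrust-Vet 31.2.5253 2007.10.30 -
Ewido 4.0 2007.10.29 -
FileAdvisor 1 2007.10.30 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.29 W32/Adware.YTL
F-Secure 6.70.13030.0 2007.10.30 -
Ikarus T3.1.1.12 2007.10.30 -
Kaspersky 7.0.0.125 2007.10.30 not-a-virus:AdWare.Win32.BHO.je
McAfee 5151 2007.10.29 potentially unwanted program Adware-BHO
Microsoft 1.2908 2007.10.30 -
NOD32v2 2626 2007.10.30 -
Norman 5.80.02 2007.10.29 -
Panda 9.0.0.4 2007.10.30 Suspicious file
Prevx1 V2 2007.10.30 Heuristic: Suspicious Self Modifying File
Rising 19.47.12.00 2007.10.30 -
Sophos 4.23.0 2007.10.30 -
Sunbelt 2.2.907.0 2007.10.29 VIPRE.Suspicious
Symantec 10 2007.10.30 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.29 -
Webwasher-Gateway 6.6.1 2007.10.30 Ad-Spyware.Bho.DB.1
Additional information
File size: 15872 bytes
MD5: f114ca5f2bcd702e9874e236cc2ad75b
SHA1: d3b3c55eb46a8eb0984a44bdb532c459d5d64405
packers: PE_Patch.PECompact, PecBundle, PECompact
"""

DATE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")  # "Last Update" column, e.g. 2007.10.30


@dataclass
class Report:
    claimed: tuple = None                      # (hits, total) from the "Result:" header
    engines: dict = field(default_factory=dict)  # engine name -> verdict ("-" means clean)
    md5: str = ""
    sha1: str = ""
    size: int = 0
    packers: list = field(default_factory=list)

    @property
    def detections(self) -> dict:
        return {n: v for n, v in self.engines.items() if v != "-"}

    @property
    def ratio(self) -> tuple:
        return (len(self.detections), len(self.engines))


def parse_report(text: str) -> Report:
    rep, in_table = Report(), False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Result:"):
            m = re.search(r"(\d+)/(\d+)", line)
            rep.claimed = (int(m.group(1)), int(m.group(2))) if m else None
        elif line.startswith("Antivirus "):        # table header starts the engine rows
            in_table = True
        elif line.startswith("Additional information"):
            in_table = False
        elif line.startswith("MD5:"):
            rep.md5 = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA1:"):
            rep.sha1 = line.split(":", 1)[1].strip().lower()
        elif line.startswith("File size:"):
            rep.size = int(line.split()[2])
        elif line.startswith("packers:"):
            rep.packers = [p.strip() for p in line.split(":", 1)[1].split(",")]
        elif in_table:
            parts = line.split()
            # engine, version, date, then the verdict (which may itself contain spaces)
            if len(parts) >= 4 and DATE.match(parts[2]):
                rep.engines[parts[0]] = " ".join(parts[3:])
    return rep


def compute_hashes(data: bytes) -> tuple:
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_report(data: bytes, rep: Report) -> bool:
    """True only if both hashes of the local bytes agree with the report."""
    md5, sha1 = compute_hashes(data)
    return md5 == rep.md5 and sha1 == rep.sha1


def summarize(rep: Report) -> str:
    hits, total = rep.ratio
    note = "" if rep.claimed == (hits, total) else f" (header claims {rep.claimed})"
    lines = [f"{hits}/{total} engines flagged the file{note}, size {rep.size} bytes"]
    lines += [f"  {name}: {verdict}" for name, verdict in sorted(rep.detections.items())]
    return "\n".join(lines)


def parse_sample() -> Report:
    return parse_report(SAMPLE_REPORT)


if __name__ == "__main__":
    print(summarize(parse_sample()))
```

The verdict column is free text, so the parser anchors on the date column rather than counting fields; that is what lets rows such as McAfee's multi-word "potentially unwanted program Adware-BHO" survive intact. Packers listed in the report (PECompact here) are worth noting separately: a packed binary is one reason the heuristic engines report "suspicious" rather than a named family.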

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Download suspicious file packer from here

    Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

    C:\Program Files\E404 Helper\e404.v1.dll

    Go to spykiller

    Press new topic, make threads title "Files for Shaba"
    Include to your message a link to here, then attach the cab/zip file to your message and post the topic
    If you can't locate it through the browse button just copy/paste the filename and path.

    Reply after that and we'll continue
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Due to the lack of feedback this Topic is closed.

    If you need this topic reopened, please request this by sending the moderating team
    a PM with the address of the thread. This applies only to the original topic starter.

    Everyone else please begin a New Topic.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
