Command Service and other stuff

jzaza

New member
Hi - I've been using Spybot, vundo.exe and Ad-Aware and I can't completely clear my machine. Can someone please help? Here's my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:16 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\ggnsifki.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\qndddsnA.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\s?stem\m?iexec.exe
C:\PROGRA~1\FNTS~1\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by TMP Worldwide
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08EEC37C-DD2E-4482-9968-6B794F206B1A} - C:\Program Files\Windows Media Player\hopew43855.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58FE4633-3D0A-4464-BD5B-939C19B57011} - C:\WINDOWS\system32\drivern.dll
O2 - BHO: (no name) - {661A6EFE-A418-ACEB-4B11-F98DBF2C82CB} - C:\WINDOWS\system32\zafal.dll (file missing)
O2 - BHO: (no name) - {6D1964D8-A038-DDBA-1A15-F88DBA518392} - C:\WINDOWS\system32\rnxpgrr.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: (no name) - {9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC} - C:\Program Files\Windows Media Player\hopew83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF} - C:\WINDOWS\system32\oppoo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [qndddsnA] C:\WINDOWS\qndddsnA.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [SecureWeb] C:\WINDOWS\system32\3MytCS68.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\RunOnce: [checkregistry] C:\WINDOWS\system32\monterreyn_ingen.exe driverm.dll driverm.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Xhol] "C:\Program Files\s?stem\m?iexec.exe"
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\RunOnce: [checkregistry] C:\WINDOWS\system32\monterreyn_ingen.exe driverm.dll driverm.exe r
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_HI_Client.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172111006824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ggnsifki.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
 
Hi jzaza

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
 
combo and HJT logs

Thank you for your help.

Combo Log:
"JZeinieh" - 2007-06-25 14:56:11 - ComboFix 07-06-23.5 - Service Pack 2 NTFS

/wow section not completed

((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-25 09:56 1,156 --a------ C:\WINDOWS\mozver.dat
2007-06-25 09:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 09:00 60,928 --a------ C:\WINDOWS\system32\daqawhdb.dll
2007-06-23 19:50 <DIR> d-------- C:\WINDOWS\pss
2007-06-23 10:44 <DIR> d-------- C:\WINDOWS\zfff
2007-06-23 10:44 <DIR> d-------- C:\Program Files\Common Files\zfff
2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yapta
2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-23 10:29 <DIR> d--hs---- C:\WINDOWS\VE1QIFdvcmxkd2lkZQ
2007-06-22 13:22 <DIR> d-------- C:\VundoFix Backups
2007-06-22 13:18 107,520 --a------ C:\VundoFix.exe
2007-06-21 22:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-21 21:18 122,880 --a------ C:\WINDOWS\xmlhelper2.dll
2007-06-21 21:07 20,544 --a------ C:\WINDOWS\system32\3MytCS68.exe
2007-06-21 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-21 19:53 <DIR> d-------- C:\hjt
2007-06-21 19:33 122,900 --a------ C:\WINDOWS\system32\dreadavk.exe
2007-06-21 10:04 122,900 --a------ C:\WINDOWS\system32\ggnsifki.exe
2007-06-21 09:41 79,872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys
2007-06-21 09:41 501,920 -r-hs---- C:\WINDOWS\qndddsnA.exe
2007-06-21 09:41 46,592 --a------ C:\WINDOWS\qndddsn.exe
2007-06-21 09:40 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-21 09:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-21 09:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-21 09:40 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-21 09:40 <DIR> d-------- C:\Temp
2007-06-21 07:21 0 --ah----- C:\WINDOWS\system32\pifpaf.pif
2007-06-20 08:36 97,280 --a------ C:\WINDOWS\monterreyn_ingen.exe
2007-06-20 08:35 97,280 --a------ C:\WINDOWS\system32\monterreyn_ingen.exe
2007-06-19 10:53 22,528 --a------ C:\Program Files\Common Files\winctl.dll
2007-06-19 10:02 <DIR> d-------- C:\WINDOWS\system32\msvcr61
2007-06-18 19:26 97,792 --a-s---- C:\WINDOWS\system32\monterreym_ingen.exe
2007-06-18 16:01 45,056 --a------ C:\syssoit.exe
2007-06-13 11:43 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-05-27 18:41 <DIR> d-------- C:\Program Files\Yapta
2007-05-27 18:41 <DIR> d-------- C:\DOCUME~1\jzeinieh\APPLIC~1\Yapta
2007-05-26 17:11 262,144 --ah----- C:\DOCUME~1\TEMP\NTUSER.DAT
2007-05-26 17:11 <DIR> d--h----- C:\DOCUME~1\TEMP\WLANProfiles


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 14:26:13 -------- d-----w C:\Program Files\Messenger
2007-05-23 19:08:04 -------- d-----w C:\Program Files\Google
2007-05-09 03:23:35 -------- d-----w C:\DOCUME~1\jzeinieh\APPLIC~1\SecondLife
2007-05-09 03:23:22 -------- d-----w C:\Program Files\SecondLife
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-02 19:10:45 199,751 ----a-w C:\WINDOWS\system32\atasnt40.dll
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\VE1QIFdvcmxkd2lkZQ\pHYkKIxSwAU4xZ54tk.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{08EEC37C-DD2E-4482-9968-6B794F206B1A}=C:\Program Files\Windows Media Player\hopew43855.dll [2007-06-14 06:54]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{63196F8F-F73E-8EBD-1A15-F88DBA5181C0}=C:\WINDOWS\system32\daqawhdb.dll [2007-06-20 09:49]
{661A6EFE-A418-ACEB-4B11-F98DBF2C82CB}=C:\WINDOWS\system32\zafal.dll []
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper2.dll [2007-06-21 21:18]
{9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC}=C:\Program Files\Windows Media Player\hopew83122.dll [2007-06-18 13:59]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-22 12:05]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-05-22 12:05]
{F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF}=C:\WINDOWS\system32\oppoo.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Visual Studio .NET Components"="msvcr61.exe" [2007-06-25 14:58 C:\WINDOWS\system32\.]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:32]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 14:49]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 09:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\faxctrl.exe" [2002-07-24 18:57]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 12:05]
"Xhol"="C:\Program Files\s?stem\m?iexec.exe" []
"Tair"="C:\PROGRA~1\FNTS~1\javaw.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)
"NoAutoUpdate"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\prokyfsov.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{009541A0-3B00-1F1C-00F3-040224009C02}"="C:\Program Files\Common Files\winctl.dll" [2007-06-18 17:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1219070818-4200922009-2982726761-329357\Scripts\Logon\0\0]
"Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\0\0]
"Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\1\0]
"Script"=\\prod.corp.ad\NETLOGON\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


Contents of the 'Scheduled Tasks' folder
2007-06-22 05:00:30 C:\WINDOWS\tasks\At1.job
2007-06-25 14:01:42 C:\WINDOWS\tasks\At10.job
2007-06-25 15:01:46 C:\WINDOWS\tasks\At11.job
2007-06-25 16:00:30 C:\WINDOWS\tasks\At12.job
2007-06-25 17:00:35 C:\WINDOWS\tasks\At13.job
2007-06-25 18:00:30 C:\WINDOWS\tasks\At14.job
2007-06-25 19:00:30 C:\WINDOWS\tasks\At15.job
2007-06-24 20:00:30 C:\WINDOWS\tasks\At16.job
2007-06-24 21:00:31 C:\WINDOWS\tasks\At17.job
2007-06-24 22:00:31 C:\WINDOWS\tasks\At18.job
2007-06-24 23:00:30 C:\WINDOWS\tasks\At19.job
2007-06-22 02:07:11 C:\WINDOWS\tasks\At2.job
2007-06-25 00:00:31 C:\WINDOWS\tasks\At20.job
2007-06-25 01:00:30 C:\WINDOWS\tasks\At21.job
2007-06-22 02:07:19 C:\WINDOWS\tasks\At22.job
2007-06-22 03:01:34 C:\WINDOWS\tasks\At23.job
2007-06-22 04:00:32 C:\WINDOWS\tasks\At24.job
2007-06-22 02:07:12 C:\WINDOWS\tasks\At3.job
2007-06-22 02:07:12 C:\WINDOWS\tasks\At4.job
2007-06-22 02:07:13 C:\WINDOWS\tasks\At5.job
2007-06-22 02:07:13 C:\WINDOWS\tasks\At6.job
2007-06-22 02:07:13 C:\WINDOWS\tasks\At7.job
2007-06-22 02:07:13 C:\WINDOWS\tasks\At8.job
2007-06-22 02:07:13 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 14:58:58
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\msvcr61
C:\WINDOWS\system32\msvcr61.dll
C:\WINDOWS\system32\msvcr61.exe

scan completed successfully
hidden files: 3

**************************************************************************

Completion time: 2007-06-25 14:59:42
C:\ComboFix-quarantined-files.txt ... 2007-06-25 14:59

--- E O F ---



*******************************************************

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 15:03, on 2007-06-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08EEC37C-DD2E-4482-9968-6B794F206B1A} - C:\Program Files\Windows Media Player\hopew43855.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63196F8F-F73E-8EBD-1A15-F88DBA5181C0} - C:\WINDOWS\system32\daqawhdb.dll
O2 - BHO: (no name) - {661A6EFE-A418-ACEB-4B11-F98DBF2C82CB} - C:\WINDOWS\system32\zafal.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: (no name) - {9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC} - C:\Program Files\Windows Media Player\hopew83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF} - C:\WINDOWS\system32\oppoo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Xhol] "C:\Program Files\s?stem\m?iexec.exe"
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt ndrv
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_HI_Client.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172111006824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
 
Quarantined files log

Here you go:

Code:
2007-01-12 15:00      18031    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
2007-03-06 10:59      34494    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir
2007-04-24 11:21      9248    --a------    C:\Qoobox\Quarantine\C\Temp\0b9\tmpTF.log.vir
2007-05-21 23:26      212992    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S1\bk53.exe.vir
2007-06-05 07:51      123544    --a------    C:\Qoobox\Quarantine\C\WINDOWS\b136.exe.vir
2007-06-06 10:35      618496    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe.vir
2007-06-12 02:53      32768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\o02PrEz\o02PrEz1065.exe.vir
2007-06-12 03:01      32768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\o09PrEz\o09PrEz1099.exe.vir
2007-06-12 03:12      99855    --a------    C:\Qoobox\Quarantine\C\WINDOWS\b122.exe.vir
2007-06-16 17:13      86056    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S4\wen2.exe.vir
2007-06-19 01:00      115606    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S2\mwspasrt83122.exe.vir
2007-06-19 05:38      143    --a------    C:\Qoobox\Quarantine\C\Program Files\Messenger\prokyfsov.html.vir
2007-06-20 09:50      229888    --a------    C:\Qoobox\Quarantine\C\Program Files\SSTEM~1\m?iexec.exe.vir
2007-06-20 09:51      111640    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir
2007-06-20 09:55      10838    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\S7\wr620.exe.vir
2007-06-21 09:35      36352    --a------    C:\Qoobox\Quarantine\C\WINDOWS\poolsv.exe.vir
2007-06-21 09:39      10828    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\wr-1-0000077.exe.vir
2007-06-21 09:39      38400    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\svhost.exe.vir
2007-06-21 09:39      38400    --a------    C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
2007-06-21 09:40      109574    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\k11u72.exe.vir
2007-06-21 09:40      186600    --a------    C:\Qoobox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir
2007-06-21 09:40      72704    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\SKS~1\scanregw.exe.vir
2007-06-21 09:41      0    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\err.log.vir
2007-06-21 09:41      34816    --a------    C:\Qoobox\Quarantine\C\WINDOWS\rau001978.exe.vir
2007-06-21 09:41      65536    --a------    C:\Qoobox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir
2007-06-21 20:22      8424    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cs_cache.ini.vir
2007-06-21 21:12      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnoljg.dll.vir
2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\byxvspp.dll.vir
2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\iifdcca.dll.vir
2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkjiij.dll.vir
2007-06-21 21:13      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkklihf.dll.vir
2007-06-21 21:15      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrrppn.dll.vir
2007-06-21 21:15      930    --a------    C:\Qoobox\Quarantine\C\Temp\iee\tmpZTF.log.vir
2007-06-21 21:16      20    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode.vir
2007-06-21 21:16      5    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr.vir
2007-06-23 10:59      32177    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir
2007-06-23 16:35      71680    --a------    C:\Qoobox\Quarantine\C\Program Files\FNTS~1\javaw.exe.vir
2007-06-25 09:00      10828    --a------    C:\Qoobox\Quarantine\C\Program Files\svhost\wr-1-0000077.exe.vir
2007-06-25 09:00      152576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivern.dll.vir
2007-06-25 09:00      1591    --a------    C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-06-25 09:00      2    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wnscpisv32.exe.vir
2007-06-25 09:00      40960    --a------    C:\Qoobox\Quarantine\C\WINDOWS\retadpu77.exe.vir
2007-06-25 09:00      97792    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivern.exe.vir
2007-06-25 09:26      1004    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
2007-06-25 09:26      1098    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
2007-06-25 09:26      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-06-25 09:26      544    --a------    C:\Qoobox\Quarantine\Registry_backups\services_cmdService.reg.cf
2007-06-25 09:26      832    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
2007-06-25 09:26      862    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
2007-06-25 09:26      950    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf


Folder PATH listing
Volume serial number is FCB4-CF60
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOCUME~1
    |   |   \---ALLUSE~1
    |   |       \---APPLIC~1
    |   |           \---WinAntiSpyware 2007
    |   |               \---Data
    |   |                       Abbr.vir
    |   |                       ProductCode.vir
    |   |                       
    |   +---Program Files
    |   |   +---Common Files
    |   |   |   |   Yazzle1122OinUninstaller.exe.vir
    |   |   |   |   
    |   |   |   \---WinAntiSpyware 2007
    |   |   |           err.log.vir
    |   |   |           WAS7Mon.exe.vir
    |   |   |           
    |   |   +---FNTS~1
    |   |   |       javaw.exe.vir
    |   |   |       
    |   |   +---Messenger
    |   |   |       prokyfsov.html.vir
    |   |   |       
    |   |   +---Outerinfo
    |   |   |       OiUninstaller.exe.vir
    |   |   |       outerinfo.ico.vir
    |   |   |       Terms.rtf.vir
    |   |   |       
    |   |   +---poolsv
    |   |   |       k11u72.exe.vir
    |   |   |       svhost.exe.vir
    |   |   |       wr-1-0000077.exe.vir
    |   |   |       YazzleBundle-1549.exe.vir
    |   |   |       
    |   |   +---SSTEM~1
    |   |   |       m?iexec.exe.vir
    |   |   |       
    |   |   \---svhost
    |   |           wr-1-0000077.exe.vir
    |   |           
    |   +---Temp
    |   |   +---0b9
    |   |   |       tmpTF.log.vir
    |   |   |       
    |   |   \---iee
    |   |           tmpZTF.log.vir
    |   |           
    |   \---WINDOWS
    |       |   b122.exe.vir
    |       |   b136.exe.vir
    |       |   cs_cache.ini.vir
    |       |   dls0523pmw.exe.vir
    |       |   poolsv.exe.vir
    |       |   rau001978.exe.vir
    |       |   retadpu77.exe.vir
    |       |   svhost.exe.vir
    |       |   wr.txt.vir
    |       |   
    |       \---system32
    |           |   byxvspp.dll.vir
    |           |   drivern.dll.vir
    |           |   drivern.exe.vir
    |           |   iifdcca.dll.vir
    |           |   jkkjiij.dll.vir
    |           |   jkklihf.dll.vir
    |           |   pmnoljg.dll.vir
    |           |   rqrrppn.dll.vir
    |           |   wnscpisv32.exe.vir
    |           |   
    |           +---o02PrEz
    |           |       o02PrEz1065.exe.vir
    |           |       
    |           +---o09PrEz
    |           |       o09PrEz1099.exe.vir
    |           |       
    |           +---S1
    |           |       bk53.exe.vir
    |           |       
    |           +---S2
    |           |       mwspasrt83122.exe.vir
    |           |       
    |           +---S4
    |           |       wen2.exe.vir
    |           |       
    |           +---S7
    |           |       wr620.exe.vir
    |           |       
    |           \---SKS~1
    |                   scanregw.exe.vir
    |                   
    \---Registry_backups
            LEGACY_CMDSERVICE.reg.cf
            LEGACY_CORE.reg.cf
            LEGACY_DOMAINSERVICE.reg.cf
            LEGACY_NETWORK_MONITOR.reg.cf
            LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
            services_cmdService.reg.cf
            services_DomainService.reg.cf
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {08EEC37C-DD2E-4482-9968-6B794F206B1A} - C:\Program Files\Windows Media Player\hopew43855.dll
O2 - BHO: (no name) - {63196F8F-F73E-8EBD-1A15-F88DBA5181C0} - C:\WINDOWS\system32\daqawhdb.dll
O2 - BHO: (no name) - {661A6EFE-A418-ACEB-4B11-F98DBF2C82CB} - C:\WINDOWS\system32\zafal.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll
O2 - BHO: (no name) - {9E47F351-889C-4FC4-A8BE-2AD9C1EBFBAC} - C:\Program Files\Windows Media Player\hopew83122.dll
O2 - BHO: (no name) - {F3FE5A45-2202-42FB-BCB5-EB28C6EDC5DF} - C:\WINDOWS\system32\oppoo.dll (file missing)
O4 - HKCU\..\Run: [Xhol] "C:\Program Files\s?stem\m?iexec.exe"
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt ndrv


Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\daqawhdb.dll
C:\WINDOWS\system32\3MytCS68.exe
C:\WINDOWS\system32\dreadavk.exe
C:\WINDOWS\system32\ggnsifki.exe
C:\WINDOWS\system32\drivers\FOPN.sys
C:\WINDOWS\qndddsnA.exe
C:\WINDOWS\qndddsn.exe
C:\WINDOWS\system32\pifpaf.pif
C:\WINDOWS\monterreyn_ingen.exe
C:\WINDOWS\system32\monterreyn_ingen.exe
C:\Program Files\Common Files\winctl.dll
C:\WINDOWS\system32\monterreym_ingen.exe
C:\syssoit.exe
C:\WINDOWS\xmlhelper2.dll
C:\Program Files\Windows Media Player\hopew43855.dll
C:\Program Files\Windows Media Player\hopew83122.dll

Folder::
C:\WINDOWS\zfff
C:\Program Files\Common Files\zfff
C:\WINDOWS\VE1QIFdvcmxkd2lkZQ
C:\WINDOWS\system32\msvcr61

Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

(screenshot: Combo-Do.gif)


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
updated logs

"JZeinieh" - 2007-06-26 10:12:36 - ComboFix 07-06-26.8 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\jzeinieh\Desktop\ComboFix-Do.txt

/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\winctl.dll
C:\Program Files\Common Files\zfff
C:\Program Files\Common Files\zfff\zfffa.lck
C:\Program Files\Common Files\zfff\zfffd\class-barrel
C:\Program Files\Common Files\zfff\zfffd\vocabulary
C:\Program Files\Common Files\zfff\zfffh
C:\Program Files\Common Files\zfff\zfffl.lck
C:\Program Files\Common Files\zfff\zfffm.lck
C:\Program Files\Windows Media Player\hopew43855.dll
C:\Program Files\Windows Media Player\hopew83122.dll
C:\syssoit.exe
C:\WINDOWS\qndddsn.exe
C:\WINDOWS\qndddsnA.exe
C:\WINDOWS\system32\daqawhdb.dll
C:\WINDOWS\system32\msvcr61
C:\WINDOWS\system32\msvcr61\cfg.ini
C:\WINDOWS\system32\msvcr61\in
C:\WINDOWS\system32\msvcr61\perflibs__
C:\WINDOWS\system32\msvcr61\red
C:\WINDOWS\system32\pifpaf.pif
C:\WINDOWS\VE1QIFdvcmxkd2lkZQ
C:\WINDOWS\VE1QIFdvcmxkd2lkZQ\pHYkKIxSwAU4xZ54tk.vbs
C:\WINDOWS\zfff
C:\WINDOWS\zfff\wu
C:\WINDOWS\zfff\zfff.dat


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))




HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:35, on 2007-06-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\ComboFix\catchme.cfexe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_HI_Client.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172111006824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
 
complete log

sorry about that

"JZeinieh" - 2007-06-26 13:04:48 - ComboFix 07-06-26.8 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\jzeinieh\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\winctl.dll
C:\WINDOWS\system32\msvcr61
C:\WINDOWS\system32\msvcr61\cfg.ini
C:\WINDOWS\system32\msvcr61\in
C:\WINDOWS\system32\msvcr61\l.dat
C:\WINDOWS\system32\msvcr61\perflibs__
C:\WINDOWS\system32\msvcr61\red


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 10:37 23,552 --a------ C:\op.dll
2007-06-25 09:56 1,156 --a------ C:\WINDOWS\mozver.dat
2007-06-25 09:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-23 19:50 <DIR> d-------- C:\WINDOWS\pss
2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yapta
2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-22 13:22 <DIR> d-------- C:\VundoFix Backups
2007-06-22 13:18 107,520 --a------ C:\VundoFix.exe
2007-06-21 22:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-21 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-21 19:53 <DIR> d-------- C:\hjt
2007-06-21 09:40 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-21 09:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-21 09:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-21 09:40 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-21 09:40 <DIR> d-------- C:\Temp
2007-06-13 11:43 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-05-27 18:41 <DIR> d-------- C:\Program Files\Yapta
2007-05-27 18:41 <DIR> d-------- C:\DOCUME~1\jzeinieh\APPLIC~1\Yapta
2007-05-26 17:11 262,144 --ah----- C:\DOCUME~1\TEMP\NTUSER.DAT
2007-05-26 17:11 <DIR> d--h----- C:\DOCUME~1\TEMP\WLANProfiles


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 14:26:13 -------- d-----w C:\Program Files\Messenger
2007-05-23 19:08:04 -------- d-----w C:\Program Files\Google
2007-05-09 03:23:35 -------- d-----w C:\DOCUME~1\jzeinieh\APPLIC~1\SecondLife
2007-05-09 03:23:22 -------- d-----w C:\Program Files\SecondLife
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-02 19:10:45 199,751 ----a-w C:\WINDOWS\system32\atasnt40.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-22 12:05]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-05-22 12:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Visual Studio .NET Components"="msvcr61.exe" [2007-06-26 13:06 C:\WINDOWS\system32\.]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:32]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 14:49]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 09:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\faxctrl.exe" [2002-07-24 18:57]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 12:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)
"NoAutoUpdate"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{009541A0-3B00-1F1C-00F3-040224009C02}"="C:\Program Files\Common Files\winctl.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1219070818-4200922009-2982726761-329357\Scripts\Logon\0\0]
"Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\0\0]
"Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\1\0]
"Script"=\\prod.corp.ad\NETLOGON\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


Contents of the 'Scheduled Tasks' folder
2007-06-26 14:01:34 C:\WINDOWS\tasks\At10.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 13:06:39
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\msvcr61.dll
C:\WINDOWS\system32\msvcr61.exe

scan completed successfully
hidden files: 2

**************************************************************************

Completion time: 2007-06-26 13:07:15
C:\ComboFix-quarantined-files.txt ... 2007-06-26 13:07
C:\ComboFix2.txt ... 2007-06-26 09:45
C:\ComboFix3.txt ... 2007-06-25 14:59

--- E O F ---
 
Hi

Have you installed this by yourself?

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Open HijackThis, click do a system scan only and checkmark this:

O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

* Download GMER from here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply along with a fresh HijackThis log.
 
gmer - part one (size limitations)

Yes, winvnc is something I installed.

IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] [10002DBC] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\system32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] [10002DBC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtResumeThread] [10003269] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] [100032F2] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!RtlGetNativeSystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\RPCRT4.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\System32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\System32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] [10002DBC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\System32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\System32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [100031CB] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [1000322D] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [10003116] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [100031FC] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW]
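Reading a GMER dump of this size by hand is slow, so here is an added Python helper (not part of the thread, and not GMER's or ComboFix's own code) that parses lines in the IAT format above, groups the hooked imports by the module the hooks point into, and flags any module that redirects both NTDLL enumeration calls that catchme named in the ComboFix log. The sample lines are constructed in the posted format, and the "both enumeration calls" rule is an assumed heuristic, not something GMER reports.

```python
import re
from collections import defaultdict

# One GMER "IAT" line, in the layout seen in the posted log:
#   IAT <process>[<pid>] @ <module whose import table is patched>
#       [<import dll>!<function>] [<hook address>] <module the hook points into>
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<import_dll>[^!\]]+)!(?P<function>[^\]]+)\]\s+"
    r"\[(?P<address>[0-9A-Fa-f]+)\]\s+(?P<hooker>.+?)\s*$"
)

# The two NTDLL calls that process listing and directory listing go through.
# catchme's "detected NTDLL code modification" line in the ComboFix log named
# exactly these two; treating a module that redirects both as suspicious is
# an assumed heuristic for this example, not a GMER verdict.
HIDING_FUNCTIONS = frozenset({"NtQuerySystemInformation", "NtQueryDirectoryFile"})

# Constructed sample: a few lines in the format of the posted GMER output,
# plus one non-IAT record type to show that it is skipped.
SAMPLE_LOG = r"""
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [1000324B] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\system32\msvcr61.dll
IAT C:\Program Files\iPod\bin\iPodService.exe[2180] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] [10002DBC] C:\WINDOWS\system32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] [100032F2] C:\WINDOWS\System32\msvcr61.dll
IAT C:\WINDOWS\system32\alg.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQuerySystemInformation] [10002DA3] C:\WINDOWS\System32\msvcr61.dll
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8669980] mvstdi5x.sys
"""


def parse_iat_lines(text):
    """Return one dict per IAT line; lines of other GMER record types are skipped."""
    records = []
    for raw in text.splitlines():
        m = IAT_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records


def hooks_by_module(records):
    """Map hooking module (lower-cased path) -> {process[pid] -> set of hooked imports}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for r in records:
        proc = f'{r["process"]}[{r["pid"]}]'
        grouped[r["hooker"].lower()][proc].add(f'{r["import_dll"]}!{r["function"]}')
    return grouped


def suspicious_hookers(records):
    """Hooking modules that redirect every call in HIDING_FUNCTIONS (heuristic)."""
    seen = defaultdict(set)
    for r in records:
        if r["function"] in HIDING_FUNCTIONS:
            seen[r["hooker"].lower()].add(r["function"])
    return {mod: funcs for mod, funcs in seen.items() if funcs == HIDING_FUNCTIONS}


def report(text):
    """Summary lines for a GMER dump: one header, then each hooking module and its victims."""
    records = parse_iat_lines(text)
    grouped = hooks_by_module(records)
    flagged = suspicious_hookers(records)
    lines = [f"{len(records)} IAT entries, {len(grouped)} hooking module(s)"]
    for mod in sorted(grouped):
        tag = "SUSPICIOUS" if mod in flagged else "review"
        lines.append(f"[{tag}] {mod}")
        for proc in sorted(grouped[mod]):
            lines.append(f"    {proc}: {', '.join(sorted(grouped[mod][proc]))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the posted log every hooked import points into msvcr61.dll, the same file catchme listed as hidden, so the grouping collapses hundreds of lines into one module to investigate.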
 
gmer part 2 of 3

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION
 
gmer part 3 of 3.5

[F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE
 
gmer final piece and hjt log

[F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F86699A0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F8669A00] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F86699E0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F86699C0] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F8669400] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F8669400] mvstdi5x.sys

---- Files - GMER 1.0.13 ----

File C:\WINDOWS\system32\msvcr61
File C:\WINDOWS\system32\msvcr61\cfg.ini
File C:\WINDOWS\system32\msvcr61\in
File C:\WINDOWS\system32\msvcr61\l.dat
File C:\WINDOWS\system32\msvcr61\perflibs__
File C:\WINDOWS\system32\msvcr61\red
File C:\WINDOWS\system32\msvcr61.dll
File C:\WINDOWS\system32\msvcr61.exe

---- EOF - GMER 1.0.13 ----

Logfile of HijackThis v1.99.1
Scan saved at 11:26:08 AM, on 6/27/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jzeinieh\Desktop\gmer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_HI_Client.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172111006824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
 
Hi

Looks like there are baddies.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link --> Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\WINDOWS\system32\msvcr61.dll

Please post back the results of the scan in your next post.

Do the same for C:\WINDOWS\system32\msvcr61.exe

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html
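The helper above picks msvcr61.dll and msvcr61.exe out of the log by eye. As an added example (not code from this thread, from HijackThis or from GMER), the Python script below applies the same kind of checks mechanically to log lines copied from the posts above: O4 Run entries whose command is a bare file name rather than a full path, O2/O3/O21/O23 load points whose file is reported missing, O16 ActiveX downloads that carry no control name, and GMER AttachedDevice lines grouped by device so the driver file sitting on the TCP/IP stack is named once instead of buried in 200 lines. The function names and the heuristics are my own; a finding is a prompt to hash, scan and check the signer of the named file, exactly as the helper asks, not a verdict on it.

```python
"""Mechanical triage of HijackThis and GMER log lines (constructed example)."""
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the logs posted in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - (no file)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
"""

# Constructed sample: one AttachedDevice line per device object from the GMER log.
SAMPLE_GMER = r"""
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F8669980] mvstdi5x.sys
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# AttachedDevice <driver object> <device object> <IRP major> [<address>] <driver file>
GMER_RE = re.compile(
    r'^AttachedDevice (?P<drv>\\\S+) (?P<dev>\\Device\\\S+) '
    r'(?P<irp>IRP_MJ_\w+) \[(?P<addr>[0-9A-F]+)\] (?P<file>\S+)$')


def triage_hjt(text):
    """Return a list of (line, reason) for HijackThis lines worth a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd')
            # A bare file name is resolved by the PATH search at logon, so the
            # log does not tell you which file actually runs; locate it first.
            if not (cmd.startswith('"') or re.match(r'^[A-Za-z]:\\', cmd)):
                findings.append((line, 'O4 Run entry without a full path: ' + cmd.split()[0]))
            continue
        if line.startswith(('O2 ', 'O3 ', 'O21 ', 'O23 ')) and (
                '(no file)' in line or '(file missing)' in line):
            # An orphaned load point: either leftovers of a removal or a file
            # that is hidden from the scanner. Either way, verify on disk.
            findings.append((line, 'load point refers to a file not found on disk'))
            continue
        if line.startswith('O16 ') and not re.search(r'\} \([^)]*\) - ', line):
            # DPF entries normally carry the control's name in parentheses.
            findings.append((line, 'O16 ActiveX download without a control name'))
            continue
        if line.startswith('O23 ') and 'Unknown owner' in line:
            findings.append((line, 'service without a vendor string'))
    return findings


def attached_drivers(text):
    """Map each device object in a GMER log to the set of driver files attached to it."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = GMER_RE.match(line.strip())
        if m:
            out[m.group('dev')].add(m.group('file'))
    return dict(out)


def sole_attached_driver(text):
    """Return the one driver file attached to every device, or None if it is not unique."""
    per_device = attached_drivers(text)
    files = set().union(*per_device.values()) if per_device else set()
    return next(iter(files)) if len(files) == 1 else None


if __name__ == '__main__':
    for line, reason in triage_hjt(SAMPLE_HJT):
        print(f'{reason}\n    {line}')
    print('driver on the TCP/IP stack:', sole_attached_driver(SAMPLE_GMER))
```

Run as a script it prints four HijackThis findings (the bare `msvcr61.exe` Run value, the unnamed drivecleaner download, the WinCTL entry with no file, and the VNC service) and names `mvstdi5x.sys` as the single file attached to \Device\Ip, \Device\Tcp, \Device\Udp and \Device\RawIp. The script deliberately does not whitelist by name: a file called msvcr61.exe in the Run key looks like a Microsoft runtime but is in an unusual place for one, and that mismatch is exactly what the Jotti/VirusTotal step resolves.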
 
Hi

Ok, then we do this:

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\msvcr61.dll
C:\WINDOWS\system32\msvcr61.exe

Folder::
C:\WINDOWS\system32\msvcr61

Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: Combo-Do.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Those files should be now here -> C:\Qoobox\Quarantine\C\WINDOWS\system32\

Upload them to virustotal/jotti, if you can find them.
 
new HJT log - still can't find the files for jotti

Logfile of HijackThis v1.99.1
Scan saved at 09:36, on 2007-06-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Visual Studio .NET Components] msvcr61.exe /setup /all
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {1230921A-10E7-44F9-A31F-DA7E811FB3A6} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C1DE932-8D89-4C07-BF9C-D8627EDB4849} (Siebel High Interactivity Framework) - http://crm.beacon.tmp.com/sales_enu/18372/applets/SiebelAx_HI_Client.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172111006824
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\Software\..\Telephony: DomainName = prod.corp.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prod.corp.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = prod.corp.ad
O21 - SSODL: WinCTL - {009541A0-3B00-1F1C-00F3-040224009C02} - C:\Program Files\Common Files\winctl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
 
new combofix log

ComboFix 07-06-18.2 - C:\Documents and Settings\jzeinieh\Desktop\ComboFix.exe
"JZeinieh" - 2007-06-28 9:32:07 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\jzeinieh\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\msvcr61
C:\WINDOWS\system32\msvcr61\cfg.ini
C:\WINDOWS\system32\msvcr61\in
C:\WINDOWS\system32\msvcr61\l.dat
C:\WINDOWS\system32\msvcr61\perflibs__
C:\WINDOWS\system32\msvcr61\red


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-27 11:09 23,552 --a------ C:\Program Files\Common Files\winctl.dll
2007-06-25 09:56 1,156 --a------ C:\WINDOWS\mozver.dat
2007-06-25 09:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-23 19:50 <DIR> d-------- C:\WINDOWS\pss
2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yapta
2007-06-23 10:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-06-22 13:22 <DIR> d-------- C:\VundoFix Backups
2007-06-22 13:18 107,520 --a------ C:\VundoFix.exe
2007-06-21 22:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-21 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-21 19:53 <DIR> d-------- C:\hjt
2007-06-21 09:40 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-21 09:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-21 09:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-06-21 09:40 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-21 09:40 <DIR> d-------- C:\Temp
2007-06-13 11:43 <DIR> d-------- C:\WINDOWS\SxsCaPendDel


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 14:26:13 -------- d-----w C:\Program Files\Messenger
2007-06-24 00:24:39 -------- d-----w C:\Program Files\Yapta
2007-05-27 23:41:17 -------- d-----w C:\DOCUME~1\jzeinieh\APPLIC~1\Yapta
2007-05-23 19:08:04 -------- d-----w C:\Program Files\Google
2007-05-09 03:23:35 -------- d-----w C:\DOCUME~1\jzeinieh\APPLIC~1\SecondLife
2007-05-09 03:23:22 -------- d-----w C:\Program Files\SecondLife
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-02 19:10:45 199,751 ----a-w C:\WINDOWS\system32\atasnt40.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-05-22 12:05]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-05-22 12:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Visual Studio .NET Components"="msvcr61.exe" [2007-06-28 09:34 C:\WINDOWS\system32\.]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:32]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 14:49]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 09:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
"RightFAX Print-to-Fax Driver"="C:\Program Files\RightFax\faxctrl.exe" [2002-07-24 18:57]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 12:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)
"NoAutoUpdate"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{009541A0-3B00-1F1C-00F3-040224009C02}"="C:\Program Files\Common Files\winctl.dll" [2007-06-26 10:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1219070818-4200922009-2982726761-329357\Scripts\Logon\0\0]
"Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\0\0]
"Script"=\\prod.corp.ad\SysVol\prod.corp.ad\scripts\prod_users.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1650719277-3554570390-3493197080-4155\Scripts\Logon\1\0]
"Script"=\\prod.corp.ad\NETLOGON\Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


Contents of the 'Scheduled Tasks' folder
2007-06-28 14:00:01 C:\WINDOWS\tasks\At10.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 09:34:22
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\msvcr61.dll
C:\WINDOWS\system32\msvcr61.exe

scan completed successfully
hidden files: 2

**************************************************************************

Completion time: 2007-06-28 9:34:57
C:\ComboFix-quarantined-files.txt ... 2007-06-28 09:34
C:\ComboFix2.txt ... 2007-06-26 13:07
C:\ComboFix3.txt ... 2007-06-26 09:45

--- E O F ---
 
Hi

Yes, that rootkit looks stubborn.

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\system32\msvcr61.dll
Now click Delete
Also do that with these files:

C:\WINDOWS\system32\msvcr61.exe
C:\Program Files\Common Files\winctl.dll

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer

Re-run ComboFix like before (with that same ComboFix-Do.txt)

Post:

- a fresh HijackThis log
- gmer log
- combofix report
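The helper's call that this is a rootkit rests on two lines of the report: catchme found NTDLL hooks on the directory and process enumeration calls, and it found files that the normal API could not see. As an added example (not a tool from this thread), the Python below pulls those findings out of a ComboFix report and flags any Run-key autostart that resolves to one of the hidden files; the excerpt is constructed from the report above, and the Run-key layout it parses is assumed from the "Reg Loading Points" section.

```python
"""Correlate catchme hidden-file findings with Run-key autostarts in a ComboFix report."""
import re

# Constructed excerpt modelled on the ComboFix report posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Visual Studio .NET Components"="msvcr61.exe" [2007-06-28 09:34 C:\WINDOWS\system32\.]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 14:49]

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden files ...

C:\WINDOWS\system32\msvcr61.dll
C:\WINDOWS\system32\msvcr61.exe

scan completed successfully
hidden files: 2
"""

# One Run-key value line: "name"="value" [timestamp and, for bare names, the resolved folder]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')

def parse_catchme(text):
    """Return (hooked NTDLL functions, hidden file paths) from the catchme section."""
    hooks, hidden = [], []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("detected NTDLL code modification:"):
            hooks = [h.strip() for h in lines[i + 1].split(",") if h.strip()]
        elif line.startswith("scanning hidden files"):
            for entry in lines[i + 1:]:
                if entry.startswith("scan completed"):
                    break
                if re.match(r"^[A-Za-z]:\\", entry):  # drive-letter path
                    hidden.append(entry.strip())
    return hooks, hidden

def parse_run_entries(text):
    """Return (name, full path) for each value under a ...\\Run key."""
    entries, in_run = [], False
    for line in text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\run")
            continue
        if not line.strip():
            in_run = False
        m = RUN_RE.match(line) if in_run else None
        if not m:
            continue
        value, meta = m.group("value"), m.group("meta") or ""
        if "\\" not in value:  # bare file name: ComboFix appends the folder it resolved to
            parts = meta.split(" ", 2)
            folder = parts[2].rstrip(".").rstrip("\\") if len(parts) == 3 else ""
            value = folder + "\\" + value if folder else value
        entries.append((m.group("name"), value))
    return entries

def suspicious_autostarts(text):
    """Run-key entries whose target is one of the files catchme reported as hidden."""
    hidden = {h.lower() for h in parse_catchme(text)[1]}
    return [(n, p) for n, p in parse_run_entries(text) if p.lower() in hidden]
```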
 