Smitfraud-C problems

I

isiac

New member
Hello. After struggling with this a while I decided to take it here.

I've been using the latest (updated today) Spybot S&D and it tells me to come here as well.

Here's the log from Merijn's HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:09 PM, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Shuttle\XPC Tools\XPCTools.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\WINDOWS\bittorrent.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE
E:\Program Files\HISP\TortoiseSVN\bin\TSVNCache.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\Program Files\Postgres\bin\pg_ctl.exe
E:\WINDOWS\system32\spoo1v.exe
E:\Program Files\Postgres\bin\postmaster.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\Winamp\winamp.exe
E:\Documents and Settings\Eivind\Desktop\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.7322.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - E:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [XPC Tools] E:\Program Files\Shuttle\XPC Tools\XPCTools.exe RunOnStart
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Bittorrent] E:\WINDOWS\bittorrent.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jliuadmv] "E:\WINDOWS\system32\Rundll32.exe" "E:\WINDOWS\system32\cdnprh.dll",Start
O4 - HKLM\..\Run: [PRISMSVR.EXE] "E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IdnSvr] E:\Program Files\OCINS\idnsvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: 3Com Wireless 11g USB Adapter.lnk = E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Access Internet Keyword - E:\Program Files\OCINS\cnrbtn.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DHIS2 (Jetty) (DHIS2JETTY) - Unknown owner - c:\dhis2\jetty\extra\win32\Wrapper.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - Unknown owner - E:\Program Files\Postgres\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "E:\Program Files\Postgres\data\ (file missing)
O23 - Service: Windows Management Prints System (spoo1v) - Unknown owner - E:\WINDOWS\SYSTEM32\spoo1v.exe


I did a eTrust Antivirus Web Scanner-scan as well, but I never found a log. It did find 3 viruses though:

bind_50104.exe Win32/DlQQHelp!generic infected E:\Documents and Settings\Eivind\
bittorrent.exe Win32/RJump.E infected E:\WINDOWS\
fvubc.dll Win32/QQHelp.DT infected E:\WINDOWS\system32\

Thing is, or what it has seemed to me, no matter how many times I remove things with Spybot S&D or Ad-aware they always seem to come back in various versions, but Smitfraud-C is always there. Can it be the root of everything?

Thank you so much for any help. :)
 
Hey, and thanks again. Here is the log you requested.


--- Report generated: 2007-08-12 13:34 ---

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\AYimcnGuAR==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\R29udIW0AYKKAB==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\R29vAmWxAHG0AWSqcXV=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\S3WqAB==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5RXO0VH9qcoSKcnSmfD0=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5RXO0VH9qcoSKcnSmfD1kc25n

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5RXO0VH9qcoSKcnSmfD1qcnqmZ3Si

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5RXO0VH9qcoSKcnSmfD1zeX4=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5V3SidoSVbX1mMR==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5V3SidoSVbX1mMXmvbnWkeHF=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5V3SidoSVbX1mMXOwcnZ=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5V3SidoSVbX1mMYK1ch==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lMR==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lMXmvbnWkeHF=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lMXOwcnZ=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lMYK1ch==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lR291coRu

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lR291coRubX5rAXO0ZR==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lR291coRudoWv

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lR291coRuZ29vAh==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lRXO0UoWuMR==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lRXO0UoWuMXmvbnWkeHF=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lRXO0UoWuMXOwcnZ=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lRXO0UoWuMYK1ch==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lTX5lAYhu

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lTX5lAYhubX5rAXO0ZR==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lTX5lAYhudoWv

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VHWzbX9lTX5lAYhuZ29vAh==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VnWndnWabGOmdnmicD0=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VnWndnWabGOmdnmicD1kc25n

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VnWndnWabGOmdnmicD1qcnqmZ3Si

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\SHG5VHWzbX9lMx==SHG5VnWndnWabGOmdnmicD1zeX4=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\V2OwdnVwcHW2AXx=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\V2OwdnVwd3CwdoSa

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\V2OwdnVwd3SwZ2t=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\V3SidoSVbX1mMx==Snmzd3SUeHGzeB==

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\WHizAXGlTXR=

Smitfraud-C.KooWo: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\directoutput\Z29vAn5icXV=

WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-08-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-08 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-08 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-08 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-08 Includes\KeyloggersC.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-08 Includes\MalwareC.sbi (*)
2007-08-08 Includes\PUPS.sbi (*)
2007-08-08 Includes\PUPSC.sbi (*)
2007-08-08 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-08 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-08 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-08-01 Includes\Trojans.sbi (*)
2007-08-08 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
 
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

E:\WINDOWS\system32\spoo1v.exe

Please post back the results of the scan in your next post.

Repeat step for:

E:\WINDOWS\system32\cdnprh.dll
E:\Program Files\OCINS\idnsvr.exe

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Last edited:
File: spoo1v.exe
Status:
INFECTED/MALWARE
MD5: 0ec872032f58dc3f9543147a2652810c
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 12 Aug 2007 13:19:33 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Inservice
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan.Inservice
--------------------------------

File: cdnprh.dll
Status:
INFECTED/MALWARE
MD5: 9f30a629d4814997eaa582afbaa25ee3
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 12 Aug 2007 13:21:42 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.Agent.6144.2
ArcaVir
Found nothing
Avast
Found Win32:Agent-JVP
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Downloader.Agent.AOG
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.DownLoader.28041
F-Prot Antivirus
Found Possibly a new variant of W32/Downloader-Sml-based!Maximus
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found Trojan.Win32.Agent.igm
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
-------------------------------------------------

File: idnsvr.exe
Status:
INFECTED/MALWARE
MD5: 2312b02cf8c50bc32cdb0686a9c3ac96
Packers detected:
-
Bit9 reports: Not analyzed yet (more info)
Scanner results
Scan taken on 12 Aug 2007 13:23:57 (GMT)
A-Squared
Found nothing
AntiVir
Found ADSPY/BDSearch.CBT
ArcaVir
Found nothing
Avast
Found Win32:Adware-gen.
AVG Antivirus
Found Generic2.DMG
BitDefender
Found Adware.CDN.AR
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found Adware/Bdsearch
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
 
Hi

Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

E:\WINDOWS\system32\spoo1v.exe
E:\WINDOWS\system32\cdnprh.dll
E:\Program Files\OCINS\idnsvr.exe

Go to spykiller

Press new topic, make threads title "Files for Shaba"
Include to your message a link to here, then attach the cab/zip file to your message and post the topic
If you cant locate it through the browse button just copy/paste the filename and path.

Reply when you have done it, we'll continue then :)
 
Hi

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that:

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.7322.com/ <--- unless it is our wanted start page
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/si...search-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/cu...search-en.html
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - E:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Bittorrent] E:\WINDOWS\bittorrent.exe
O4 - HKLM\..\Run: [jliuadmv] "E:\WINDOWS\system32\Rundll32.exe" "E:\WINDOWS\system32\cdnprh.dll",Start
O4 - HKLM\..\Run: [IdnSvr] E:\Program Files\OCINS\idnsvr.exe
O23 - Service: Windows Management Prints System (spoo1v) - Unknown owner - E:\WINDOWS\SYSTEM32\spoo1v.exe

Close all windows including browser and press fix checked.

Reboot.

Delete these:

E:\Documents and Settings\All Users\Application Data\Microsoft\PCTools
E:\WINDOWS\bittorrent.exe
E:\WINDOWS\system32\cdnprh.dll
E:\Program Files\OCINS
E:\WINDOWS\SYSTEM32\spoo1v.exe
E:\Documents and Settings\Eivind\bind_50104.exe
E:\WINDOWS\system32\fvubc.dll

Empty Recycle Bin

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
 
I was denied when trying to delete some of the files that I was asked to delete. However, here are the new logs.

Logfile of HijackThis v1.99.1
Scan saved at 6:06:52 PM, on 08/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\Program Files\Postgres\bin\pg_ctl.exe
E:\WINDOWS\system32\spoo1v.exe
E:\Program Files\Postgres\bin\postmaster.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Shuttle\XPC Tools\XPCTools.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\HISP\TortoiseSVN\bin\TSVNCache.exe
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE
E:\Program Files\iPod\bin\iPodService.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\taskmgr.exe
E:\Documents and Settings\Eivind\Desktop\downloads\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [XPC Tools] E:\Program Files\Shuttle\XPC Tools\XPCTools.exe RunOnStart
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: 3Com Wireless 11g USB Adapter.lnk = E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DHIS2 (Jetty) (DHIS2JETTY) - Unknown owner - c:\dhis2\jetty\extra\win32\Wrapper.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - Unknown owner - E:\Program Files\Postgres\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "E:\Program Files\Postgres\data\ (file missing)
O23 - Service: Windows Management Prints System (spoo1v) - Unknown owner - E:\WINDOWS\SYSTEM32\spoo1v.exe

--------------------
ComboFix 07-08-09.3 - "Eivind" 2007-08-12 17:47:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1483 [GMT 2:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\DOCUME~1\ALLUSE~1\APPLIC~1.\microsoft\pctools
E:\DOCUME~1\ALLUSE~1\APPLIC~1.\microsoft\pctools\pctools.dll
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1003.dat
E:\DOCUME~1\Eivind\APPLIC~1\..\ravmonlog
E:\DOCUME~1\Eivind\LOCALS~1\APPLIC~1.\baidu
E:\Program Files\baidu
E:\Program Files\baidu\bar\bang.ini
E:\Program Files\baidu\bar\BDBar_tmp\BaiduBar.dll
E:\Program Files\baidu\bar\img\imglist.bmp
E:\Program Files\baidu\bar\img\logo.bmp
E:\Program Files\baidu\bar\loadmovie.swf
E:\Program Files\Common Files\system\updaterun.exe
E:\Program Files\OCINS\austr.dll
E:\Program Files\OCINS\cndsv.dll
E:\Program Files\OCINS\cnprovh.dll
E:\Program Files\OCINS\cnstc.ini
E:\Program Files\OCINS\config.exe
E:\Program Files\OCINS\convf.dll
E:\Program Files\OCINS\convs.dll
E:\Program Files\OCINS\ctrcfg.ini
E:\Program Files\OCINS\cuscfg.dat
E:\Program Files\OCINS\idnaux.dat
E:\Program Files\OCINS\idnsvr.dll
E:\Program Files\OCINS\idnsvr.exe
E:\Program Files\OCINS\ieaux.dll
E:\Program Files\OCINS\kwacs.dat
E:\Program Files\OCINS\kwrep.dat
E:\Program Files\OCINS\ocinfo.dat
E:\Program Files\OCINS\path.dat
E:\Program Files\OCINS\uninstall.exe
E:\Program Files\OCINS\update\version.dat
E:\Program Files\OCINS\usrcfg.ini
E:\Program Files\OCINS\version.dat
E:\WINDOWS\system32\advport.dll
E:\WINDOWS\system32\BDGuard.DAT
E:\WINDOWS\system32\BDGuardS.DAT
E:\WINDOWS\system32\cnprov.dat
E:\WINDOWS\system32\d3d1caps.srg
E:\WINDOWS\system32\drivers\acpidisk.sys
E:\WINDOWS\system32\drivers\cnprov.sys
E:\WINDOWS\system32\drivers\etluc.sys
E:\WINDOWS\system32\iexp_log.txt
E:\WINDOWS\system32\mprmsgse.axz
E:\WINDOWS\system32\score.txt
E:\WINDOWS\system32\wbem\ocmor.dll
E:\WINDOWS\temp\~my1.tmp


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CNPROV
-------\LEGACY_MERCHA2
-------\LEGACY_TECH
-------\cnprov
-------\Mercha2
-------\Tech


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 17:58 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\TD
2007-08-12 17:46 51,200 --a------ E:\WINDOWS\nircmd.exe
2007-08-06 21:46 261,480 --a------ E:\WINDOWS\system32\xactengine2_7.dll
2007-08-06 21:45 443,752 --a------ E:\WINDOWS\system32\d3dx10_33.dll
2007-08-06 21:45 3,495,784 --a------ E:\WINDOWS\system32\d3dx9_33.dll
2007-08-06 21:45 255,848 --a------ E:\WINDOWS\system32\xactengine2_6.dll
2007-08-06 21:45 1,123,696 --a------ E:\WINDOWS\system32\D3DCompiler_33.dll
2007-08-03 23:21 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Prism
2007-08-03 23:18 15,781 --a------ E:\WINDOWS\system32\drivers\mdc8021x.sys
2007-08-03 23:18 <DIR> d-------- E:\Program Files\3Com
2007-08-03 23:15 344,096 --a------ E:\WINDOWS\system32\drivers\3C254G50.sys
2007-08-03 23:15 225,280 --a------ E:\WINDOWS\system32\CCU3C254.exe
2007-08-03 23:15 16,834 --a------ E:\WINDOWS\system32\CCU3C254.dll
2007-08-03 23:15 <DIR> d-------- E:\Program Files\stuff
2007-08-01 01:55 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-31 20:52 <DIR> d-------- E:\Program Files\Zoom Player
2007-07-26 02:34 <DIR> d-------- E:\DOCUME~1\Eivind\APPLIC~1\My Games
2007-07-25 18:09 <DIR> d-------- E:\DOCUME~1\Eivind\APPLIC~1\Lionhead Studios
2007-07-25 17:53 <DIR> d-------- E:\Program Files\The Movies
2007-07-25 17:53 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Lionhead Studios
2007-07-25 03:53 <DIR> d-------- E:\Program Files\uTorrent
2007-07-25 03:53 <DIR> d-------- E:\DOCUME~1\Eivind\APPLIC~1\uTorrent
2007-07-20 00:03 24,576 --------- E:\WINDOWS\UniFISH.exe
2007-07-19 20:19 <DIR> d-------- E:\Program Files\BlackIsle
2007-07-19 19:42 52,736 --a------ E:\WINDOWS\ipuninst.exe
2007-07-19 19:42 <DIR> d-------- E:\Program Files\Interplay


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 14:22 9344 --a------ E:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 14:22 8320 --a------ E:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 18:27 --------- d-------- E:\DOCUME~1\Eivind\APPLIC~1\dvdcss
2007-08-06 21:51 --------- d--h----- E:\Program Files\InstallShield Installation Information
2007-07-25 18:06 163644 --a------ E:\WINDOWS\system32\drivers\secdrv.sys
2007-07-25 03:53 --------- d-------- E:\DOCUME~1\Eivind\APPLIC~1\Azureus
2007-07-24 17:16 --------- d-------- E:\Program Files\Azureus
2007-07-04 16:56 8 --a------ E:\WINDOWS\ocinfo.dat
2007-07-01 16:09 173348 --a------ E:\WINDOWS\system32\drivers\mxdispdr.sys
2007-07-01 14:15 --------- d-------- E:\DOCUME~1\Eivind\APPLIC~1\Apple Computer
2007-06-20 18:55 --------- d-------- E:\Program Files\Winamp
2007-06-17 16:33 --------- d-------- E:\Program Files\winstat
2007-06-14 20:19 --------- d-------- E:\Program Files\Lavasoft
2007-06-14 20:19 --------- d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-06-14 17:22 --------- d-------- E:\Program Files\iTunes
2007-06-14 17:22 --------- d-------- E:\Program Files\iPod
2007-06-14 17:21 --------- d-------- E:\Program Files\QuickTime
2007-06-07 00:27 1302 --a------ E:\WINDOWS\mozver.dat
2007-05-30 16:28 188416 --a------ E:\WINDOWS\system32\spoo1v.exe
2007-05-16 17:12 86528 --a--c--- E:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:12 85504 --a--c--- E:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:12 683520 --a--c--- E:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:12 683520 --a------ E:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:12 510976 --a--c--- E:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:12 1314816 --a--c--- E:\WINDOWS\system32\dllcache\msoe.dll
2007-03-30 21:38 19552 --a------ E:\DOCUME~1\Eivind\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2006-11-07 00:55]
"nwiz"="nwiz.exe" [2006-11-07 00:55 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2006-11-07 00:55]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 18:23 E:\WINDOWS\RTHDCPL.exe]
"XPC Tools"="E:\Program Files\Shuttle\XPC Tools\XPCTools.exe" [2006-09-04 16:43]
"WinampAgent"="E:\Program Files\Winamp\winampa.exe" [2004-12-20 20:41]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40]
"NVIDIA nTune"="E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2006-10-31 08:27]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"PRISMSVR.EXE"="E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.exe" [2004-04-26 14:26]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-12 17:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
3Com Wireless 11g USB Adapter.lnk - E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe [2004-09-15 15:23:50]
Hurtigstart for Adobe Reader.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

R2 mxdispdr;mxdispdr;\??\E:\WINDOWS\system32\drivers\mxdispdr.sys
R2 pgsql-8.1;PostgreSQL Database Server 8.1;"E:\Program Files\Postgres\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "E:\Program Files\Postgres\data\"
R3 NVR0Dev;NVR0Dev;\??\E:\WINDOWS\nvoclock.sys
R3 XPCDriver;XPCDriver;\??\E:\WINDOWS\system32\drivers\XPCDriver.sys
S0 etluc;etlu;E:\WINDOWS\system32\DRIVERS\etluc.sys
S3 3Com_A02;3com Driver;E:\WINDOWS\system32\DRIVERS\3C254G50.sys
S3 DHIS2JETTY;DHIS2 (Jetty);c:\dhis2\jetty\extra\win32\Wrapper.exe -s c:\dhis2\jetty\\extra\win32\wrapper.conf
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;E:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 RivaTuner32;RivaTuner32;\??\E:\Program Files\RivaTuner v2.0 Final Release\RivaTuner32.sys
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;E:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ef62ab4-bd17-11db-b3b8-00301bbc08d9}]
Auto\command- bittorrent.exe e
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39554214-83ad-11db-b388-00301bbc08d9}]
Auto\command- K:\bittorrent.exe e
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 17:58:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 17:59:59 - machine was rebooted
E:\ComboFix-quarantined-files.txt ... 2007-08-12 17:59

--- E O F ---
 
Hi


Please click Start > Run and type in: services.msc
Click OK
In the Services window find: Windows Management Prints System (spoo1v)
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Now, go to Start > Run, and copy/paste the following into the Open box:
sc delete spoo1v
Click: OK

Reboot

Delete this:

E:\WINDOWS\SYSTEM32\spoo1v.exe

Empty Recycle Bin

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

E:\WINDOWS\system32\drivers\XPCDriver.sys

Please post back the results of the scan in your next post along with a fresh HijackThis log.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Last edited:
File: XPCDriver.sys
Status:
OK
MD5: 42e13704d11b7e4bab7b18b6349f904f
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Aug 2007 19:05:50 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
 
Logfile of HijackThis v1.99.1
Scan saved at 7:46:59 PM, on 08/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\Program Files\Postgres\bin\pg_ctl.exe
E:\Program Files\Postgres\bin\postmaster.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Shuttle\XPC Tools\XPCTools.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\HISP\TortoiseSVN\bin\TSVNCache.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
E:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\Grisoft\AVG7\avgwb.dat
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\Winamp\winamp.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Games\Half-Life 2\Steam.exe
E:\Documents and Settings\Eivind\Desktop\downloads\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [XPC Tools] E:\Program Files\Shuttle\XPC Tools\XPCTools.exe RunOnStart
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: 3Com Wireless 11g USB Adapter.lnk = E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DHIS2 (Jetty) (DHIS2JETTY) - Unknown owner - c:\dhis2\jetty\extra\win32\Wrapper.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - Unknown owner - E:\Program Files\Postgres\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "E:\Program Files\Postgres\data\ (file missing)
 
Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Driver::
etluc

Save this as "CFScript"

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
- combofix report
 
Hey again!

Logfile of HijackThis v1.99.1
Scan saved at 11:12:14 PM, on 08/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\Program Files\Postgres\bin\pg_ctl.exe
E:\Program Files\Postgres\bin\postmaster.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\Program Files\Postgres\bin\postgres.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Shuttle\XPC Tools\XPCTools.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\HISP\TortoiseSVN\bin\TSVNCache.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Games\Half-Life 2\Steam.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\Eivind\Desktop\downloads\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [XPC Tools] E:\Program Files\Shuttle\XPC Tools\XPCTools.exe RunOnStart
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: 3Com Wireless 11g USB Adapter.lnk = E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\Poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DHIS2 (Jetty) (DHIS2JETTY) - Unknown owner - c:\dhis2\jetty\extra\win32\Wrapper.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - Unknown owner - E:\Program Files\Postgres\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "E:\Program Files\Postgres\data\ (file missing)
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 13, 2007 11:11:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/08/2007
Kaspersky Anti-Virus database records: 379650
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 186175
Number of viruses found: 5
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 02:43:14

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP289\change.log Object is locked skipped
E:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Prism\90873ff0 Object is locked skipped
E:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\cert8.db Object is locked skipped
E:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\formhistory.dat Object is locked skipped
E:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\history.dat Object is locked skipped
E:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\key3.db Object is locked skipped
E:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\parent.lock Object is locked skipped
E:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\search.sqlite Object is locked skipped
E:\Documents and Settings\Eivind\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\urlclassifier2.sqlite Object is locked skipped
E:\Documents and Settings\Eivind\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\Eivind\Desktop\downloads\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\Documents and Settings\Eivind\Desktop\downloads\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\Documents and Settings\Eivind\Desktop\downloads\mirc621.exe NSIS: infected - 2 skipped
E:\Documents and Settings\Eivind\dodolook020.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\Documents and Settings\Eivind\dodolook020.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\Documents and Settings\Eivind\dodolook020.exe NSIS: infected - 2 skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Messenger\eivind_berg@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Messenger\eivind_berg@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Messenger\eivind_berg@hotmail.com\SharingMetadata\Working\database_2090_8765_9087_3FF0\dfsr.db Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Messenger\eivind_berg@hotmail.com\SharingMetadata\Working\database_2090_8765_9087_3FF0\fsr.log Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Messenger\eivind_berg@hotmail.com\SharingMetadata\Working\database_2090_8765_9087_3FF0\fsrtmp.log Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Messenger\eivind_berg@hotmail.com\SharingMetadata\Working\database_2090_8765_9087_3FF0\tmp.edb Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Windows Live Contacts\eivind_berg@hotmail.com\real\members.stg Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Microsoft\Windows Live Contacts\eivind_berg@hotmail.com\shadow\members.stg Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\Cache\_CACHE_001_ Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\Cache\_CACHE_002_ Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\Cache\_CACHE_003_ Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Application Data\Mozilla\Firefox\Profiles\8fnkiuid.default\Cache\_CACHE_MAP_ Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\History\History.IE5\MSHist012007081320070814\index.dat Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temp\{0000013E-0000-0000-C000-000000000046} Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temp\~DF3D89.tmp Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temp\~DF3F1E.tmp Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temp\~DF8FBA.tmp Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temp\~DF8FCC.tmp Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temp\~DFA6EC.tmp Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temp\~DFA6FA.tmp Object is locked skipped
E:\Documents and Settings\Eivind\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Eivind\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Eivind\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\pokertracker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\pokertracker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\pokertracker\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\pokertracker\NtUser.dat.LOG Object is locked skipped
E:\Games\Half-Life 2\SteamApps\trackmania united content.ncf Object is locked skipped
E:\Games\Half-Life 2\SteamApps\winui.gcf Object is locked skipped
E:\Games\Half-Life 2\SteamLogs\SteamStats.log Object is locked skipped
E:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\Program Files\Postgres\data\pg_log\postgresql-2007-08-13_200853.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP226\A0022818.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP226\A0022818.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP226\A0022818.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP229\A0022920.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP229\A0022920.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP229\A0022920.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP233\A0023008.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP233\A0023008.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP233\A0023008.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP236\A0023053.exe Infected: Trojan-Dropper.Win32.Agent.ayy skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP239\A0023141.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP239\A0023141.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP239\A0023141.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP241\A0023173.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP241\A0023173.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP241\A0023173.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP241\A0023181.exe Infected: not-a-virus:AdWare.Win32.AdHelper.cm skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP242\A0023223.sys Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP245\A0023441.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP245\A0023441.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP245\A0023441.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP246\A0023455.exe Infected: Trojan-Dropper.Win32.Agent.ayy skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP283\A0026864.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP283\A0026864.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP283\A0026864.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP285\A0027020.dll Infected: not-a-virus:AdWare.Win32.AdHelper.ci skipped
E:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP289\change.log Object is locked skipped
E:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
E:\WINDOWS\SchedLgU.Txt Object is locked skipped
E:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
E:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
E:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
E:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\default Object is locked skipped
E:\WINDOWS\system32\config\default.LOG Object is locked skipped
E:\WINDOWS\system32\config\SAM Object is locked skipped
E:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\SECURITY Object is locked skipped
E:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
E:\WINDOWS\system32\config\software Object is locked skipped
E:\WINDOWS\system32\config\software.LOG Object is locked skipped
E:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\system Object is locked skipped
E:\WINDOWS\system32\config\system.LOG Object is locked skipped
E:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
E:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\WINDOWS\Temp\Perflib_Perfdata_778.dat Object is locked skipped
E:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{5230EC6A-EFDE-478A-814A-75B140176A73}\RP289\change.log Object is locked skipped

Scan process completed.
 
ComboFix 07-08-09.3 - "Eivind" 2007-08-13 19:59:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1434 [GMT 2:00]
Command switches used :: E:\Documents and Settings\Eivind\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\DOCUME~1\ALLUSE~1\APPLIC~1\td
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1003.dat
E:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1003.dat
E:\WINDOWS\temp\~my1.tmp


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ETLUC
-------\etluc


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-12 17:46 51,200 --a------ E:\WINDOWS\nircmd.exe
2007-08-06 21:46 261,480 --a------ E:\WINDOWS\system32\xactengine2_7.dll
2007-08-06 21:45 443,752 --a------ E:\WINDOWS\system32\d3dx10_33.dll
2007-08-06 21:45 3,495,784 --a------ E:\WINDOWS\system32\d3dx9_33.dll
2007-08-06 21:45 255,848 --a------ E:\WINDOWS\system32\xactengine2_6.dll
2007-08-06 21:45 1,123,696 --a------ E:\WINDOWS\system32\D3DCompiler_33.dll
2007-08-03 23:21 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Prism
2007-08-03 23:18 15,781 --a------ E:\WINDOWS\system32\drivers\mdc8021x.sys
2007-08-03 23:18 <DIR> d-------- E:\Program Files\3Com
2007-08-03 23:15 344,096 --a------ E:\WINDOWS\system32\drivers\3C254G50.sys
2007-08-03 23:15 225,280 --a------ E:\WINDOWS\system32\CCU3C254.exe
2007-08-03 23:15 16,834 --a------ E:\WINDOWS\system32\CCU3C254.dll
2007-08-03 23:15 <DIR> d-------- E:\Program Files\stuff
2007-08-01 01:55 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-31 20:52 <DIR> d-------- E:\Program Files\Zoom Player
2007-07-26 02:34 <DIR> d-------- E:\DOCUME~1\Eivind\APPLIC~1\My Games
2007-07-25 18:09 <DIR> d-------- E:\DOCUME~1\Eivind\APPLIC~1\Lionhead Studios
2007-07-25 17:53 <DIR> d-------- E:\Program Files\The Movies
2007-07-25 17:53 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Lionhead Studios
2007-07-25 03:53 <DIR> d-------- E:\Program Files\uTorrent
2007-07-25 03:53 <DIR> d-------- E:\DOCUME~1\Eivind\APPLIC~1\uTorrent
2007-07-20 00:03 24,576 --------- E:\WINDOWS\UniFISH.exe
2007-07-19 20:19 <DIR> d-------- E:\Program Files\BlackIsle
2007-07-19 19:42 52,736 --a------ E:\WINDOWS\ipuninst.exe
2007-07-19 19:42 <DIR> d-------- E:\Program Files\Interplay


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 23:14 --------- d-------- E:\Program Files\Common Files\Error Report
2007-08-11 14:22 9344 --a------ E:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-11 14:22 8320 --a------ E:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 18:27 --------- d-------- E:\DOCUME~1\Eivind\APPLIC~1\dvdcss
2007-08-06 21:51 --------- d--h----- E:\Program Files\InstallShield Installation Information
2007-07-25 18:06 163644 --a------ E:\WINDOWS\system32\drivers\secdrv.sys
2007-07-25 03:53 --------- d-------- E:\DOCUME~1\Eivind\APPLIC~1\Azureus
2007-07-24 17:16 --------- d-------- E:\Program Files\Azureus
2007-07-04 16:56 8 --a------ E:\WINDOWS\ocinfo.dat
2007-07-01 16:09 173348 --a------ E:\WINDOWS\system32\drivers\mxdispdr.sys
2007-07-01 14:15 --------- d-------- E:\DOCUME~1\Eivind\APPLIC~1\Apple Computer
2007-06-20 18:55 --------- d-------- E:\Program Files\Winamp
2007-06-17 16:33 --------- d-------- E:\Program Files\winstat
2007-06-14 20:19 --------- d-------- E:\Program Files\Lavasoft
2007-06-14 20:19 --------- d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-06-14 17:22 --------- d-------- E:\Program Files\iTunes
2007-06-14 17:22 --------- d-------- E:\Program Files\iPod
2007-06-14 17:21 --------- d-------- E:\Program Files\QuickTime
2007-06-07 00:27 1302 --a------ E:\WINDOWS\mozver.dat
2007-05-16 17:12 86528 --a--c--- E:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:12 85504 --a--c--- E:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:12 683520 --a--c--- E:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:12 683520 --a------ E:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:12 510976 --a--c--- E:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:12 1314816 --a--c--- E:\WINDOWS\system32\dllcache\msoe.dll
2007-03-30 21:38 19552 --a------ E:\DOCUME~1\Eivind\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2006-11-07 00:55]
"nwiz"="nwiz.exe" [2006-11-07 00:55 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2006-11-07 00:55]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 18:23 E:\WINDOWS\RTHDCPL.exe]
"XPC Tools"="E:\Program Files\Shuttle\XPC Tools\XPCTools.exe" [2006-09-04 16:43]
"WinampAgent"="E:\Program Files\Winamp\winampa.exe" [2004-12-20 20:41]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40]
"NVIDIA nTune"="E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2006-10-31 08:27]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"PRISMSVR.EXE"="E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\PRISMSVR.exe" [2004-04-26 14:26]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-12 17:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
3Com Wireless 11g USB Adapter.lnk - E:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g USB Adapter\3ComU11gMonitor.exe [2004-09-15 15:23:50]
Hurtigstart for Adobe Reader.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

R2 mxdispdr;mxdispdr;\??\E:\WINDOWS\system32\drivers\mxdispdr.sys
R2 pgsql-8.1;PostgreSQL Database Server 8.1;"E:\Program Files\Postgres\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "E:\Program Files\Postgres\data\"
R3 NVR0Dev;NVR0Dev;\??\E:\WINDOWS\nvoclock.sys
R3 XPCDriver;XPCDriver;\??\E:\WINDOWS\system32\drivers\XPCDriver.sys
S3 3Com_A02;3com Driver;E:\WINDOWS\system32\DRIVERS\3C254G50.sys
S3 DHIS2JETTY;DHIS2 (Jetty);c:\dhis2\jetty\extra\win32\Wrapper.exe -s c:\dhis2\jetty\\extra\win32\wrapper.conf
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;E:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 RivaTuner32;RivaTuner32;\??\E:\Program Files\RivaTuner v2.0 Final Release\RivaTuner32.sys
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;E:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ef62ab4-bd17-11db-b3b8-00301bbc08d9}]
Auto\command- bittorrent.exe e
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39554214-83ad-11db-b388-00301bbc08d9}]
Auto\command- K:\bittorrent.exe e
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 20:09:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 20:10:56 - machine was rebooted
E:\ComboFix-quarantined-files.txt ... 2007-08-13 20:10
E:\ComboFix2.txt ... 2007-08-12 17:59

--- E O F ---
 
Hi

Delete this:

E:\Documents and Settings\Eivind\dodolook020.exe

Empty Recycle Bin

Otherwise looking good :)

Still problems?
 
Done. And seems good. :)

If this is it, I must say I'm extremely grateful! This far surpasses any help I've received at any other forum (regardless of topic). Thank you so much!
 
Hi

Almost there, yes :)

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ef62ab4-bd17-11db-b3b8-00301bbc08d9}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39554214-83ad-11db-b388-00301bbc08d9}]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Any other issues left?
 
You must log in or register to reply here.
Back
Top