
[Resolved] Trojan Virtumonde et al.


  • This topic is locked
14 replies to this topic

#1 Kryss (New Member, 9 posts)

Posted 02 December 2007 - 06:59 PM

Hello,

:(
I have removed, I think, all of the Virtumonde stuff but fear there is more. I want to ensure it is gone so I can resume my life. I appreciate any help I can get.

Software used: Spyware Doctor, VundoFix.

It has rendered my Trend Micro useless and I have no internet on that PC at all; I am using another at the moment.

Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:52 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server2.holly...us/dbnetoffice/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Magentic] "C:\PROGRA~1\Magentic\bin\Magentic.exe" /c
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kryss\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\Program Files\SmartWhois\swmsie.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1162873592062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162874339609
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai..../couponsbar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ljjkjhi - ljjkjhi.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 9958 bytes



Thanks for the Help
Kryss

Edited by Kryss, 03 December 2007 - 10:48 AM.



#2 Kryss (New Member, 9 posts)

Posted 03 December 2007 - 07:24 PM

I am sorry to bump this, but I really need to know if anyone is assisting me; if not, I will need to go elsewhere. I really need help, pretty please. K

#3 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 December 2007 - 08:58 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:


Please download ATF Cleaner by Atribune.
Download: ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser and want to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click while it's running. That may cause it to stall.

The forum is run by volunteers who donate their time and expertise.


Logs will be closed if you haven't replied within 3 days



#4 Kryss (New Member, 9 posts)

Posted 03 December 2007 - 09:16 PM

Thank you so much.

Here is the ComboFix log:

ComboFix 07-12-02.6 - Kryss 2007-12-03 19:04:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.583 [GMT -8:00]
Running from: C:\Documents and Settings\Kryss\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Kryss\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Kryss\ResErrors.log
C:\WINDOWS\system32\buaknojs.dll
C:\WINDOWS\system32\cbxxust.dll
C:\WINDOWS\system32\hggfghf.dll
C:\WINDOWS\system32\nnnolig.dll
C:\WINDOWS\system32\sjonkaub.ini
C:\WINDOWS\system32\tstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-02 15:52 . 2007-12-02 16:23 <DIR> d-------- C:\VundoFix Backups
2007-12-02 12:38 . 2007-12-02 15:37 594 ---hs---- C:\WINDOWS\system32\rrigjkvt.ini
2007-12-02 11:42 . 2007-12-03 17:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-02 11:42 . 2007-12-02 11:42 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\PC Tools
2007-12-02 11:42 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-02 11:42 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-02 11:42 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-02 11:42 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-02 11:42 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Program Files\YourPlace
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Program Files\The Learning Company
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Jasc Software Inc
2007-11-30 09:38 . 2007-11-30 09:39 <DIR> d-------- C:\TEMP\ext37558
2007-11-29 16:06 . 2007-10-01 16:24 219,448 --a------ C:\WINDOWS\system32\WRLogonNtf(2)(2).dll
2007-11-28 21:33 . 2007-11-29 10:20 97 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-28 19:22 . 2007-12-02 11:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 10:25 . 2007-11-28 10:25 0 --a----t- C:\_wdsuef.dmp
2007-11-28 10:12 . 2007-11-28 10:12 <DIR> d-------- C:\WINDOWS\Performance
2007-11-28 10:12 . 2007-11-28 10:12 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-11-28 10:12 . 2007-11-28 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-11-28 10:08 . 2007-11-28 10:26 2,187 --a------ C:\WINDOWS\diagerr.xml
2007-11-28 10:08 . 2007-11-28 10:26 1,887 --a------ C:\WINDOWS\diagwrn.xml
2007-11-26 17:13 . 2007-11-26 17:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-26 17:13 . 2007-11-26 17:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-26 17:10 . 2007-11-26 17:14 <DIR> d-------- C:\Program Files\Zune
2007-11-23 16:39 . 2007-11-23 16:39 <DIR> d-------- C:\Program Files\MoRUN.net
2007-11-23 16:07 . 2007-11-23 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Games
2007-11-23 15:28 . 2006-03-24 17:32 4,882,432 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-11-23 15:28 . 2006-03-22 17:52 1,052,672 --a------ C:\WINDOWS\system32\stlang.dll
2007-11-23 15:28 . 2006-03-24 17:30 282,624 --a------ C:\WINDOWS\stsystra.exe
2007-11-23 15:27 . 2007-11-23 15:27 <DIR> d-------- C:\Program Files\SigmaTel
2007-11-23 15:27 . 2006-03-24 17:34 1,156,648 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2007-11-23 15:27 . 2006-03-24 17:31 208,896 --a------ C:\WINDOWS\system32\stacapi.dll
2007-11-23 15:27 . 2006-03-24 17:32 112,128 --a------ C:\WINDOWS\system32\staco.dll
2007-11-22 07:35 . 2007-11-22 07:35 <DIR> d-------- C:\Program Files\Innovatools
2007-11-21 13:05 . 2007-11-23 16:08 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Microsoft Games
2007-11-21 12:35 . 2007-11-23 15:55 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-19 13:22 . 2007-11-19 13:23 <DIR> d-------- C:\Program Files\QuickTime
2007-11-18 10:54 . 2007-11-18 11:08 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Corel
2007-11-18 10:54 . 2007-11-18 10:54 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-18 10:54 . 2007-11-18 10:54 88 -r-hs---- C:\WINDOWS\system32\F38C0297AF.sys
2007-11-18 10:51 . 2007-11-18 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-11-18 10:50 . 2007-11-18 10:51 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-11-18 10:50 . 2007-11-18 10:50 476,752 --a------ C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-11-18 10:39 . 2007-11-18 10:50 <DIR> d-------- C:\Program Files\Corel
2007-11-18 10:04 . 2007-11-18 10:25 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Download Manager
2007-11-15 21:51 . 2007-11-15 21:51 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-15 21:51 . 2007-11-15 21:51 155,552 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-15 21:51 . 2007-11-15 21:51 80,288 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-15 21:51 . 2007-11-15 21:51 72,608 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-15 21:51 . 2007-11-15 21:51 59,296 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-15 21:51 . 2007-11-15 21:51 45,472 --a------ C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-15 21:38 . 2007-11-15 21:38 40,832 --a------ C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-15 16:43 . 2007-11-15 16:43 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\j2 Messenger
2007-11-15 16:43 . 2007-11-15 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\j2 Messenger 4.2 Setup
2007-11-15 16:42 . 2007-11-15 16:44 <DIR> d-------- C:\Program Files\j2 Messenger 4.2
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-09 13:42 . 2007-11-09 13:48 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-08 16:25 . 2007-11-08 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-08 16:22 . 2007-11-28 19:15 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-11-07 14:58 . 2007-11-07 14:58 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Snapfish

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 05:50 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-02 23:37 --------- d-----w C:\Program Files\Webroot
2007-12-02 22:46 --------- d-----w C:\Documents and Settings\Kryss\Application Data\Webroot
2007-11-30 03:31 --------- d--h--w C:\Documents and Settings\Kryss\Application Data\Move Networks
2007-11-29 05:40 --------- d-----w C:\Program Files\Trend Micro
2007-11-24 18:17 5 ----a-w C:\WINDOWS\system32\drivers\DELL_WOR_M65.MRK
2007-11-24 18:17 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_WOR_M65.MRK
2007-11-24 00:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 22:13 --------- d-----w C:\Program Files\Paltalk Messenger
2007-11-21 22:13 --------- d-----w C:\Documents and Settings\Kryss\Application Data\Paltalk
2007-11-21 22:08 --------- d-----w C:\Program Files\Apple Software Update
2007-11-15 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-09 21:43 --------- d-----w C:\Documents and Settings\Kryss\Application Data\uTorrent
2007-11-09 00:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-19 18:23 --------- d-----w C:\Program Files\Cucusoft
2007-10-19 17:22 --------- d-----w C:\Documents and Settings\Kryss\Application Data\HP
2007-10-18 19:56 --------- d-----w C:\Documents and Settings\Mark\Application Data\HP
2007-10-17 17:22 --------- d-----w C:\Program Files\MSBuild
2007-10-17 17:22 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-17 04:54 --------- d-----w C:\Program Files\uTorrent
2007-10-16 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Magentic"="C:\PROGRA~1\Magentic\bin\Magentic.exe" [2007-05-30 13:03]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 12:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 10:25]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:00]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 16:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkjhi]
ljjkjhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-10-06 19:56 11504 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^j2 4.2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\j2 4.2.lnk
backup=C:\WINDOWS\pss\j2 4.2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SSH Tectia Connection Broker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SSH Tectia Connection Broker.lnk
backup=C:\WINDOWS\pss\SSH Tectia Connection Broker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kryss^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Kryss\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kryss^Start Menu^Programs^Startup^Shortcut to Order Counter.lnk]
path=C:\Documents and Settings\Kryss\Start Menu\Programs\Startup\Shortcut to Order Counter.lnk
backup=C:\WINDOWS\pss\Shortcut to Order Counter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60288e22]
rundll32.exe C:\WINDOWS\system32\buaknojs.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 14:13 176128 -ra------ C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-16 19:04 139264 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 09:08 1347584 --a------ C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 02:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-09 20:29 49152 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project]
C:\Program Files\Gizmo Project\Gizmo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project for LJ Talk]
C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 01:41 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-05-17 09:52 505368 --a------ C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2006-10-06 19:55 303864 --a------ C:\Program Files\LogMeIn\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-08-13 16:04 5562368 --a------ C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
rundll32.exe nvHotkey.dll,Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
2006-08-18 12:06 315392 --a------ C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 15:07 49263 --a------ C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
2005-08-08 13:49 1110016 --a------ C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2007-11-15 21:51 166304 --a------ c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"wwSecSvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"usnjsvc"=3 (0x3)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PcScnSrv"=3 (0x3)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\RaInfo.sys
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe
R3 guardian2;guardian2;C:\WINDOWS\system32\Drivers\oz776.sys
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
S3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 02:22:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 19:11:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 19:14:43 - machine was rebooted
.
--- E O F ---

#5 Kryss (New Member, 9 posts)

Posted 03 December 2007 - 09:18 PM

And here is my new HijackThis log.

Thank you again for looking.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:54 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server2.holly...us/dbnetoffice/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Magentic] "C:\PROGRA~1\Magentic\bin\Magentic.exe" /c
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kryss\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\Program Files\SmartWhois\swmsie.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1162873592062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162874339609
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai..../couponsbar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ljjkjhi - ljjkjhi.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 9772 bytes

#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 December 2007 - 09:29 PM

Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\VundoFix Backups
C:\WINDOWS\system32\rrigjkvt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\_wdsuef.dmp
C:\WINDOWS\system32\F38C0297AF.sys
C:\WINDOWS\system32\buaknojs.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkjhi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60288e22]


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

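As an added example (not part of this thread, and not code from HijackThis or ComboFix), here is a small Python triage script: it parses HijackThis-style entry lines such as those in the log above, flags the orphaned O20 Winlogon Notify entry and the (no name) O2 BHO that the CFScript targets, and renders the matching Registry:: deletion line in the CFScript syntax shown in the post. The sample lines and the vowel-ratio "random name" heuristic are constructed for the example.

```python
import re

# Constructed sample: a few HijackThis v2.0.2 lines modelled on the log in
# this thread (GUIDs, names and paths copied from it), plus one clean O20
# line constructed from the LMIinit Winlogon Notify entry in the ComboFix log.
SAMPLE_HJT = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_10\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [SDTray] "C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"
O20 - Winlogon Notify: ljjkjhi - ljjkjhi.dll (file missing)
O20 - Winlogon Notify: LMIinit - C:\\WINDOWS\\system32\\LMIinit.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

# Registry key under which Winlogon Notify packages are registered; the
# CFScript in the thread deletes the "ljjkjhi" subkey below it.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# HijackThis entries look like "O20 - <body>"; header and process-list lines do not match.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def looks_random(filename):
    """Constructed heuristic: a bare lowercase name of 6-10 letters with under 30% vowels."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{6,10}", stem):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.3


def triage(entries):
    """Return a list of findings (dicts) for entries that warrant a closer look."""
    findings = []
    for section, body in entries:
        if section == "O20" and body.startswith("Winlogon Notify:"):
            # body is "<name> - <dll path or name> [(file missing)]"
            name, _, target = body[len("Winlogon Notify:"):].strip().partition(" - ")
            if "(file missing)" in target:
                findings.append({"section": section, "line": body,
                                 "reason": "orphaned Winlogon Notify entry",
                                 "key": NOTIFY_KEY + "\\" + name})
            elif looks_random(name):
                findings.append({"section": section, "line": body,
                                 "reason": "random-looking Winlogon Notify DLL name",
                                 "key": NOTIFY_KEY + "\\" + name})
        elif section == "O2" and ("(no name)" in body or "(no file)" in body):
            findings.append({"section": section, "line": body,
                             "reason": "BHO with no name or no backing file"})
    return findings


def cfscript_registry_section(findings):
    """Render the Registry:: block (CFScript syntax, as in the thread) that drops the flagged keys."""
    keys = [f["key"] for f in findings if "key" in f]
    return "Registry::\n" + "\n".join("[-%s]" % k for k in keys)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_HJT))
    for f in found:
        print("%s  %s\n    %s" % (f["section"], f["reason"], f["line"]))
    print()
    print(cfscript_registry_section(found))
```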

 


#7 Kryss (New Member, 9 posts)

Posted 03 December 2007 - 09:40 PM

Thank you so much, here is my new ComboFix log.

ComboFix 07-12-02.6 - Kryss 2007-12-03 19:33:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT -8:00]
Running from: C:\Documents and Settings\Kryss\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kryss\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\_wdsuef.dmp
C:\VundoFix Backups
C:\WINDOWS\system32\buaknojs.dll
C:\WINDOWS\system32\F38C0297AF.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rrigjkvt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_wdsuef.dmp
C:\WINDOWS\system32\F38C0297AF.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rrigjkvt.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-02 15:52 . 2007-12-02 16:23 <DIR> d-------- C:\VundoFix Backups
2007-12-02 11:42 . 2007-12-03 17:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-02 11:42 . 2007-12-02 11:42 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\PC Tools
2007-12-02 11:42 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-02 11:42 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-02 11:42 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-02 11:42 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-02 11:42 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Program Files\YourPlace
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Program Files\The Learning Company
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2007-12-02 11:19 . 2007-12-02 11:19 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Jasc Software Inc
2007-11-30 09:38 . 2007-11-30 09:39 <DIR> d-------- C:\TEMP\ext37558
2007-11-29 16:06 . 2007-10-01 16:24 219,448 --a------ C:\WINDOWS\system32\WRLogonNtf(2)(2).dll
2007-11-28 19:22 . 2007-12-02 11:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 10:12 . 2007-11-28 10:12 <DIR> d-------- C:\WINDOWS\Performance
2007-11-28 10:12 . 2007-11-28 10:12 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-11-28 10:12 . 2007-11-28 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-11-28 10:08 . 2007-11-28 10:26 2,187 --a------ C:\WINDOWS\diagerr.xml
2007-11-28 10:08 . 2007-11-28 10:26 1,887 --a------ C:\WINDOWS\diagwrn.xml
2007-11-26 17:13 . 2007-11-26 17:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-26 17:13 . 2007-11-26 17:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-26 17:10 . 2007-11-26 17:14 <DIR> d-------- C:\Program Files\Zune
2007-11-23 16:39 . 2007-11-23 16:39 <DIR> d-------- C:\Program Files\MoRUN.net
2007-11-23 16:07 . 2007-11-23 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Games
2007-11-23 15:28 . 2006-03-24 17:32 4,882,432 --a------ C:\WINDOWS\system32\stacgui.cpl
2007-11-23 15:28 . 2006-03-22 17:52 1,052,672 --a------ C:\WINDOWS\system32\stlang.dll
2007-11-23 15:28 . 2006-03-24 17:30 282,624 --a------ C:\WINDOWS\stsystra.exe
2007-11-23 15:27 . 2007-11-23 15:27 <DIR> d-------- C:\Program Files\SigmaTel
2007-11-23 15:27 . 2006-03-24 17:34 1,156,648 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2007-11-23 15:27 . 2006-03-24 17:31 208,896 --a------ C:\WINDOWS\system32\stacapi.dll
2007-11-23 15:27 . 2006-03-24 17:32 112,128 --a------ C:\WINDOWS\system32\staco.dll
2007-11-22 07:35 . 2007-11-22 07:35 <DIR> d-------- C:\Program Files\Innovatools
2007-11-21 13:05 . 2007-11-23 16:08 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Microsoft Games
2007-11-21 12:35 . 2007-11-23 15:55 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-19 13:22 . 2007-11-19 13:23 <DIR> d-------- C:\Program Files\QuickTime
2007-11-18 10:54 . 2007-11-18 11:08 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Corel
2007-11-18 10:54 . 2007-11-18 10:54 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-18 10:51 . 2007-11-18 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-11-18 10:50 . 2007-11-18 10:51 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-11-18 10:50 . 2007-11-18 10:50 476,752 --a------ C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-11-18 10:39 . 2007-11-18 10:50 <DIR> d-------- C:\Program Files\Corel
2007-11-18 10:04 . 2007-11-18 10:25 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Download Manager
2007-11-15 21:51 . 2007-11-15 21:51 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-15 21:51 . 2007-11-15 21:51 155,552 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-15 21:51 . 2007-11-15 21:51 80,288 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-15 21:51 . 2007-11-15 21:51 72,608 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-15 21:51 . 2007-11-15 21:51 59,296 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-15 21:51 . 2007-11-15 21:51 45,472 --a------ C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-15 21:38 . 2007-11-15 21:38 40,832 --a------ C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-15 16:43 . 2007-11-15 16:43 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\j2 Messenger
2007-11-15 16:43 . 2007-11-15 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\j2 Messenger 4.2 Setup
2007-11-15 16:42 . 2007-11-15 16:44 <DIR> d-------- C:\Program Files\j2 Messenger 4.2
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-09 13:42 . 2007-11-09 13:48 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-08 16:25 . 2007-11-08 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-11-08 16:22 . 2007-11-28 19:15 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-11-07 14:58 . 2007-11-07 14:58 <DIR> d-------- C:\Documents and Settings\Kryss\Application Data\Snapfish

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 05:50 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-02 23:37 --------- d-----w C:\Program Files\Webroot
2007-12-02 22:46 --------- d-----w C:\Documents and Settings\Kryss\Application Data\Webroot
2007-11-30 03:31 --------- d--h--w C:\Documents and Settings\Kryss\Application Data\Move Networks
2007-11-29 05:40 --------- d-----w C:\Program Files\Trend Micro
2007-11-24 18:17 5 ----a-w C:\WINDOWS\system32\drivers\DELL_WOR_M65.MRK
2007-11-24 18:17 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL_WOR_M65.MRK
2007-11-24 00:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 22:13 --------- d-----w C:\Program Files\Paltalk Messenger
2007-11-21 22:13 --------- d-----w C:\Documents and Settings\Kryss\Application Data\Paltalk
2007-11-21 22:08 --------- d-----w C:\Program Files\Apple Software Update
2007-11-15 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-09 21:43 --------- d-----w C:\Documents and Settings\Kryss\Application Data\uTorrent
2007-11-09 00:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-19 18:23 --------- d-----w C:\Program Files\Cucusoft
2007-10-19 17:22 --------- d-----w C:\Documents and Settings\Kryss\Application Data\HP
2007-10-18 21:09 1,419,232 ----a-w C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-10-18 19:56 --------- d-----w C:\Documents and Settings\Mark\Application Data\HP
2007-10-17 17:22 --------- d-----w C:\Program Files\MSBuild
2007-10-17 17:22 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-17 04:54 --------- d-----w C:\Program Files\uTorrent
2007-10-16 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Magentic"="C:\PROGRA~1\Magentic\bin\Magentic.exe" [2007-05-30 13:03]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 12:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 10:25]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:00 C:\WINDOWS\system32\rundll32.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:00]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 16:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-10-06 19:56 11504 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^j2 4.2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\j2 4.2.lnk
backup=C:\WINDOWS\pss\j2 4.2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SSH Tectia Connection Broker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SSH Tectia Connection Broker.lnk
backup=C:\WINDOWS\pss\SSH Tectia Connection Broker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kryss^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Kryss\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kryss^Start Menu^Programs^Startup^Shortcut to Order Counter.lnk]
path=C:\Documents and Settings\Kryss\Start Menu\Programs\Startup\Shortcut to Order Counter.lnk
backup=C:\WINDOWS\pss\Shortcut to Order Counter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-10 21:46 624248 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 14:13 176128 -ra------ C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-16 19:04 139264 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 09:08 1347584 --a------ C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 02:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-09 20:29 49152 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project]
C:\Program Files\Gizmo Project\Gizmo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project for LJ Talk]
C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 01:41 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-05-17 09:52 505368 --a------ C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2006-10-06 19:55 303864 --a------ C:\Program Files\LogMeIn\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-08-13 16:04 5562368 --a------ C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
rundll32.exe nvHotkey.dll,Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
2006-08-18 12:06 315392 --a------ C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 15:07 49263 --a------ C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
2005-08-08 13:49 1110016 --a------ C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2007-11-15 21:51 166304 --a------ c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"wwSecSvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"usnjsvc"=3 (0x3)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PcScnSrv"=3 (0x3)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\RaInfo.sys
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe
R3 guardian2;guardian2;C:\WINDOWS\system32\Drivers\oz776.sys
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
S3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 03:22:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 19:36:59
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 19:38:26
C:\ComboFix2.txt ... 2007-12-03 19:14
.
--- E O F ---

#8 Kryss
New Member, 9 posts

Posted 03 December 2007 - 09:41 PM

Here is the new HijackThis log as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:47 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server2.holly...us/dbnetoffice/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Magentic] "C:\PROGRA~1\Magentic\bin\Magentic.exe" /c
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kryss\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\Program Files\SmartWhois\swmsie.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\Program Files\SmartWhois\swmsie.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1162873592062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162874339609
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai..../couponsbar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 9707 bytes

#9 Kryss
New Member, 9 posts

Posted 03 December 2007 - 09:44 PM

My computer seems to run a tad faster, but the My Documents folder keeps crashing. I can open it, but then it promptly hangs and closes after 5-10 seconds. Thanks again for all your assistance.

#10 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 03 December 2007 - 09:46 PM

  • Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image not preserved]
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    [image not preserved]
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 Kryss
New Member, 9 posts

Posted 04 December 2007 - 01:28 PM

Sorry for the delay, it took a while... and my docs are still hanging. : ( Here is the DrWeb report:

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;
buaknojs.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.232;Deleted.;
cbxxust.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.244;Deleted.;
hggfghf.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.244;Deleted.;
nnnolig.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.244;Deleted.;
A0110924.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Trojan.DownLoader.26570;Deleted.;
A0110930.exe\data002;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327\A0110930.exe;Trojan.DownLoader.origin;;
A0110930.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Archive contains infected objects;Moved.;
A0110958.sys;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Program.Winfixer - read error;;
A0110959.sys;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Program.Winfixer - read error;;
A0110970.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Trojan.Fakealert.352;Deleted.;
A0110977.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Trojan.Virtumod.232;Deleted.;
A0110983.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Trojan.Fakealert.372;Deleted.;
A0110984.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Trojan.EzulaAd;Deleted.;
A0110995.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Trojan.Fakealert.372;Deleted.;
A0113115.reg;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.StartPage.1505;Deleted.;
A0113188.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.Virtumod.232;Deleted.;
A0113189.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.DownLoader.26570;Deleted.;
A0113191.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.EzulaAd;Deleted.;
A0113244.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.DownLoader.26570;Deleted.;
A0113246.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.Virtumod.232;Deleted.;
A0113277.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.Fakealert.372;Deleted.;
A0113278.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.EzulaAd;Deleted.;
A0113530.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP331;Trojan.Fakealert.372;Deleted.;
A0114064.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP339;Trojan.Fakealert.372;Deleted.;
A0114065.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP339;Trojan.EzulaAd;Deleted.;
A0114090.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP339;Trojan.Fakealert.372;Deleted.;
A0114411.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP341;Trojan.Virtumod.232;Deleted.;
A0114412.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP341;Trojan.DownLoader.26570;Deleted.;
A0118959.exe;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP341;Trojan.EzulaAd;Deleted.;
A0118962.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP341;Trojan.Virtumod.244;Deleted.;
A0119970.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP343;Trojan.Virtumod.232;Deleted.;
A0119972.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP343;Trojan.Fakealert.372;Deleted.;
A0119973.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP343;Trojan.Fakealert.372;Deleted.;
A0121264.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP347;Trojan.Virtumod.232;Deleted.;
A0121265.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP347;Trojan.Virtumod.244;Deleted.;
A0121266.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP347;Trojan.Virtumod.244;Deleted.;
A0121267.dll;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP347;Trojan.Virtumod.244;Deleted.;
bmibsxta.dll.bad;C:\VundoFix Backups;Trojan.Fakealert.372;Deleted.;
dkovpdks.dll.bad;C:\VundoFix Backups;Trojan.Fakealert.372;Deleted.;
CouponBarIE.dll;C:\WINDOWS;Adware.SearchIt.origin;Incurable.Moved.;

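As an added example (not code from the thread, from the forum helpers or from Dr.Web), here is a small Python parser for the DrWeb.csv report that the CureIt steps above produce and that the post above pastes: it splits each record into its four fields, then sorts hits into live paths, System Restore copies and the quarantine folders of the earlier ComboFix and VundoFix runs, so a helper can see at a glance which detections were still on a path the running system could load from. The sample report lines are copied from that post; the quarantine prefixes are assumed from paths seen in the thread.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the DrWeb.csv report posted above
# (name;directory;threat;action;); the values are copied from that post.
SAMPLE_REPORT = r"""
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
buaknojs.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.232;Deleted.;
A0110930.exe\data002;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327\A0110930.exe;Trojan.DownLoader.origin;;
A0110958.sys;C:\System Volume Information\_restore{92574E50-2E70-4073-9FAD-2B4C97288C7C}\RP327;Program.Winfixer - read error;;
bmibsxta.dll.bad;C:\VundoFix Backups;Trojan.Fakealert.372;Deleted.;
CouponBarIE.dll;C:\WINDOWS;Adware.SearchIt.origin;Incurable.Moved.;
"""

# Restore-point copies sit under _restore{GUID}\RPnnn. The two prefixes are the
# quarantine folders of the ComboFix and VundoFix runs (assumed from the report paths).
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+")
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine", r"c:\vundofix backups")

@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str  # "" when CureIt took no action (read error, member of an archive)

def parse_report(text: str) -> list[Detection]:
    """Parse DrWeb.csv records: four ';'-separated fields plus a trailing ';'."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split(";")
        if fields[-1] == "":  # drop the empty field produced by the trailing ';'
            fields.pop()
        if len(fields) != 4:
            raise ValueError(f"unexpected DrWeb record: {line!r}")
        records.append(Detection(*fields))
    return records

def classify(d: Detection) -> str:
    """'restore_point', 'quarantine' or 'live'. Only 'live' hits sat on a path the
    running system could still load from; a restore-point copy comes back only if
    that restore point is rolled back to, a quarantine copy only if restored."""
    if RESTORE_RE.search(d.directory):
        return "restore_point"
    if d.directory.lower().startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    return "live"

def family(threat: str) -> str:
    """'Trojan.Virtumod.232' -> 'Trojan.Virtumod'; drops notes like ' - read error'."""
    return ".".join(threat.split(" - ")[0].split(".")[:2])

def summarize(records: list[Detection]) -> dict[str, Counter]:
    return {"by_location": Counter(classify(d) for d in records),
            "by_family": Counter(family(d.threat) for d in records)}

def unresolved(records: list[Detection]) -> list[str]:
    """Names CureIt listed but could not cure, delete or move (empty action)."""
    return [d.name for d in records if d.action == ""]

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(summarize(recs), unresolved(recs))
```

Run against the full report above, only the two AOL installers and CouponBarIE.dll come out as live hits; everything else is a restore-point or quarantine copy of files removed earlier in the thread.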
#12 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 04 December 2007 - 01:40 PM

Can you make a new folder and move your docs there to see what happens?


#13 Kryss
New Member, 9 posts

Posted 04 December 2007 - 01:56 PM

New folder made, but I cannot get it to stay open long enough to transfer stuff before Dr Watson comes to visit me.

#14 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 04 December 2007 - 08:40 PM

You can use Windows SFC (System File Checker). You'd need your XP CD to make this work.
Click Start > Run > type sfc /scannow (note that there is a space between sfc and /scannow).


#15 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 12 December 2007 - 09:00 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
