My HijackThis log

Post by Vaughan » September 4th, 2007, 6:53 am

Hello. I am having problems with malware. I have partly removed some of it but I cannot get rid of all of it. I would really appreciate some help from you guys.

Here is my log:


Logfile of HijackThis v1.99.1
Scan saved at 11:52:17, on 04/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67253FB7-6F82-485E-9CFF-81F0BE6833F6} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B3F8A93-933C-4DDA-B24C-AEB0697C132A} - C:\WINDOWS\system32\ssqpoop.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S101.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0349849523
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0351403077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23DBDD94-C9D5-4C69-A847-AE5849886600}: NameServer = 194.168.4.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ssqpoop - C:\WINDOWS\SYSTEM32\ssqpoop.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wynxshgt.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Post by Navigator » September 4th, 2007, 2:10 pm

Hello Vaughan...welcome to Malware Removal...I will try to help you with your computer's malware problem.

You have a Vundo infection.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.


Note: It is possible that VundoFix encounters a file it cannot remove. In this case, VundoFix will run again on reboot.

If this occurs, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
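
Navigator's call of a Vundo infection rests on the HijackThis log above: the BHO and Winlogon Notify entries pointing at lowercase-named DLLs in system32 (jkhhh.dll, ssqpoop.dll), the entries flagged "(file missing)", and the DomainService service with no binary behind it. The Python script below is an added example for this thread, not code from HijackThis, VundoFix or the MalwareRemoval.com team; it parses a few lines copied from the posted log and applies those first-pass rules. The function names (parse_log, triage), the Winlogon Notify allowlist and the lowercase-name heuristic are assumptions made for the example, not a vetted baseline. It also encodes one caveat visible in the same log: HijackThis 1.99.1 marks the BitDefender services "(file missing)" because it misparses a quoted path followed by /service, so a missing-file flag on an O23 line is only meaningful when the process is not also in the running-process list.

```python
"""Triage a HijackThis v1.99 log for Vundo-style persistence indicators.
Added example for this thread, not HijackThis/VundoFix/ComboFix code; the
heuristics and allowlist below are assumptions, not a vetted database."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# trimmed to the sections the script inspects.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67253FB7-6F82-485E-9CFF-81F0BE6833F6} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B3F8A93-933C-4DDA-B24C-AEB0697C132A} - C:\WINDOWS\system32\ssqpoop.dll
O20 - Winlogon Notify: ssqpoop - C:\WINDOWS\SYSTEM32\ssqpoop.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wynxshgt.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed allowlist of Winlogon Notify DLLs that ship with Windows XP.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "wlnotify.dll", "cscdll.dll", "crypt32.dll",
                     "cryptnet.dll", "scecli.dll", "sclgntfy.dll"}

# Lowercase-only name with no digits or vendor prefix, the shape of the Vundo DLLs
# in this log (jkhhh.dll, ssqpoop.dll). Only meaningful for files under system32.
THROWAWAY_NAME = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")

@dataclass
class Finding:
    section: str    # HijackThis section, e.g. "O20"
    item: str       # file name the entry points to
    severity: str   # "high", "medium" or "info"
    reason: str

def parse_log(text):
    """Return (set of running-process file names, list of (section, body) entries)."""
    processes, entries, in_processes = set(), [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            in_processes = False          # a blank line ends the process list
        elif line.startswith("Running processes:"):
            in_processes = True
        elif in_processes:
            processes.add(line.rsplit("\\", 1)[-1].lower())
        elif match := re.match(r"^(O\d+) - (.*)$", line):
            entries.append((match.group(1), match.group(2)))
    return processes, entries

def _target(body):
    """Path an entry points at, and its bare file name in lower case."""
    path = body.split(" - ")[-1].replace("(file missing)", "").strip()
    # HijackThis 1.99 leaves a stray quote and the arguments on quoted service
    # paths ('...\bdss.exe" /service'); cut them off to get the file name.
    return path, path.split("\\")[-1].split('"')[0].strip().lower()

def triage(text):
    """Apply the analyst's first-pass rules and return a list of Finding."""
    processes, entries = parse_log(text)
    findings = []
    for section, body in entries:
        missing = "(file missing)" in body or body.endswith("(no file)")
        path, name = _target(body)
        if section == "O2":
            if missing:
                findings.append(Finding(section, name, "medium",
                    "BHO CLSID still registered but its DLL is gone; leftover of a partial clean-up"))
            elif "\\system32\\" in path.lower() and THROWAWAY_NAME.match(name):
                findings.append(Finding(section, name, "high",
                    "BHO loads an unrecognised lowercase-named DLL from system32"))
        elif section == "O20" and name not in KNOWN_NOTIFY_DLLS:
            findings.append(Finding(section, name, "medium" if missing else "high",
                "Winlogon Notify DLL outside the known-good list"
                + (" (file currently absent)" if missing else "; loads into winlogon.exe at logon")))
        elif section == "O23" and missing:
            if name in processes:
                findings.append(Finding(section, name, "info",
                    "reported missing but the service is running: HijackThis misparsed a "
                    "quoted path with arguments; verify the path by hand"))
            else:
                findings.append(Finding(section, name, "medium",
                    "service registered for a binary that is neither present nor running"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.item:14} {f.reason}")
```

Run against the sample it reports ssqpoop.dll twice at high severity (once as a BHO, once as a Winlogon Notify DLL, which is why VundoFix could not delete it while winlogon.exe held it), the orphaned jkhhh.dll and CLSID-only BHO entries, winowl32 and the DomainService binary at medium, and the BitDefender bdss service only as an informational note. The output is a reading aid for a human analyst, not a removal list.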

Post by Vaughan » September 5th, 2007, 6:52 am

Hello. Thanks for taking the time to help me with this. Here is the VundoFix log on C:\

It is worth mentioning that VundoFix came up with an error at two stages in the operation. The error was: Error: 57. Device I/O Error.

Here is the log:

-----------------------------------------------------------------------

VundoFix V6.5.7

Checking Java version...

Scan started at 08:10:48 30/08/2007

Listing files found while scanning....

C:\WINDOWS\system32\bmadlekx.dll
C:\WINDOWS\system32\gguirdjm.dll
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\mjdriugg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bmadlekx.dll
C:\WINDOWS\system32\bmadlekx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkhhh.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mjdriugg.ini
C:\WINDOWS\system32\mjdriugg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Scan started at 11:34:27 30/08/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.7

Checking Java version...

Scan started at 13:50:32 30/08/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.8

Checking Java version...

Scan started at 11:36:55 05/09/2007

Listing files found while scanning....

C:\windows\system32\drvrog.dll
C:\windows\system32\drvrogr.dll
C:\WINDOWS\system32\ssqpoop.dll

Beginning removal...

Attempting to delete C:\windows\system32\drvrog.dll
C:\windows\system32\drvrog.dll Has been deleted!

Attempting to delete C:\windows\system32\drvrogr.dll
C:\windows\system32\drvrogr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpoop.dll
C:\WINDOWS\system32\ssqpoop.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqpoop.dll
C:\WINDOWS\system32\ssqpoop.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

---------------------------------------------------------

The next part is the HijackThis log:


----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:51:55, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67253FB7-6F82-485E-9CFF-81F0BE6833F6} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S101.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0349849523
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0351403077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23DBDD94-C9D5-4C69-A847-AE5849886600}: NameServer = 194.168.4.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wynxshgt.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

--------------------------------------------------------------------


Thanks for any further help.
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Post by Navigator » September 5th, 2007, 9:57 pm

Well, that helped...let's do this next:

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by Vaughan » September 6th, 2007, 5:43 am

Thank you for your continued support - I really appreciate it. Here is the ComboFix log:

ComboFix 07-08-30.3 - "-" 2007-09-06 10:30:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1570 [GMT 1:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\-\APPLIC~1\install.dat
C:\Program Files\s2f.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mllmk.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtstu.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-06 10:32 298,016 --a------ C:\WINDOWS\system32\vtutu.dll.vir
2007-09-06 10:32 298,016 --a------ C:\WINDOWS\system32\vtstu.dll.vir
2007-09-06 10:32 298,016 --a------ C:\WINDOWS\system32\vtstt.dll.vir
2007-09-06 10:32 298,016 --a------ C:\WINDOWS\system32\vtsqq.dll.vir
2007-09-06 10:29 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 21:29 244,768 --a------ C:\WINDOWS\system32\ssqrp.dll
2007-09-03 18:16 244,768 --a------ C:\WINDOWS\system32\awtqr.dll
2007-09-03 17:15 244,768 --a------ C:\WINDOWS\system32\mljgg.dll
2007-09-03 13:15 244,768 --a------ C:\WINDOWS\system32\mlljg.dll
2007-09-03 12:15 298,016 --a------ C:\WINDOWS\system32\mlljj.dll
2007-09-03 11:15 298,016 --a------ C:\WINDOWS\system32\pmkhg.dll
2007-09-02 20:16 298,016 --a------ C:\WINDOWS\system32\jkhfg.dll
2007-09-02 17:39 298,016 --a------ C:\WINDOWS\system32\ssqro.dll
2007-09-01 22:00 298,016 --a------ C:\WINDOWS\system32\awvvt.dll
2007-09-01 19:00 298,016 --a------ C:\WINDOWS\system32\awtsr.dll
2007-09-01 13:00 244,768 --a------ C:\WINDOWS\system32\pmkhf.dll
2007-09-01 11:00 298,016 --a------ C:\WINDOWS\system32\vtutu.dll
2007-09-01 09:00 298,016 --a------ C:\WINDOWS\system32\ddcyy.dll
2007-09-01 08:00 298,016 --a------ C:\WINDOWS\system32\pmnnl.dll
2007-09-01 04:00 298,016 --a------ C:\WINDOWS\system32\ddccb.dll
2007-08-31 21:05 298,016 --a------ C:\WINDOWS\system32\ssqpp.dll
2007-08-31 19:05 298,016 --a------ C:\WINDOWS\system32\vtsqn.dll
2007-08-31 17:05 298,016 --a------ C:\WINDOWS\system32\geedd.dll
2007-08-31 16:14 <DIR> d-------- C:\Program Files\Mobius
2007-08-31 16:05 244,768 --a------ C:\WINDOWS\system32\geedc.dll
2007-08-31 15:05 298,016 --a------ C:\WINDOWS\system32\awtqp.dll
2007-08-31 13:05 298,016 --a------ C:\WINDOWS\system32\jkkjk.dll
2007-08-31 11:03 298,016 --a------ C:\WINDOWS\system32\geeba.dll
2007-08-31 10:03 298,016 --a------ C:\WINDOWS\system32\ddcca.dll
2007-08-31 09:03 298,016 --a------ C:\WINDOWS\system32\ssqpm.dll
2007-08-31 08:03 298,016 --a------ C:\WINDOWS\system32\vtstt.dll
2007-08-30 21:31 298,016 --a------ C:\WINDOWS\system32\geebb.dll
2007-08-30 20:31 298,016 --a------ C:\WINDOWS\system32\jkhhg.dll
2007-08-30 19:31 298,016 --a------ C:\WINDOWS\system32\gebca.dll
2007-08-30 18:31 244,768 --a------ C:\WINDOWS\system32\vtsqo.dll
2007-08-30 17:31 244,768 --a------ C:\WINDOWS\system32\ddabc.dll
2007-08-30 15:08 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-30 11:28 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-30 10:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-08-30 10:33 <DIR> d-------- C:\{0000464D-0000-0000-22BF-2D35761CBBA6}
2007-08-30 08:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-08-30 08:10 <DIR> d-------- C:\VundoFix Backups
2007-08-29 09:43 913,408 --a------ C:\WINDOWS\system32\xreglib.dll
2007-08-29 08:58 <DIR> d-------- C:\DOCUME~1\-\APPLIC~1\Bitdefender
2007-08-29 08:44 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-08-29 08:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-08-28 13:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-28 13:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 13:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-27 11:29 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-26 11:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-26 09:48 <DIR> d-------- C:\WINDOWS\pss
2007-08-25 21:22 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-08-25 21:16 <DIR> d-------- C:\Program Files\EA GAMES
2007-08-25 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-25 20:14 <DIR> d-------- C:\DOCUME~1\-\.housecall6.6
2007-08-25 20:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-25 19:41 43,542 --a------ C:\WINDOWS\system32\ssqpoop.dll
2007-08-25 19:35 <DIR> d-------- C:\NVIDIA
2007-08-21 15:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-08-21 15:31 <DIR> d-------- C:\DOCUME~1\-\APPLIC~1\MSN6
2007-08-17 16:41 88,520 --a------ C:\WINDOWS\system32\Stompdll.dll
2007-08-17 16:41 398,416 --a------ C:\WINDOWS\system32\VBRUN300.DLL
2007-08-16 21:32 <DIR> d-------- C:\Program Files\Ares
2007-08-15 20:56 8,192 --------- C:\WINDOWS\system32\CoachWrp.dll
2007-08-15 20:56 5,632 --------- C:\WINDOWS\system32\CoachSti.dll
2007-08-15 20:56 46,944 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2007-08-15 20:56 44,256 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2007-08-15 20:56 41,984 --------- C:\WINDOWS\system32\CoachWia.dll
2007-08-15 20:56 32,768 --a------ C:\WINDOWS\system32\infcpy.dll
2007-08-15 20:56 2,560 --------- C:\WINDOWS\system32\CoachTW.dll
2007-08-15 20:56 16,896 --------- C:\WINDOWS\system32\CoachDlg.dll
2007-08-15 20:56 114,688 --------- C:\WINDOWS\system32\JpegCode.dll
2007-08-15 20:56 <DIR> d-------- C:\Program Files\Common Files\Digi338
2007-08-11 21:50 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-08-11 21:45 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-11 18:53 81,408 -ra------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-08-11 18:53 <DIR> d-------- C:\WINDOWS\OPTIONS
2007-08-11 18:53 <DIR> d-------- C:\Program Files\Realtek
2007-08-10 22:50 <DIR> d-------- C:\Program Files\Exact Audio Copy
2007-08-10 22:43 <DIR> d-------- C:\WINDOWS\vbSkinner
2007-08-10 22:38 <DIR> d-------- C:\Program Files\PFConfig
2007-08-08 11:23 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-08-07 21:28 <DIR> d-------- C:\Program Files\Quick Screen Recorder
2007-08-07 13:58 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 10:31 43542 --a------ C:\WINDOWS\system32\ssqpoop.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\vtsqn.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ssttq.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ssqro.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ssqpq.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ssqpp.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ssqpm.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\pmnno.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\pmnnl.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\pmkjg.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\pmkhg.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\mllmn.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\mllmk.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\mlljk.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\mlljj.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\jkkjk.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\jkkjh.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\jkkjg.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\jkhhg.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\jkhfg.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\jkhfc.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\geedd.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\geebx.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\geebb.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\geeba.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\gebyw.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\gebcy.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\gebcc.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\gebca.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ddcyy.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ddcyw.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ddccb.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ddcca.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\ddabb.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awvvv.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awvvu.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awvvt.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awvvs.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awtss.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awtsr.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awtsp.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awtqp.dll.vir
2007-09-06 10:31 298016 --a------ C:\WINDOWS\system32\awtqo.dll.vir
2007-09-05 23:31 --------- d-------- C:\DOCUME~1\-\APPLIC~1\uTorrent
2007-08-31 13:37 --------- d-------- C:\DOCUME~1\-\APPLIC~1\foobar2000
2007-08-29 09:41 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2007-08-29 08:58 --------- d-------- C:\DOCUME~1\-\APPLIC~1\Bitdefender
2007-08-27 19:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-21 15:31 --------- d-------- C:\DOCUME~1\-\APPLIC~1\MSN6
2007-08-09 23:06 --------- d-------- C:\DOCUME~1\-\APPLIC~1\Apple Computer
2007-08-07 18:58 --------- d-------- C:\Program Files\MSN Messenger
2007-08-03 15:20 --------- d-------- C:\Program Files\Synth1
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 17:14 708608 --a------ C:\WINDOWS\system32\CDDBUIRoxio.dll
2007-07-30 17:14 62288 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-30 17:14 57344 --a------ C:\WINDOWS\uneng.exe
2007-07-30 17:14 569344 --a------ C:\WINDOWS\system32\CDDBControlRoxio.dll
2007-07-30 17:14 49152 --a------ C:\WINDOWS\system32\INETWH32.dll
2007-07-30 17:14 49152 --a------ C:\WINDOWS\system32\cdrtc.dll
2007-07-30 17:14 45056 --a------ C:\WINDOWS\system32\cdral.dll
2007-07-30 17:14 23436 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-30 17:14 1044480 --a------ C:\WINDOWS\system32\Roboex32.dll
2007-07-30 17:14 --------- d-------- C:\Program Files\Common Files\Adaptec Shared
2007-07-30 17:14 --------- d-------- C:\Program Files\Adaptec
2007-07-28 11:13 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-28 11:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-07-28 11:12 24192 --a------ C:\DOCUME~1\-\usbsermptxp.sys
2007-07-28 11:12 22768 --a------ C:\DOCUME~1\-\usbsermpt.sys
2007-07-27 19:46 --------- d-------- C:\Program Files\Plogue
2007-07-18 20:07 --------- d-------- C:\Program Files\QuickTime
2007-07-18 20:07 --------- d-------- C:\Program Files\iTunes
2007-07-18 20:07 --------- d-------- C:\Program Files\iPod
2007-07-18 20:07 --------- d-------- C:\Program Files\Apple Software Update
2007-07-18 20:07 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-18 20:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-11 21:25 --------- d-------- C:\Program Files\Common Files\Digidesign
2007-07-11 21:21 --------- d-------- C:\DOCUME~1\-\APPLIC~1\WinRAR
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-07-08 17:20 --------- d-------- C:\Program Files\foobar2000
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-11-26 22:27 30589023 --a------ C:\DOCUME~1\-\GuitarRig 2.exe
2006-09-22 16:00 935362 --a------ C:\DOCUME~1\-\Rig Kontrol 2 Driver Setup.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67253FB7-6F82-485E-9CFF-81F0BE6833F6}]
C:\WINDOWS\system32\jkhhh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-30 18:51]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-30 18:51]
"CTHelper"="CTHELPER.EXE" [2006-05-24 05:20 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 05:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-08-29 09:42]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-08-29 09:42]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-08-30 14:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-08-07 18:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winowl32]
winowl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]

R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
R3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;C:\WINDOWS\system32\Drivers\tascusb2.sys
R3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;C:\WINDOWS\system32\drivers\tscusb2m.sys
R3 TASCAM_US122L_WDM;TASCAM US-122L WDM;C:\WINDOWS\system32\drivers\tscusb2a.sys
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys
S3 emusba10;E-MU USB-Audio 1.0 Driver;C:\WINDOWS\system32\DRIVERS\emusba10.sys
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys


Contents of the 'Scheduled Tasks' folder
2007-08-31 16:40:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-09-04 17:00:00 C:\WINDOWS\Tasks\Pareto UNS.job - C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 10:36:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 10:37:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 10:37

--- E O F ---

---------------------------------------------------------




Next I have the HiJackThis log:



-----------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 10:43:07, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67253FB7-6F82-485E-9CFF-81F0BE6833F6} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0349849523
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0351403077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23DBDD94-C9D5-4C69-A847-AE5849886600}: NameServer = 194.168.4.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Unread postby Navigator » September 6th, 2007, 11:56 am

You are welcome Vaughan....

I want to mention a few things at this point...

Your HJT log makes mention of some P2P filesharing apps, such as ares...you should understand that these programs are probably the largest source of malware we see. While the program itself may be 'clean', many of the files shared often contain malware.

While it is not my place to tell you what to do, I would recommend removing any P2P apps from your system...but the choice is obviously yours. If you want to read about P2P apps, references for the risk of these programs are here: http://www.microsoft.com/windows/ie/com ... ction.mspx here: http://www.techweb.com/wire/160500554 and here: http://www.internetworldstats.com/articles/art053.htm

You also have SpyHunter installed on your system...this program has somewhat of a dubious reputation. You can read about it here at the Spybot S&D forum: http://forums.spybot.info/showthread.php?t=7028

You can also read about the program here at SpywareWarrior's rogue-anti-spyware site: http://www.spywarewarrior.com/rogue_ant ... tm#sh_note

Is it a 'good' program or rogue? It is questionable to say the least...and with so many other known 'good' programs out there, you might want to reconsider the use of SpyHunter...but once again, that is your choice.

OK, on to more cleaning:

1. Please re-open HiJackThis and choose scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {67253FB7-6F82-485E-9CFF-81F0BE6833F6} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked.

2. Delete a File on Reboot (this file may or may not be present...but we need to check!):

  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\Windows\System32\winowl32.dll
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "yes".

If the file is not present to delete on reboot as directed above, then close HJT, reboot your system manually and let me know in your next reply.

3. After the computer reboots, please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.


4. Copy and paste the Kaspersky scan results and a new HJT log in your next post.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
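To show how an analyst picks those two entries out of a full HJT log, here is an added Python example (not part of this thread or of any tool used in it) that parses HijackThis v1.99.1 result lines and flags load points whose payload is gone; the sample lines are copied from the log posted above. It also separates out the BitDefender O23 services, which HJT shows with a stray quote and "(file missing)" even though the same binaries appear in the running-process list, so they are marked for a manual check rather than fixed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis v1.99.1 result line: "O<n> - <rest of entry>".
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# An absolute Windows path to a loadable module; stops at the first quote.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe|sys|ocx)', re.IGNORECASE)
# A bare module name, as O20 Winlogon Notify entries list them.
BARE_MODULE = re.compile(r"[\w.-]+\.(?:dll|exe|sys)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O2" or "O20"
    reason: str    # why the entry was flagged
    target: str    # module the load point refers to ("" if none named)
    line: str      # the original log line, ready to paste into a fix list


def parse_entries(log_text: str):
    """Yield (section, body, line) for each O-line; other lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def target_of(body: str) -> str:
    """Best-effort extraction of the file a load point points at."""
    m = WIN_PATH.search(body) or BARE_MODULE.search(body)
    return m.group(0) if m else ""


def triage(log_text: str) -> list[Finding]:
    """Flag stale registrations only; a BHO or notify DLL that is present
    is not judged here and still needs the analyst's own lookup."""
    findings: list[Finding] = []
    for section, body, line in parse_entries(log_text):
        missing = "(file missing)" in body
        if section in ("O2", "O4", "O20") and missing:
            # Registry load point survives but its DLL/EXE is gone: the orphan a
            # partial cleanup leaves behind. Removing the registration is the fix.
            findings.append(Finding(section, "orphaned load point", target_of(body), line))
        elif section == "O2" and "(no file)" in body:
            # CLSID registered as a BHO with no file associated with it at all.
            findings.append(Finding(section, "BHO CLSID with no file", "", line))
        elif section == "O23" and missing:
            if '"' in body:
                # HJT prints a stray quote plus "(file missing)" for services whose
                # path carries arguments; check the process list before acting.
                findings.append(Finding(section, "service path needs manual check",
                                        target_of(body), line))
            else:
                findings.append(Finding(section, "service binary missing",
                                        target_of(body), line))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The lines to tick in HJT 'Scan only' and then 'Fix checked'."""
    return [f.line for f in findings if f.reason == "orphaned load point"]


# Constructed sample: lines copied from the second HJT log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67253FB7-6F82-485E-9CFF-81F0BE6833F6} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:<4} {f.reason:<32} {f.target}")
    print("Fix checked:")
    for line in fix_list(results):
        print("  " + line)
```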

Unread postby Vaughan » September 6th, 2007, 2:59 pm

Hello. I have completed the first two steps of your advice as above. The file 'winowl32.dll' could not be found on this computer.

I couldn't complete step 3 using Kaspersky WebScanner because the website informs me that I need certain files. Internet Explorer has a small dialogue box which reads as follows:

'The file '002E08D9.key' on (Unknown) was not found. Type the path where the file is located, and then click OK. Copy files from:

C:\DOCUME~1\-\LOCALS~1\Temp\ICD1.tmp


Nothing happens when I click OK here. I don't know where to get this file or what it is for.

Do you still want me to get the HJT log?
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Unread postby Vaughan » September 6th, 2007, 4:44 pm

Navigator, I have also sent you a private message with a quick question in it. Thanks,
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Unread postby Navigator » September 6th, 2007, 6:11 pm

Vaughan wrote:Hello. I have completed the first two steps of your advice as above. The file 'winowl32.dll' could not be found on this computer.

I couldn't complete step 3 using Kaspersky WebScanner because the website informs me that I need certain files. Internet Explorer has a small dialogue box which reads as follows:

'The file '002E08D9.key' on (Unknown) was not found. Type the path where the file is located, and then click OK. Copy files from:

C:\DOCUME~1\-\LOCALS~1\Temp\ICD1.tmp


Nothing happens when I click OK here. I don't know where to get this file or what it is for.

Do you still want me to get the HJT log?


You're the second person today that told me that same problem with Kaspersky! Something may be wrong on their end...

Let's get an online scan from Panda instead, and yes, I'll need a new HJT log with the Panda Scan results:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Vaughan » September 7th, 2007, 3:37 am

Here is the Panda scan. It is not easy to read like this - I can send you the log via email in a .txt if this would be easier for you.

---------------

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.exe
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[server.iad.liveperson.net/hc/15816569]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.zedo.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.overture.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\-\Application Data\Mozilla\Firefox\Profiles\k8s6f1mr.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\-\Cookies\-@ads.pointroll[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\-\Cookies\-@as1.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\-\Cookies\-@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\-\Cookies\-@bs.serving-sys[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\-\Cookies\-@mediaplex[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\-\Cookies\-@xmts[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\-\Desktop\ComboFix.exe[nircmd.exe]
Virus:Generic Trojan Disinfected C:\Documents and Settings\-\My Documents\Downloads\EE 5.058-SETUP\Evidence Eliminator 5.zip[Evidence Eliminator 5.0/Crack/Key Generator (Crack 3).exe]
Virus:Generic Malware Disinfected C:\Documents and Settings\-\My Documents\Downloads\SpyHunter.2.9\Patch After Upgarding\spyhunter.2.9_Patch2.exe
Virus:Generic Malware Disinfected C:\Documents and Settings\-\My Documents\Downloads\SpyHunter.2.9\SpyHunter.2.9_Patch1.exe
Spyware:Cookie/Adrevolver Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@adrevolver[1].txt.dat[Documents and Settings/-/Cookies/-@adrevolver[1].txt]
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@adtech[2].txt.dat[Documents and Settings/-/Cookies/-@adtech[2].txt]
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@advertising[1].txt.dat[Documents and Settings/-/Cookies/-@advertising[1].txt]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@atdmt[2].txt.dat[Documents and Settings/-/Cookies/-@atdmt[2].txt]
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@bs.serving-sys[2].txt.dat[Documents and Settings/-/Cookies/-@bs.serving-sys[2].txt]
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@doubleclick[2].txt.dat[Documents and Settings/-/Cookies/-@doubleclick[2].txt]
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@serving-sys[2].txt.dat[Documents and Settings/-/Cookies/-@serving-sys[2].txt]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@statse.webtrendslive[2].txt.dat[Documents and Settings/-/Cookies/-@statse.webtrendslive[2].txt]
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@tradedoubler[1].txt.dat[Documents and Settings/-/Cookies/-@tradedoubler[1].txt]
Spyware:Cookie/Yadro Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@yadro[2].txt.dat[Documents and Settings/-/Cookies/-@yadro[2].txt]
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@zedo[1].txt.dat[Documents and Settings/-/Cookies/-@zedo[1].txt]
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Enigma Software Group\SpyHunter\Backup\-@zedo[2].txt.dat[Documents and Settings/-/Cookies/-@zedo[2].txt]
Virus:Generic Malware Disinfected C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.2.9_Patch1.exe
Virus:Generic Malware Disinfected C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.2.9_Patch2.exe
Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\catchme2007-09-06_103616.23.zip[awtss.dll]
Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\catchme2007-09-06_103616.23.zip[awvvv.dll]
Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\catchme2007-09-06_103616.23.zip[gebcc.dll]
Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\catchme2007-09-06_103616.23.zip[jkkjg.dll]
Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\catchme2007-09-06_103616.23.zip[jkkjh.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\catchme2007-09-06_103616.23.zip[vtsqq.dll]
Adware:Adware/UltimateCleaner Not disinfected C:\qoobox\Quarantine\catchme2007-09-06_103616.23.zip[s2f.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\drvrogr.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

--------------------

Here is the new HJT log after the Panda scan:


-----------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 08:35:09, on 07/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0349849523
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0351403077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23DBDD94-C9D5-4C69-A847-AE5849886600}: NameServer = 194.168.4.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Unread postby Navigator » September 7th, 2007, 7:34 pm

Hello Vaughan....good job.

The HJT log is 'clean'...everything the Panda Scan found it cleaned, other than the cookies in IE and Firefox (these you can clean manually or use the ATF cleaner we used earlier).

Interesting...when reviewing the Panda Log, it shows this:

Virus:Generic Trojan Disinfected C:\Documents and Settings\-\My Documents\Downloads\EE 5.058-SETUP\Evidence Eliminator 5.zip[Evidence Eliminator 5.0/Crack/Key Generator (Crack 3).exe]

Someone on this system was trying to access cracks or a 'keygen'....this is a certain way to attract malware to your system. 'Keygens' are often associated or loaded with malware, and should be avoided (along with 'cracks' and associated 'crack' sites).

I'd like to see a HJT Uninstall List:

Open HijackThis, click Open Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

How is the system running? Any problems?
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Vaughan » September 8th, 2007, 9:16 am

Hi. Thanks for helping me to resolve this problem. You guys are doing a great service.

As for the system and whether it has had problems. Yes, it had a performance drop. It was quite noticeable. I had a problem with the wireless internet connection where I think it was accessible as an open network. I believe I've corrected this. This is probably what that 'crack' thing came from along with whatever other viruses. I've deleted that infection now so hopefully it's not a problem now.

µTorrent
Ableton Live v6.0.7
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Apple Software Update
Battlefield 2(TM)
Belkin 802.11g Wireless PCI Card
Blaze Media Pro
CD-DA X-Tractor v0.24
Creative MediaSource 5
Creative Software AutoUpdate
dBpoweramp Music Converter
DivX Content Uploader
DivX Web Player
Dual Mode Digital Camera 5.0M
Easy CD Creator 5 Platinum
Enigma
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan Assistant
Exact Audio Copy 0.95b3
foobar2000 v0.9.4.3
HijackThis 1.99.1
iTunes
Java(TM) 6 Update 2
Motorola Phone Tools
Mozilla Firefox (2.0.0.6)
NVIDIA Drivers
NVIDIA WDM Drivers
Ohm Force - Ohmicide VST
Panda ActiveScan
PFConfig 1.0.159
QuickTime
REALTEK GbE & FE Ethernet PCI NIC Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Spybot - Search & Destroy 1.4
Synth1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
US-122L / US-144 driver
WAV MP3 Converter 2.3 build 703
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live OneCare safety scanner
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm

----

By the way, what is 'Windows Hotfix'? Is it necessary?
Thanks
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Unread postby Navigator » September 8th, 2007, 1:15 pm

Vaughan wrote:Hi. Thanks for helping me to resolve this problem. You guys are doing a great service.


Thanks, and you are welcome.

Vaughan wrote:As for the system and whether it has had problems. Yes, it had a performance drop. It was quite noticeable. I had a problem with the wireless internet connection where I think it was accessible as an open network. I believe I've corrected this. This is probably what that 'crack' thing came from along with whatever other viruses. I've deleted that infection now so hopefully it's not a problem now.


I am glad your system is working better...I am assuming the performance drop and network issue are resolved since you are talking about them in the 'past' tense.

In the HJT uninstall list, programs that I see that I would be wary about are the utorrent which as I informed you earlier is a P2P app with its associated security risks. I also see something called PFConfig 1.0.159 which I have no idea what it is...but if I search the program name on Google, it comes up with a whole slew of 'crack' sites. Do you know what this program is, and do you use it?

I would recommend removing both of these programs, but of course the choice is yours. If you choose to remove them I would do it via Add or Remove Programs in Control Panel.

Vaughan wrote:By the way, what is 'Windows Hotfix'? Is it necessary?
Thanks


Windows Hotfixes are updates to XP, often security related, that are issued between 'major' updates/patches...like SP1 and SP2. My understanding is that when the 'major' updates or security patches are issued and installed, they remove the interval 'hotfixes' as they encompass these hotfixes and more. I would assume they are necessary and would leave them be unless you experienced some particular problem after installing one of them; if this is the case, I believe MS has a tool to remove the particular offending HotFix (information found here: http://support.microsoft.com/kb/184305 )....but absent any problems, I would leave them be.

Any other issues with the system? Let me know...if not, we can finish up.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Vaughan » September 9th, 2007, 7:28 am

Hi. Yes, the system works much better now. It is running as it was before the wireless network problem. The wireless problem was fixed after phoning up technical support ... for a long time!

I don't know what pfconfig is so I think it should be safe to delete. I'm not the only person who uses the system so I will have to check with family and maybe some of their friends who have used the computer in case it is used for something I don't know.

I'll leave the HotFix files alone. It looks like I shouldn't change that.

The system works normally now. Again, thanks for the help. I'll follow your advice for staying free of the nuisance software and I'll recommend the site to any friends with problems like this.
Vaughan
Active Member
 
Posts: 11
Joined: September 1st, 2007, 11:20 am

Unread postby Navigator » September 9th, 2007, 8:49 am

You are welcome!

Your HJT appears clean and I'm glad your system is running well without problems!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • THIS IS IMPORTANT! - If you are using Windows XP then you should reset system restore to make sure there are no infected files found in a restore point and that you have a clean restore point should you need one!

    Now let's reset your restore points.

    Click Start Menu >> All Programs >> Accessories >> System Tools >> System Restore

    Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'.

    Next go to Start Menu >> Run, then type:

    cleanmgr


    click OK, when Disk Cleanup opens go to the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy- Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd for Zoned Out - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. ATF is a new, freeware, temporary file cleaner for Windows, IE, Firefox and Opera with a simple, easy-to-use interface. The main screen allows the user to either clean all temporary files, or select files for cleaning. The program also knows if Firefox and or Opera is being used, and gives the option of cleaning the temporary files associated with those applications.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. These are excellent reads too: I'm not pulling your leg and Malware: Preventing the Infection



Remember...be careful out there!
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
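As an added example, not code from this post or from the forum, here is a PowerShell script that audits the same six Internet-zone settings from the registry, so the manual Custom Level steps above can be checked (or re-applied with -Fix) for the current user. It assumes IE's documented zone layout: zone 3 is the Internet zone, each setting is a DWORD named by its policy ID, and 0/1/3 mean Enable/Prompt/Disable; the post itself does not state these values.

```powershell
# Added example, not from the forum post: audits (and optionally sets) the six
# Internet-zone settings the post walks through, by reading IE's per-user zone
# policy from the registry instead of clicking through Custom Level.
# Assumed layout: zone 3 = Internet zone; each setting is a REG_DWORD named by
# its policy ID, with data 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy ID -> setting name and the value the post recommends.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                           Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                         Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                              Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeInternetZone {
    param(
        [string]$Path = $ZonePath,
        [switch]$Fix   # when set, write the recommended value for each non-compliant setting
    )
    if (-not (Test-Path $Path)) { throw "Zone key not found: $Path" }
    $props = Get-ItemProperty -Path $Path
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Want
        $have = $props.$id          # $null when absent; IE then falls back to its built-in default
        $compliant = ($null -ne $have) -and ([int]$have -eq $want)
        if ($Fix -and -not $compliant) {
            Set-ItemProperty -Path $Path -Name $id -Value $want -Type DWord
            $have = $want; $compliant = $true
        }
        $haveText = if ($null -eq $have) { 'not set (default)' }
                    elseif ($Meaning.ContainsKey([int]$have)) { $Meaning[[int]$have] }
                    else { "unknown ($have)" }
        [pscustomobject]@{
            Id          = $id
            Setting     = $Recommended[$id].Name
            Current     = $haveText
            Recommended = $Meaning[$want]
            Compliant   = $compliant
        }
    }
}

# Report only; add -Fix to apply the post's recommended values for the current user.
Test-IeInternetZone | Format-Table -AutoSize
```

A setting reported as "not set (default)" is governed by IE's default for that zone rather than an explicit per-user value, which is why the audit does not count it as compliant.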