Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

BestSeller Antivirus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby q80 » October 25th, 2007, 9:57 pm

Hello,
I've the same problem.. hope to help me too..
and that's my scan :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:55 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 62.189.6.78 _sip._tls.sip1.callserve.com
O1 - Hosts: 62.189.6.78 _sip._ssl.sip1.callserve.com
O1 - Hosts: 62.189.6.79 _sip._tls.sip2.callserve.com
O1 - Hosts: 62.189.6.79 _sip._ssl.sip2.callserve.com
O1 - Hosts: 62.189.6.85 _sip._tls.sip5.phoneserve.com
O1 - Hosts: 62.189.6.85 _sip._ssl.sip5.phoneserve.com
O1 - Hosts: 62.189.6.86 _sip._tls.sip6.phoneserve.com
O1 - Hosts: 62.189.6.86 _sip._ssl.sip6.phoneserve.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jcwftgvp.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [54a58e5f] rundll32.exe "C:\WINDOWS\system32\nkcgylys.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtenefsu.html

--
End of file - 4843 bytes
q80
Active Member
 
Posts: 6
Joined: October 25th, 2007, 9:54 pm
Advertisement
Register to Remove

Unread postby random/random » October 26th, 2007, 5:53 pm

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Unread postby q80 » October 26th, 2007, 11:06 pm

After using the internet for awhile..I feel that the malware didn't removed yet .. thank you for helping .. hope to help me kill this malware until the final step

this is the combofix log :
ComboFix 07-10-26.4 - Sayed Hadi 2007-10-25 19:00:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.965.1033.18.444 [GMT -7:00]
Running from: C:\Documents and Settings\Sayed Hadi\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\hala\Desktop\Live Safety Center.lnk
C:\Documents and Settings\hala\Desktop\Online Security Guide.lnk
C:\Documents and Settings\hala\Favorites\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\avtasks.dat
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\Logs\av.log
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\Logs\ga6Support.log
C:\Documents and Settings\Sayed Hadi\Application Data\BestsellerAntivirus\Logs\update.log
C:\Documents and Settings\Sayed Hadi\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Sayed Hadi\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Sayed Hadi\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Sayed Hadi\ResErrors.log
C:\Program Files\Common Files\uwmu
C:\Program Files\Common Files\uwmu\uwmua.lck
C:\Program Files\Common Files\uwmu\uwmud\class-barrel
C:\Program Files\Common Files\uwmu\uwmud\uwmuc.dll
C:\Program Files\Common Files\uwmu\uwmud\vocabulary
C:\Program Files\Common Files\uwmu\uwmuh
C:\Program Files\Common Files\uwmu\uwmul.exe
C:\Program Files\Common Files\uwmu\uwmul.lck
C:\Program Files\Common Files\uwmu\uwmum.lck
C:\Program Files\Common Files\uwmu\uwmup.exe
C:\Program Files\inetget2
C:\Program Files\MSN Gaming Zone\qufaqy.dll
C:\Program Files\MSN Gaming Zone\qufaqy538.dll
C:\Program Files\MSN Gaming Zone\qufaqy695.dll
C:\Program Files\MSN Gaming Zone\rtenefsu.html
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Online Services\meso4444.dll
C:\Program Files\Online Services\meso83122.dll
C:\Program Files\svhost
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\Temp\fse
C:\Temp\xOe
C:\UGA6P
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\adccf.bak1
C:\WINDOWS\system32\adccf.bak2
C:\WINDOWS\system32\adccf.ini
C:\WINDOWS\system32\adccf.ini2
C:\WINDOWS\system32\adccf.tmp
C:\WINDOWS\system32\aixkrjqv.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\blbyhkwj.exe
C:\WINDOWS\system32\cufxcwdp.exe
C:\WINDOWS\system32\cyblhjfm.exe
C:\WINDOWS\system32\datynokx.exe
C:\WINDOWS\system32\dcrnrxcx.exe
C:\WINDOWS\system32\dhrkwjzv.dll
C:\WINDOWS\system32\dhrkwjzv.dllbox
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fccda.dll
C:\WINDOWS\system32\gircmvlm.exe
C:\WINDOWS\system32\gknohdle.dll
C:\WINDOWS\system32\gknohdle.dllbox
C:\WINDOWS\system32\gtbkibxy.dll
C:\WINDOWS\system32\gtbkibxy.dllbox
C:\WINDOWS\system32\gyimmiir.exe
C:\WINDOWS\system32\hjqookoj.exe
C:\WINDOWS\system32\husdnoro.exe
C:\WINDOWS\system32\hyixrkyr.exe
C:\WINDOWS\system32\iftkyyrk.exe
C:\WINDOWS\system32\ineprhgc.exe
C:\WINDOWS\system32\ioelsnoj.exe
C:\WINDOWS\system32\iqkhopts.exe
C:\WINDOWS\system32\jcwftgvp.dll
C:\WINDOWS\system32\jcwftgvp.dllbox
C:\WINDOWS\system32\jjriyff.dll
C:\WINDOWS\system32\jponhbcg.exe
C:\WINDOWS\system32\klrpddmp.ini
C:\WINDOWS\system32\lwmxkxji.exe
C:\WINDOWS\system32\lwutvctw.exe
C:\WINDOWS\system32\mwyhgfuf.exe
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\oTt02e\oTt02e1065.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmddprlk.dll
C:\WINDOWS\system32\pnbcivfs.exe
C:\WINDOWS\system32\pryiqioj.exe
C:\WINDOWS\system32\qcehqean.exe
C:\WINDOWS\system32\qnctbsqk.exe
C:\WINDOWS\system32\rehjgjdb.dll
C:\WINDOWS\system32\rybxsnly.exe
C:\WINDOWS\system32\sjfcldvg.exe
C:\WINDOWS\system32\sucdmsmy.exe
C:\WINDOWS\system32\tbjntnrg.exe
C:\WINDOWS\system32\tlxnmyta.exe
C:\WINDOWS\system32\tyeolmgg.exe
C:\WINDOWS\system32\uhrphsrx.dll
C:\WINDOWS\system32\uhrphsrx.dllbox
C:\WINDOWS\system32\ujqlijjm.exe
C:\WINDOWS\system32\ukuilegn.exe
C:\WINDOWS\system32\vczaikai.dll
C:\WINDOWS\system32\vczaikai.dllbox
C:\WINDOWS\system32\vectscqj.exe
C:\WINDOWS\system32\vjlcsqrv.exe
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\wapypwcm.exe
C:\WINDOWS\system32\wbettxan.exe
C:\WINDOWS\system32\wlataqcq.exe
C:\WINDOWS\system32\wttswgzy.dll
C:\WINDOWS\system32\wttswgzy.dllbox
C:\WINDOWS\system32\wytadons.dll
C:\WINDOWS\system32\wytadons.dllbox
C:\WINDOWS\system32\xtliqyms.exe
C:\WINDOWS\system32\ybfervzi.dll
C:\WINDOWS\system32\ybfervzi.dllbox
C:\WINDOWS\system32\ygxtodos.exe
C:\WINDOWS\system32\yldltsqy.ini
C:\WINDOWS\system32\yqstldly.dll
C:\WINDOWS\system32\zngnqmsc.dll
C:\WINDOWS\system32\zngnqmsc.dllbox
C:\WINDOWS\tk58.exe
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\tsitra572.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\uwmu
C:\WINDOWS\uwmu\uwmu.dat
C:\WINDOWS\uwmu\wu

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-26 01:15 83,008 --a------ C:\WINDOWS\system32\pmioihpn.dll
2007-10-25 21:43 83,008 --a------ C:\WINDOWS\system32\palmrewc.dll
2007-10-25 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 18:42 <DIR> d-------- C:\Documents and Settings\hala\Contacts
2007-10-25 02:50 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Yahoo!
2007-10-25 02:33 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-25 02:31 108,728 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-25 02:31 48,824 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-25 02:30 <DIR> d-------- C:\Documents and Settings\hala\Application Data\AdobeUM
2007-10-25 02:23 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Symantec
2007-10-25 02:23 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Sony Corporation
2007-10-25 02:23 <DIR> d-------- C:\Documents and Settings\hala\Application Data\Drag'n Drop CD+DVD
2007-10-24 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 18:58 84,544 --a------ C:\WINDOWS\system32\yvnaunie.dll
2007-10-23 02:16 84,544 --a------ C:\WINDOWS\system32\gdpyvvtc.dll
2007-10-20 01:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-19 00:38 <DIR> d--hs---- C:\WINDOWS\U2F5ZWQgSGFkaQ
2007-10-19 00:38 421,888 --a------ C:\WINDOWS\system32\bkinnxyt.dll
2007-10-19 00:38 118,784 --a------ C:\WINDOWS\system32\artchker.exe
2007-10-19 00:38 45,056 --a------ C:\WINDOWS\system32\katzpwwcx.exe
2007-10-19 00:38 45,056 --a------ C:\WINDOWS\system32\katzppd.exe
2007-10-19 00:38 44,922 --a------ C:\WINDOWS\system32\IKatzuUninstall.exe
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\xx1
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\od2
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\ib1
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\cp1
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\bo2
2007-10-19 00:37 <DIR> d-------- C:\WINDOWS\system32\ap1
2007-10-19 00:37 549,949 --a------ C:\temp\cilo.exe
2007-10-19 00:37 35,840 --a------ C:\WINDOWS\system32\xxyawwu.dll
2007-10-18 15:22 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-12 13:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-08 12:34 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-08 12:33 <DIR> d-------- C:\Documents and Settings\Sayed Hadi\Application Data\Talkback
2007-10-08 12:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-06 22:02 <DIR> d-------- C:\Program Files\CONEXANT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 01:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-25 09:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-25 09:41 --------- d-----w C:\Program Files\Symantec
2007-10-19 07:38 24,576 ----a-w C:\WINDOWS\system32\msxml3a.dll
2007-10-12 20:15 --------- d-----w C:\Program Files\Common Files\Real
2007-10-09 08:47 --------- d-----w C:\Program Files\Golden Al-Wafi Translator
2007-10-09 01:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-07 05:13 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-07 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-09-06 21:24 337,056 ----a-w C:\WINDOWS\system32\ENTER.scr
2007-09-06 06:29 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-29 04:30 --------- d-----w C:\Program Files\support.com
2007-08-29 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-08-26 08:27 --------- d-----w C:\Program Files\HP
2007-08-26 08:20 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-26 06:30 --------- d-----w C:\Program Files\Paltalk Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 01:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 01:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 01:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 01:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 01:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 01:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 01:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 01:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 01:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2005-08-02 23:46:54 187,904 --sha-r C:\WINDOWS\U2F5ZWQgSGFkaQ\asappsrv.dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\U2F5ZWQgSGFkaQ\oZIctqk0m3I4uk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C92B957B-4767-4E53-A63C-1E547C35F0C6}]
2007-10-19 00:37 35840 --a------ C:\WINDOWS\system32\xxyawwu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]
2007-10-19 00:38 421888 --a------ C:\WINDOWS\system32\bkinnxyt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 08:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-28 01:34]
"54a58e5f"="C:\WINDOWS\system32\bqfjhrhq.dll" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-02 18:04]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-05-19 08:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C92B957B-4767-4E53-A63C-1E547C35F0C6}"= C:\WINDOWS\system32\xxyawwu.dll [2007-10-19 00:37 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyawwu]
xxyawwu.dll 2007-10-19 00:37 35840 C:\WINDOWS\system32\xxyawwu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fccda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk
backup=C:\WINDOWS\pss\PowerPanel.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=C:\WINDOWS\pss\QuickTV.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\54a58e5f]
rundll32.exe "C:\WINDOWS\system32\gdpyvvtc.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
C:\WINDOWS\system32\artchker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\DOCUME~1\SAYEDH~1\LOCALS~1\Temp\RarSFX0\rd.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKSERV.EXE]
C:\Program Files\Sony\HotKey Utility\HKserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
C:\Program Files\Pando Networks\Pando\pando.exe /Automation

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\Propel Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sweeper.exe]
C:\Program Files\History Sweeper\sweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"Network Monitor"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"DomainService"=2 (0x2)
"Dnscache"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

S3 Cap7134;Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
S3 CSRBC01;CSRBC01.Sys CSR test driver;C:\WINDOWS\system32\Drivers\CSRBC01.sys
S3 DCamUSBSony4;Sony Visual Communication Camera;C:\WINDOWS\system32\DRIVERS\snyucam4.sys
S3 DCamUSBSonyA4;Sony USB Microphone;C:\WINDOWS\system32\drivers\snyuflt4.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca623c30-4613-11dc-bcc9-080046cc81a2}]
AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 09:50:58 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - hala.job"
"2007-10-26 02:21:38 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-20 10:00:38 C:\WINDOWS\Tasks\XoftSpySE.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 19:22:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 19:29:16 - machine was rebooted
.
--- E O F ---


and that's the Hijack log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:57 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [54a58e5f] rundll32.exe "C:\WINDOWS\system32\bqfjhrhq.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 5305 bytes

thanks a lot
q80
Active Member
 
Posts: 6
Joined: October 25th, 2007, 9:54 pm

Unread postby random/random » October 27th, 2007, 6:23 am

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code: Select all
    File::
    C:\WINDOWS\system32\pmioihpn.dll
    C:\WINDOWS\system32\palmrewc.dll
    C:\WINDOWS\system32\yvnaunie.dll
    C:\WINDOWS\system32\gdpyvvtc.dll
    C:\WINDOWS\system32\bkinnxyt.dll
    C:\WINDOWS\system32\artchker.exe
    C:\WINDOWS\system32\katzpwwcx.exe
    C:\WINDOWS\system32\katzppd.exe
    C:\WINDOWS\system32\IKatzuUninstall.exe
    C:\WINDOWS\system32\xxyawwu.dll
    C:\WINDOWS\system32\fccda.dll 
    C:\WINDOWS\system32\artchker.exe 
    Folder::
    C:\WINDOWS\U2F5ZWQgSGFkaQ
    C:\WINDOWS\system32\xx1
    C:\WINDOWS\system32\od2
    C:\WINDOWS\system32\ib1
    C:\WINDOWS\system32\cp1
    C:\WINDOWS\system32\bo2
    C:\WINDOWS\system32\ap1
    C:\temp
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C92B957B-4767-4E53-A63C-1E547C35F0C6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5159DF-E413-4878-8AE2-D921D41BB942}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "54a58e5f"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{C92B957B-4767-4E53-A63C-1E547C35F0C6}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyawwu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\54a58e5f]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "cmdService"=-
    "Network Monitor"=-
    "DomainService"=-
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Unread postby q80 » October 27th, 2007, 4:14 pm

hi again ..

this is the combo fix log ..
ComboFix 07-10-26.4 - Sayed Hadi 2007-10-26 12:56:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.965.1033.18.528 [GMT -7:00]
Running from: C:\Documents and Settings\Sayed Hadi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sayed Hadi\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\system32\bkinnxyt.dll
C:\WINDOWS\system32\fccda.dll
C:\WINDOWS\system32\gdpyvvtc.dll
C:\WINDOWS\system32\IKatzuUninstall.exe
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\katzpwwcx.exe
C:\WINDOWS\system32\palmrewc.dll
C:\WINDOWS\system32\pmioihpn.dll
C:\WINDOWS\system32\xxyawwu.dll
C:\WINDOWS\system32\yvnaunie.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Sayed Hadi\Favorites\Online Security Guide.lnk
C:\temp
C:\temp\cilo.exe
C:\temp\EFDFU\CSR\Csrbc01.inf
C:\temp\EFDFU\CSR\Csrbc01.sys
C:\temp\EFDFU\DFU\bc01b_v16.4.3_ALPS.dfu
C:\temp\EFDFU\DFU\bc01b_v16.4.3_ALPS_b102.dfu
C:\temp\EFDFU\DFU\bc02_v16.7.5_SONY.dfu
C:\temp\EFDFU\DFU\BCSP.dll
C:\temp\EFDFU\DFU\csrmfc.dll
C:\temp\EFDFU\DFU\DFUEngine.dll
C:\temp\EFDFU\DFU\DFUOneClick.exe
C:\temp\EFDFU\DFU\H4.dll
C:\temp\EFDFU\DFU\HCI.dll
C:\temp\EFDFU\DFU\libboost_threadmon.dll
C:\temp\EFDFU\DFU\PsBccmd.dll
C:\temp\EFDFU\DFU\pshelp.dll
C:\temp\EFDFU\DFU\spi.dll
C:\temp\EFDFU\DFU\spicommon.dll
C:\temp\EFDFU\DFU\spifns.dll
C:\temp\EFDFU\DFU\UnicoWS.dll
C:\temp\EFDFU\DrvUpUtil\DrvUpUtil_ChangeDrv.exe
C:\temp\EFDFU\EFDFU.exe
C:\temp\EFDFU\MS\blutooth.cat
C:\temp\EFDFU\MS\blutooth.inf
C:\temp\EFDFU\MS\blutooth.PNF
C:\temp\EFDFU\MS\bth_oobc.dll
C:\temp\EFDFU\MS\INFCACHE.1
C:\temp\EFDFU\OII\OIBTNDIS.INF
C:\temp\EFDFU\OII\OIBTNDIS.SYS
C:\temp\EFDFU\OII\OIBTPROT.SYS
C:\temp\EFDFU\OII\OIBTUSB.INF
C:\temp\EFDFU\OII\OIBTUSB.SYS
C:\temp\EFDFU\OII\OIBTVCOM.INF
C:\temp\EFDFU\OII\OIBTVCOM.SYS
C:\temp\EFDFU\Prodtest\BCSP.DLL
C:\temp\EFDFU\Prodtest\CSRMFC.DLL
C:\temp\EFDFU\Prodtest\DrvUpUtil_AftPS.exe
C:\temp\EFDFU\Prodtest\DrvUpUtil_DriverPS.exe
C:\temp\EFDFU\Prodtest\DrvUpUtil_PrePS.exe
C:\temp\EFDFU\Prodtest\Factory.dll
C:\temp\EFDFU\Prodtest\H4.DLL
C:\temp\EFDFU\Prodtest\HCI.DLL
C:\temp\EFDFU\Prodtest\libboost_threadmon.dll
C:\temp\EFDFU\Prodtest\Msvcp60.dll
C:\temp\EFDFU\Prodtest\MSVCRTD.DLL
C:\temp\EFDFU\Prodtest\TestFrame.dll
C:\temp\EFDFU\Prodtest\UnicoWS.dll
C:\temp\EFDFU\version.txt
C:\temp\EFDFU32\Prodtest\DrvUpUtil_PrePS.exe
C:\temp\EFDFU32\version.txt
C:\temp\MS\blutooth.cat
C:\temp\MS\blutooth.inf
C:\temp\MS\bth_oobc.dll
C:\temp\MS\Version.txt
C:\temp\Patch\MSBTPATCH.exe
C:\temp\QFE\q323183_wxp_sp2_x86_deu.exe
C:\temp\QFE\q323183_wxp_sp2_x86_enu.exe
C:\temp\QFE\q323183_wxp_sp2_x86_fra.exe
C:\temp\QFE\q323183_wxp_sp2_x86_ita.exe
C:\temp\QFE\q323183_wxp_sp2_x86_nld.exe
C:\temp\QFE\Q811228_WXP_SP2_x86_DEU.exe
C:\temp\QFE\Q811228_WXP_SP2_x86_ENU.exe
C:\temp\QFE\Q811228_WXP_SP2_x86_FRA.exe
C:\temp\QFE\Q811228_WXP_SP2_x86_ITA.exe
C:\temp\QFE\Q811228_WXP_SP2_x86_NLD.exe
C:\temp\VCOMM\chkcomm.dll
C:\temp\VCOMM\data1.cab
C:\temp\VCOMM\data1.hdr
C:\temp\VCOMM\data2.cab
C:\temp\VCOMM\devinst.dll
C:\temp\VCOMM\ikernel.ex_
C:\temp\VCOMM\layout.bin
C:\temp\VCOMM\Setup.exe
C:\temp\VCOMM\Setup.ini
C:\temp\VCOMM\setup.inx
C:\temp\VCOMM\setup.iss
C:\temp\VCOMM\Version.txt
C:\WINDOWS\system32\ap1
C:\WINDOWS\system32\ap1\sysmondll3.exe
C:\WINDOWS\system32\bo2
C:\WINDOWS\system32\bo2\ivdwnll2.exe
C:\WINDOWS\system32\cp1
C:\WINDOWS\system32\cp1\dode83122.exe
C:\WINDOWS\system32\fuaphkpg.dllbox
C:\WINDOWS\system32\gdpyvvtc.dll
C:\WINDOWS\system32\ib1
C:\WINDOWS\system32\ib1\rwv12drv.exe
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\od2
C:\WINDOWS\system32\palmrewc.dll
C:\WINDOWS\system32\pmioihpn.dll
C:\WINDOWS\system32\vtuuv.dll
C:\WINDOWS\system32\vuutv.bak1
C:\WINDOWS\system32\vuutv.ini
C:\WINDOWS\system32\xx1
C:\WINDOWS\system32\xx1\kotedrvr4.exe
C:\WINDOWS\system32\xxyawwu.dll
C:\WINDOWS\system32\yvnaunie.dll
C:\WINDOWS\U2F5ZWQgSGFkaQ
C:\WINDOWS\U2F5ZWQgSGFkaQ\asappsrv.dll
C:\WINDOWS\U2F5ZWQgSGFkaQ\command.exe
C:\WINDOWS\U2F5ZWQgSGFkaQ\oZIctqk0m3I4uk.vbs

.
((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-25 20:00 340,032 --a------ C:\WINDOWS\system32\fuaphkpg.dll
2007-10-25 19:59 340,032 --a------ C:\WINDOWS\system32\klcjjjth.dll
2007-10-25 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-20 01:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-18 15:22 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-12 13:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-08 12:34 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-08 12:33 <DIR> d-------- C:\Documents and Settings\Sayed Hadi\Application Data\Talkback
2007-10-08 12:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-06 22:02 <DIR> d-------- C:\Program Files\CONEXANT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 19:37 --------- d-----w C:\Program Files\Java
2007-10-26 19:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-26 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-12 20:15 --------- d-----w C:\Program Files\Common Files\Real
2007-10-09 08:47 --------- d-----w C:\Program Files\Golden Al-Wafi Translator
2007-10-09 01:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-07 05:13 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-07 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-09-06 06:29 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-29 04:30 --------- d-----w C:\Program Files\support.com
2007-08-29 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-08-26 08:27 --------- d-----w C:\Program Files\HP
2007-08-26 08:20 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-26 06:30 --------- d-----w C:\Program Files\Paltalk Messenger
.

((((((((((((((((((((((((((((( snapshot@2007-10-25_19.25.51.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-08-20 00:41:26 24,673 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 05:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-08-20 00:41:28 28,771 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 05:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-25 20:00 340032 --a------ C:\WINDOWS\system32\fuaphkpg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fuaphkpg.dll [2007-10-25 20:00 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-28 01:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-05-19 08:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fuaphkpg]
fuaphkpg.dll 2007-10-25 20:00 340032 C:\WINDOWS\system32\fuaphkpg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtuuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk
backup=C:\WINDOWS\pss\PowerPanel.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=C:\WINDOWS\pss\QuickTV.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKSERV.EXE]
C:\Program Files\Sony\HotKey Utility\HKserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
C:\Program Files\Pando Networks\Pando\pando.exe /Automation

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\Propel Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sweeper.exe]
C:\Program Files\History Sweeper\sweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"Dnscache"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
R3 DVccUSBSony1;Sony Visual Communication Camera VCC-U01;C:\WINDOWS\system32\DRIVERS\SonyVcc.sys
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys
S3 Cap7134;Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
S3 CSRBC01;CSRBC01.Sys CSR test driver;C:\WINDOWS\system32\Drivers\CSRBC01.sys
S3 DCamUSBSony4;Sony Visual Communication Camera;C:\WINDOWS\system32\DRIVERS\snyucam4.sys
S3 DCamUSBSonyA4;Sony USB Microphone;C:\WINDOWS\system32\drivers\snyuflt4.sys
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys
S3 oibtvcom;Bluetooth Virtual COM Port;C:\WINDOWS\system32\Drivers\oivmvcom.sys
S3 oivmctrl;VCOMM Device Controller;C:\WINDOWS\system32\Drivers\oivmctrl.sys
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca623c30-4613-11dc-bcc9-080046cc81a2}]
AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 20:06:13 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-20 10:00:38 C:\WINDOWS\Tasks\XoftSpySE.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 13:07:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 13:10:26 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-25 20:44
C:\ComboFix3.txt ... 2007-10-25 19:29
.
--- E O F ---

AND THATS THE HTJ LOG :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:12 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fuaphkpg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fuaphkpg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: fuaphkpg - C:\WINDOWS\SYSTEM32\fuaphkpg.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 4661 bytes

and I still have the problem
q80
Active Member
 
Posts: 6
Joined: October 25th, 2007, 9:54 pm

Unread postby random/random » October 27th, 2007, 5:33 pm

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code: Select all
    File::
    C:\WINDOWS\system32\fuaphkpg.dll
    C:\WINDOWS\system32\klcjjjth.dll
    C:\WINDOWS\system32\vtuuv.dll 
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fuaphkpg]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Unread postby q80 » October 27th, 2007, 8:31 pm

ComboFix 07-10-26.4 - Sayed Hadi 2007-10-26 17:25:16.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.965.1033.18.458 [GMT -7:00]
Running from: C:\Documents and Settings\Sayed Hadi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sayed Hadi\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\fuaphkpg.dll
C:\WINDOWS\system32\klcjjjth.dll
C:\WINDOWS\system32\vtuuv.dll
.

((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-26 14:04 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-26 14:04 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-26 14:02 <DIR> d-------- C:\Program Files\Symantec
2007-10-26 14:02 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-26 14:02 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-25 18:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-20 01:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-18 15:22 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-12 13:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-08 12:34 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-08 12:33 <DIR> d-------- C:\Documents and Settings\Sayed Hadi\Application Data\Talkback
2007-10-08 12:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-06 22:02 <DIR> d-------- C:\Program Files\CONEXANT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 21:30 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-26 21:30 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-26 21:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-26 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-26 20:42 --------- d-----w C:\Program Files\MSN Messenger
2007-10-26 19:37 --------- d-----w C:\Program Files\Java
2007-10-19 07:38 24,576 ----a-w C:\WINDOWS\system32\msxml3a.dll
2007-10-12 20:15 --------- d-----w C:\Program Files\Common Files\Real
2007-10-09 08:47 --------- d-----w C:\Program Files\Golden Al-Wafi Translator
2007-10-09 01:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-07 05:13 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-07 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-06 21:24 337,056 ----a-w C:\WINDOWS\system32\ENTER.scr
2007-09-06 06:29 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-29 04:30 --------- d-----w C:\Program Files\support.com
2007-08-29 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 01:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 01:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 01:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 01:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 01:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 01:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 01:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 01:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 01:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-26 14:08 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-28 01:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 22:07]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 21:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk
backup=C:\WINDOWS\pss\PowerPanel.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=C:\WINDOWS\pss\QuickTV.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKSERV.EXE]
C:\Program Files\Sony\HotKey Utility\HKserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
C:\Program Files\Pando Networks\Pando\pando.exe /Automation

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\Propel Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sweeper.exe]
C:\Program Files\History Sweeper\sweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"Dnscache"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
R3 DVccUSBSony1;Sony Visual Communication Camera VCC-U01;C:\WINDOWS\system32\DRIVERS\SonyVcc.sys
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 Cap7134;Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
S3 CSRBC01;CSRBC01.Sys CSR test driver;C:\WINDOWS\system32\Drivers\CSRBC01.sys
S3 DCamUSBSony4;Sony Visual Communication Camera;C:\WINDOWS\system32\DRIVERS\snyucam4.sys
S3 DCamUSBSonyA4;Sony USB Microphone;C:\WINDOWS\system32\drivers\snyuflt4.sys
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys
S3 oibtvcom;Bluetooth Virtual COM Port;C:\WINDOWS\system32\Drivers\oivmvcom.sys
S3 oivmctrl;VCOMM Device Controller;C:\WINDOWS\system32\Drivers\oivmctrl.sys
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca623c30-4613-11dc-bcc9-080046cc81a2}]
AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 21:22:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Sayed Hadi.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
"2007-10-27 00:19:03 C:\WINDOWS\Tasks\XoftSpySE 2.job"
"2007-10-20 10:00:38 C:\WINDOWS\Tasks\XoftSpySE.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 17:27:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 17:29:05
C:\ComboFix2.txt ... 2007-10-26 17:22
C:\ComboFix3.txt ... 2007-10-26 13:54
.
--- E O F ---


THis is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:43 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 5342 bytes

thanks
q80
Active Member
 
Posts: 6
Joined: October 25th, 2007, 9:54 pm

Unread postby random/random » October 28th, 2007, 6:53 am

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Unread postby q80 » October 28th, 2007, 6:35 pm

Hi again ,

this is the online scan log :

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2621 (20071028)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=bca0f1a5e39b4a428e730a47521644a6
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-10-27 10:15:11
# local_time=2007-10-27 03:15:11 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=330398
# found=12
# scan_time=7076
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application C4281C08C9951D5C894613A46A1FCA8B
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 29253A6E6649AE9F5E018FCC5BF1724E
C:\qoobox\Quarantine\C\Documents and Settings\hala\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 23116AF08C52D196002D8C0D9E2C1AAF
C:\qoobox\Quarantine\C\Documents and Settings\hala\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application FF34772E97E67769F14F6E690200465F
C:\qoobox\Quarantine\C\Documents and Settings\hala\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 20F3EE418C406350EE7BE87DE18D7E14
C:\qoobox\Quarantine\C\Documents and Settings\Sayed Hadi\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 47FCFD36D19FE89D21A9AE735474F287
C:\qoobox\Quarantine\C\Documents and Settings\Sayed Hadi\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application BF4AE6CF649EE691779FB8092C29DEB3
C:\qoobox\Quarantine\C\Documents and Settings\Sayed Hadi\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application F7023C9C80A28A6A6925580813DAEC8D
C:\qoobox\Quarantine\C\Program Files\Common Files\uwmu\uwmud\vocabulary.vir Win32/TrojanDownloader.TSUpdate.J trojan 7901AE90CA5D7979D4FCA52D83D420FB
C:\qoobox\Quarantine\C\temp\cilo.exe.vir multiple infiltrations 1F21B34DCA5EA4D05DC5724357C92A72
C:\qoobox\Quarantine\C\temp\cilo.exe.vir »NSIS »ivdwnll2.exe Win32/TrojanDownloader.Small.BUY trojan 00000000000000000000000000000000
C:\qoobox\Quarantine\C\temp\cilo.exe.vir »NSIS »rwv12drv.exe Win32/TrojanDownloader.Small.GCI trojan 00000000000000000000000000000000

that's the HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:11 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sweeper.exe] C:\Program Files\History Sweeper\sweeper.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 5921 bytes


I think most of the problem solved :blob8: .. and I appreciate your help :occasion2: ..
But I still think that there are some spy files especialy thos .exe that contains the [SVC]word such as ccSvcHst.exe and svchost.exe :hiding: ..
Agian and again thank you very very much .. :thumbright:
q80
Active Member
 
Posts: 6
Joined: October 25th, 2007, 9:54 pm

Unread postby random/random » October 29th, 2007, 3:39 pm

ccSvcHst.exe is part of Symantec http://www.bleepingcomputer.com/startup ... 17472.html

svchost.exe is a necessary component of windows: http://www.processlibrary.com/directory/files/svchost/

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  1. Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  2. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  3. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  4. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  5. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  6. Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  7. Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
    Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  8. Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  9. Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Unread postby askey127 » November 10th, 2007, 2:26 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware