Malware Removal & HijackThis Logs

06-Dec-2006, 09:15 AM
#1
| Solved: Please help My computer seems to be affected...dunno what. Thanks in advance. Here is the hijack log: Logfile of HijackThis v1.99.1 Scan saved at 9:03:37 AM, on 12/6/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTSvcCDA.exe C:\Program Files\cvsnt\cvsservice.exe C:\Program Files\cvsnt\cvslock.exe C:\WINDOWS\system32\hidserv.exe C:\WINDOWS\LogWatNT.exe C:\Program Files\Canon\MultiPASS\mpservic.exe C:\WINDOWS\system32\msasvc.exe c:\PROGRA~1\NORTON~1\navapsvc.exe c:\PROGRA~1\NORTON~1\npssvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\regsvc.exe C:\WINDOWS\system32\stisvc.exe C:\Program Files\Subversion\bin\SVNService.exe C:\Program Files\Subversion\bin\svnserve.exe C:\WINDOWS\System32\WBEM\WinMgmt.exe C:\WINDOWS\System32\mspmspsv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe c:\PROGRA~1\NORTON~1\alertsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\inet20000\services.exe C:\WINDOWS\System32\svchost.exe C:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE C:\program files\norton antivirus\POProxy.exe C:\Program Files\Canon\MultiPASS\monitr32.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\z1235.exe C:\WINDOWS\system32\nordsys.exe C:\WINDOWS\system32\kernels1118.exe C:\WINDOWS\system32\rundll32.exe C:\oggxm.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\inet20000\mmx990.exe C:\Program Files\SpySheriff\SpySheriff.exe 
C:\WINDOWS\system32\services.exe C:\WINDOWS\agq7oU0.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Norton AntiVirus\navapw32.exe C:\WINDOWS\inet20000\wpcem.exe C:\WINDOWS\inet20000\wpcem.exe C:\WINDOWS\system32\se.exe.exe C:\HiJack\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.warezoracle.com/%s R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080 F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Program Files\Netscape\Users\andrew\prefs.js) O1 - Hosts: 70.184.240.199 wws-devweb1 #was 216.177.38.163 O1 - Hosts: 70.184.240.201 wws-demo #was 216.177.38.167 O1 - Hosts: 70.184.240.203 wws-server2 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\12614134.dll O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll O2 - BHO: (no name) - {5AA179A1-1C9A-BE1F-A12F-07DB99422510} - C:\WINDOWS\system32\qtbrjki.dll O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - 
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe" O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Norton eMail Protect] c:\program files\norton antivirus\POProxy.exe O4 - HKLM\..\Run: [NPS Event Checker] c:\PROGRA~1\NORTON~1\npscheck.exe O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [WINDOWS] C:\oggxm.exe O4 - HKLM\..\Run: [7v3j] C:\WINDOWS\system32\z1235.exe gdtgh O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe O4 - HKLM\..\Run: [rqbhvti.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rqbhvti.dll,hwhnoxf O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\z26065709339.exe O4 - HKCU\..\Run: [WinUpgrade] 
"C:\WINDOWS\system32\z26065715868.exe " O4 - HKCU\..\Run: [WinUpdate] "C:\WINDOWS\system32\z26065728016.exe " O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Norton AntiVirus\navapw32.exe O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: GuruNet... 
- file:C:\Program Files\GuruNet\Html\atiemenu.htm O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: 50 FREE MP3s! 
- {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Dell Home - {819D9520-F66E-11D3-9ECC-000102353CE7} - http://www.dellnet.com/ (file missing) (HKCU) O9 - Extra button: @Home - {FDB5FB24-7875-4372-A146-53CFD5B89353} - http://home.excite.com (file missing) (HKCU) O12 - Plugin for .au: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll O12 - Plugin for .mid: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll O12 - Plugin for .rmf: C:\Program Files\Netscape\Program\PLUGINS\NPBeatSP.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Microsoft WFC Forms Designer - file://C:\DOWNLOAD\VISUAL~1\VJ98\wfcforms.cab O16 - DPF: Visual Studio 6 Extensibility Libraries - file://C:\DOWNLOAD\VISUAL~1\VJ98\vstudio6.cab O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.07.02-hp&http://h71016.www7.hp.com/dstore/html/interactive/nc8000/model.html?jumpid=ex_r2910_cnet/3dtours_product|nc8000notebook O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://205.150.121.13/CFIDE/classes/CFJava.cab O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://aumail2.american.edu/iNotes6.cab O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - 
http://208.232.171.59/ProjectCentral...33/pjcintl.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://208.232.171.59/ProjectCentral...s/pjclient.cab O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://wwstudios.webex.com/client/webex/atbootie.cab O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://msdn.one.microsoft.com/Trans...ansferCtrl.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://xopus.org/demo/msxml4install/msxml4.cab O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://69.140.47.56:85/plugin/h263ctrl.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://38.203.215.106/CFIDE/classes/CFJava.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://wwstudios.webex.com/client/la...ex/ieatgpc.cab O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) - O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\system32\vrtk32.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: ColdFusion MX Application Server - Macromedia Inc. 
- C:\CFusionMX\runtime\bin\jrunsvc.exe O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Verity K2Server (Version 2.20pr6) (k2server) - Unknown owner - C:\CFusionMX\lib\k2server.exe O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe O23 - Service: NAV Alert - Symantec Corporation - c:\PROGRA~1\NORTON~1\alertsvc.exe O23 - Service: NAV Auto-Protect - Symantec Corporation - c:\PROGRA~1\NORTON~1\navapsvc.exe O23 - Service: Norton Program Scheduler - Symantec Corporation - c:\PROGRA~1\NORTON~1\npssvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe |
07-Dec-2006, 02:19 PM
#2
Did you install Spy Sheriff? It is on the rogue list. Look in Add/Remove Programs and uninstall it if found. Download (save) ComboFix from one of these two sites:
When finished, it will produce a log for you. Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall. Please post a new HijackThis log with the log from ComboFix in your next reply.
Microsoft MVP/Windows - Consumer Security

08-Dec-2006, 04:53 PM
#3
| rudebwoy - Fri 12/08/2006 16:29:46.42 Service Pack 4 ComboFix 06.11.27W - Running from: "C:\Documents and Settings\default\Desktop" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\maxd641.exe ((((((((((((((((((((((((((((((( Files Created from 2006-11-08 to 2006-12-08 )))))))))))))))))))))))))))))))))) 2006-12-08 16:21 13,422 --a------ C:\WINDOWS\SYSTEM32\icf.exe 2006-12-08 16:19 6,199 --a------ C:\Documents and Settings\default\K65OLoM.exe 2006-12-08 16:18 20,480 --a------ C:\WINDOWS\SYSTEM32\z3524.dll 2006-12-06 19:02 46,592 --a------ C:\WINDOWS\SYSTEM32\zlbw.dll 2006-12-06 19:00 61,440 --a------ C:\WINDOWS\SYSTEM32\lmbsjili.exe 2006-12-06 18:59 6,199 --a------ C:\Documents and Settings\default\s0cKmfG.exe 2006-12-06 18:59 20,480 --a------ C:\WINDOWS\SYSTEM32\z3424.dll 2006-12-06 17:52 3,584 -r-hs---- C:\WINDOWS\SYSTEM32\z2974441196.exe 2006-12-06 17:52 3,584 --a------ C:\WINDOWS\SYSTEM32\z2974444851.exe 2006-12-06 16:59 20,480 --a------ C:\WINDOWS\SYSTEM32\z3806.dll 2006-12-06 16:31 3,502 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2006-12-06 16:23 <DIR> d-------- C:\smit 2006-12-06 09:02 <DIR> d-------- C:\New Folder 2006-12-06 09:01 72,192 --a------ C:\WINDOWS\SYSTEM32\z2825.exe 2006-12-06 09:01 6,199 --a------ C:\WINDOWS\agq7oU0.exe 2006-12-06 09:01 20,480 --a------ C:\WINDOWS\SYSTEM32\z318.dll 2006-12-06 08:45 20,480 --a------ C:\WINDOWS\SYSTEM32\z3743.dll 2006-12-06 08:40 20,480 --a------ C:\WINDOWS\SYSTEM32\z3760.dll 2006-12-06 08:37 <DIR> d-------- C:\HiJack 2006-12-06 08:36 <DIR> d-------- C:\Program Files\New Folder 2006-12-06 08:33 20,480 --a------ C:\WINDOWS\SYSTEM32\z3612.dll 2006-12-05 20:51 45,056 --a------ C:\Documents and Settings\default\wpcem.exe 2006-12-05 20:50 20,480 --a------ C:\WINDOWS\SYSTEM32\z3955.dll 2006-12-05 20:41 <DIR> d-------- C:\AV-CLS 2006-12-05 19:56 95,232 --a------ C:\WINDOWS\SYSTEM32\rqbhvti.dll 2006-12-05 19:56 71,680 --a------ 
C:\WINDOWS\SYSTEM32\qtbrjki.dll 2006-12-05 19:56 6,199 --a------ C:\WINDOWS\SYSTEM32\wQu0x76.exe 2006-12-05 19:56 6,199 --a------ C:\WINDOWS\SYSTEM32\se.exe.exe 2006-12-05 19:56 54,327 --a------ C:\WINDOWS\SYSTEM32\google.png.exe 2006-12-05 19:56 3,648 --a------ C:\WINDOWS\SYSTEM32\z2705.exe 2006-12-05 19:56 3,648 --a------ C:\WINDOWS\SYSTEM32\kernels1118.exe 2006-12-05 19:56 3,584 -r-hs---- C:\WINDOWS\SYSTEM32\z26065709339.exe 2006-12-05 19:56 3,584 --a------ C:\WINDOWS\SYSTEM32\z26065715868.exe 2006-12-05 19:56 3,584 --------- C:\WINDOWS\SYSTEM32\z26065728016.exe 2006-12-05 19:56 29,696 --a------ C:\WINDOWS\SYSTEM32\rpcc.dll 2006-12-05 19:56 15,927 --a------ C:\WINDOWS\SYSTEM32\w.exe.exe 2006-12-05 19:56 15,927 --a------ C:\WINDOWS\SYSTEM32\w.exe 2006-12-05 19:56 15,927 ---h----- C:\WINDOWS\SYSTEM32\nordsys.exe 2006-12-05 19:56 128,567 --a------ C:\WINDOWS\SYSTEM32\ss.exe.exe 2006-12-05 19:55 6,199 --a------ C:\WINDOWS\SYSTEM32\z2688.exe 2006-12-05 19:55 45,056 --a------ C:\WINDOWS\wpcem.exe 2006-12-05 19:55 23,552 --a------ C:\WINDOWS\SYSTEM32\z253.exe 2006-12-05 19:55 20,480 --a------ C:\WINDOWS\SYSTEM32\z3258.dll 2006-12-05 19:55 13,312 --a------ C:\WINDOWS\SYSTEM32\z2928.exe 2006-12-05 18:00 81,920 --a------ C:\WINDOWS\SYSTEM32\Packet.dll 2006-12-05 18:00 61,440 --a------ C:\WINDOWS\SYSTEM32\WanPacket.dll 2006-12-05 18:00 53,299 --a------ C:\WINDOWS\SYSTEM32\pthreadVC.dll 2006-12-05 18:00 32,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys 2006-12-05 18:00 233,472 --a------ C:\WINDOWS\SYSTEM32\wpcap.dll 2006-12-05 18:00 13,312 --a------ C:\WINDOWS\SYSTEM32\z2443.exe 2006-12-05 18:00 <DIR> d-------- C:\WINDOWS\inet20000 2006-12-05 17:57 9,804 --a------ C:\WINDOWS\SYSTEM32\z1235.exe 2006-12-05 17:57 20,480 --a------ C:\WINDOWS\SYSTEM32\z3419.dll 2006-12-05 17:56 85,504 --a------ C:\oggxm.exe 2006-12-05 17:56 37,571 --a------ C:\mlgu.exe 2006-12-05 17:56 3,584 --a------ C:\WINDOWS\SYSTEM32\msasvc.exe 2006-12-05 17:56 1,024 --a------ C:\ypnolb.exe 2006-12-05 
17:56 1,024 --a------ C:\ayfcf.exe 2006-11-27 09:20 465,176 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll 2006-11-27 09:20 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll 2006-11-27 09:20 194,328 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll 2006-11-27 09:20 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll 2006-11-27 09:20 173,536 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll 2006-11-27 09:20 172,312 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe 2006-11-27 09:20 127,256 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll 2006-11-27 09:20 <DIR> d-------- C:\WINDOWS\SoftwareDistribution (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) Rootkit driver pe386 is present. A rootkit scan is required 2006-12-05 19:57 34997 --a------ C:\WINDOWS\SYSTEM32\vrtk32.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="ctfmon.exe" "Nord"="C:\\WINDOWS\\system32\\nordsys.exe" "WinUpgrade"="\"C:\\WINDOWS\\system32\\z2974444851.exe \" " "WinMedia"="C:\\WINDOWS\\system32\\z2974441196.exe" "WinMedia"="C:\\WINDOWS\\system32\\z2974441196.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SystemTray"="SysTray.Exe" "Synchronization Manager"="mobsync.exe /logon" "Microsoft IntelliType Pro"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\speedkey.exe\"" "UpdReg"="C:\\WINDOWS\\Updreg.exe" "EM_EXEC"="c:\\progra~1\\logitech\\mouse\\SYSTEM\\EM_EXEC.EXE" "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "LoadQM"="loadqm.exe" "nwiz"="nwiz.exe /install" "Norton eMail Protect"="c:\\program files\\norton antivirus\\POProxy.exe" "NPS Event Checker"="c:\\PROGRA~1\\NORTON~1\\npscheck.exe" "MP_STATUS_MONITOR"="\"C:\\Program Files\\Canon\\MultiPASS\\monitr32.exe\" I" "iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe" "QuickTime 
Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe" "WINDOWS"="C:\\oggxm.exe" "7v3j"="C:\\WINDOWS\\system32\\z1235.exe gdtgh" "Microsoft WPCEmail"="C:\\WINDOWS\\inet20000\\svchost.exe " "Nord"="C:\\WINDOWS\\system32\\nordsys.exe" "rqbhvti.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\rqbhvti.dll,hwhnoxf" "Alexa bridge"="C:\\WINDOWS\\system32\\lmbsjili.exe" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000003 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\share dtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell executehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er] "NoDriveTypeAutoRun"=dword:00000000 "CDRAutoRun"=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\expl orer] "NoDriveTypeAutoRun"=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceob jectdelayload] "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" 
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" "hbeUYKE"="{07D0030B-AD7A-A9A1-F41A-95064D7E0457}" "hbeUYKE"="{07D0030B-AD7A-A9A1-F41A-95064D7E0457}" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Symantec NetDetect.job C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job Completion time: Fri 2006-12-08 16:32:06.68 C:\ComboFix.txt ... 06-12-08 16:32 Logfile of HijackThis v1.99.1 Scan saved at 4:45:41 PM, on 12/8/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTSvcCDA.exe C:\Program Files\cvsnt\cvsservice.exe C:\Program Files\cvsnt\cvslock.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\hidserv.exe C:\WINDOWS\LogWatNT.exe C:\Program Files\Canon\MultiPASS\mpservic.exe C:\WINDOWS\system32\msasvc.exe c:\PROGRA~1\NORTON~1\npssvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\regsvc.exe C:\WINDOWS\system32\stisvc.exe C:\Program Files\Subversion\bin\SVNService.exe C:\WINDOWS\System32\WBEM\WinMgmt.exe C:\Program Files\Subversion\bin\svnserve.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\mspmspsv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe c:\PROGRA~1\NORTON~1\alertsvc.exe C:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE C:\Program Files\Canon\MultiPASS\monitr32.exe C:\Program 
Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\rundll32.exe C:\oggxm.exe C:\WINDOWS\system32\lmbsjili.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\nordsys.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.warezoracle.com/%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080 O1 - Hosts: 70.184.240.199 wws-devweb1 #was 216.177.38.163 O1 - Hosts: 70.184.240.201 wws-demo #was 216.177.38.167 O1 - Hosts: 70.184.240.203 wws-server2 O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe" O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Norton eMail Protect] c:\program files\norton antivirus\POProxy.exe O4 - HKLM\..\Run: [NPS Event Checker] c:\PROGRA~1\NORTON~1\npscheck.exe O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [WINDOWS] C:\oggxm.exe O4 - HKLM\..\Run: [7v3j] C:\WINDOWS\system32\z1235.exe gdtgh O4 - HKLM\..\Run: [Microsoft WPCEmail] 
C:\WINDOWS\inet20000\svchost.exe O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe O4 - HKLM\..\Run: [rqbhvti.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rqbhvti.dll,hwhnoxf O4 - HKLM\..\Run: [Alexa bridge] C:\WINDOWS\system32\lmbsjili.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe O4 - HKCU\..\Run: [WinUpgrade] "C:\WINDOWS\system32\z2974444851.exe " O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\z2974441196.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Norton AntiVirus\navapw32.exe O21 - SSODL: hbeUYKE - {07D0030B-AD7A-A9A1-F41A-95064D7E0457} - C:\WINDOWS\system32\pzrkd.dll |
08-Dec-2006, 05:45 PM
#4
Download rustbfix.exe from here and save it to your desktop. Double-click on rustbfix.exe. If a Rustock.b infection is found, you will be asked to reboot your computer. The reboot will probably take quite a while, and perhaps two reboots will be needed, but this will happen automatically, so please be patient and allow the process to complete. After the reboot, two log files will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these log files along with a new HijackThis log.
Microsoft MVP/Windows - Consumer Security

11-Dec-2006, 12:55 AM
#5
| Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\xjecqlji ******************* Script file located at: \??\C:\WINDOWS\system32\lvyujksj.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Driver PE386 unloaded successfully. Program C:\Rustbfix\2run.bat successfully set up to run once on reboot. Completed script processing. ******************* Finished! Terminate. ************************* Rustock.b-fix -- By ejvindh ************************* Mon 12/11/2006 0:16:44.90 ******************* Pre-run Status of system ******************* Rootkit driver PE386 is found. Starting the unload-procedure.... Examine the Avenger-logfile in order to assess the success of the unload-procedure Rustock.b-ADS attached to the System32-folder: No streams found. ******************* Post-run Status of system ******************* Rustock.b-driver on the system: NONE! Rustock.b-ADS attached to the System32-folder: No streams found. 
******************************* End of Logfile ********************************

Logfile of HijackThis v1.99.1
Scan saved at 12:46:03 AM, on 12/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\system32\msasvc.exe
c:\PROGRA~1\NORTON~1\navapsvc.exe
c:\PROGRA~1\NORTON~1\npssvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Subversion\bin\SVNService.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\NORTON~1\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
C:\program files\norton antivirus\POProxy.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\z1235.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lmbsjili.exe
C:\WINDOWS\system32\ctfmon.exe
C:\oggxm.exe
C:\WINDOWS\system32\nordsys.exe
C:\WINDOWS\system32\lmbsjili.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\z2974441196.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\WINDOWS\inet20000\wpcem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.warezoracle.com/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Program Files\Netscape\Users\andrew\prefs.js)
O1 - Hosts: 70.184.240.199 wws-devweb1 #was 216.177.38.163
O1 - Hosts: 70.184.240.201 wws-demo #was 216.177.38.167
O1 - Hosts: 70.184.240.203 wws-server2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\12614134.dll
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {5AA179A1-1C9A-BE1F-A12F-07DB99422510} - C:\WINDOWS\system32\qtbrjki.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] c:\program files\norton antivirus\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] c:\PROGRA~1\NORTON~1\npscheck.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WINDOWS] C:\oggxm.exe
O4 - HKLM\..\Run: [7v3j] C:\WINDOWS\system32\z1235.exe gdtgh
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [rqbhvti.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rqbhvti.dll,hwhnoxf
O4 - HKLM\..\Run: [Alexa bridge] C:\WINDOWS\system32\lmbsjili.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKCU\..\Run: [WinUpgrade] "C:\WINDOWS\system32\z2974444851.exe "
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\system32\z2974441196.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Norton AntiVirus\navapw32.exe
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Dell Home - {819D9520-F66E-11D3-9ECC-000102353CE7} - http://www.dellnet.com/ (file missing) (HKCU)
O9 - Extra button: @Home - {FDB5FB24-7875-4372-A146-53CFD5B89353} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .au: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .mid: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .rmf: C:\Program Files\Netscape\Program\PLUGINS\NPBeatSP.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft WFC Forms Designer - file://C:\DOWNLOAD\VISUAL~1\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://C:\DOWNLOAD\VISUAL~1\VJ98\vstudio6.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.07.02-hp&http://h71016.www7.hp.com/dstore/html/interactive/nc8000/model.html?jumpid=ex_r2910_cnet/3dtours_product|nc8000notebook
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://205.150.121.13/CFIDE/classes/CFJava.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://aumail2.american.edu/iNotes6.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://208.232.171.59/ProjectCentral...33/pjcintl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://208.232.171.59/ProjectCentral...s/pjclient.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://wwstudios.webex.com/client/webex/atbootie.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://msdn.one.microsoft.com/Trans...ansferCtrl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://xopus.org/demo/msxml4install/msxml4.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://69.140.47.56:85/plugin/h263ctrl.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://38.203.215.106/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://wwstudios.webex.com/client/la...ex/ieatgpc.cab
O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) -
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O21 - SSODL: hbeUYKE - {07D0030B-AD7A-A9A1-F41A-95064D7E0457} - C:\WINDOWS\system32\pzrkd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Verity K2Server (Version 2.20pr6) (k2server) - Unknown owner - C:\CFusionMX\lib\k2server.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NAV Alert - Symantec Corporation - c:\PROGRA~1\NORTON~1\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - c:\PROGRA~1\NORTON~1\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - c:\PROGRA~1\NORTON~1\npssvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe
11-Dec-2006, 10:35 AM
#6
Run HJT again and put a check in the following:

O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\12614134.dll
O2 - BHO: (no name) - {5AA179A1-1C9A-BE1F-A12F-07DB99422510} - C:\WINDOWS\system32\qtbrjki.dll
O4 - HKLM\..\Run: [WINDOWS] C:\oggxm.exe
O4 - HKLM\..\Run: [7v3j] C:\WINDOWS\system32\z1235.exe gdtgh
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [rqbhvti.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rqbhvti.dll,hwhnoxf
O4 - HKLM\..\Run: [Alexa bridge] C:\WINDOWS\system32\lmbsjili.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKCU\..\Run: [WinUpgrade] "C:\WINDOWS\system32\z2974444851.exe "
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\system32\z2974441196.exe"
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) -
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O21 - SSODL: hbeUYKE - {07D0030B-AD7A-A9A1-F41A-95064D7E0457} - C:\WINDOWS\system32\pzrkd.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

Close all applications and browser windows before you click "fix checked".

1. Please download The Avenger by Swandog46 to your Desktop.
2. Copy the entire contents of the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download and install AVG Anti-Spyware 7.5
AVG ANTI-SPYWARE IS ONLY FOR SYSTEMS RUNNING WIN 2K and XP
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with AVG Anti-Spyware as follows:

1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done, reboot normally.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

Please copy/paste the contents of c:\avenger.txt, a fresh hijackthis log and the AVG Anti-Spyware report in your next reply.
__________________
Microsoft MVP/Windows - Consumer Security
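As an added illustration (my code, not the thread's and not part of HijackThis): a parser for the HJT sections the helper worked from (O2, O4, O20, O21, O23) with heuristic rules drawn from the entries selected above, run over lines copied from this thread's log. The rules are assumptions about what makes a load point worth a second look; they catch only part of what the helper removed (nordsys.exe and lmbsjili.exe pass every rule), which is why the output is a review list for a human, not a fix list.

```python
"""Triage HijackThis log lines with checks a helper applies by eye. Added example, not code
from this thread or from HijackThis; the rules yield a review list, not a verdict."""
import ntpath
import re
from dataclasses import dataclass, field

@dataclass
class Entry:
    section: str                    # O2, O4, O20, O21 or O23
    name: str                       # BHO name, Run value name, Notify/SSODL name, service name
    target: str                     # path or command line exactly as HJT printed it
    owner: str = ""                 # O23 only; "Unknown owner" when HJT cannot attribute it
    flags: list = field(default_factory=list)

# One pattern per section this triage understands; other sections parse to None.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$"),
}
EXE_EXT = (".exe", ".dll", ".ocx", ".scr", ".cpl", ".com")
# These belong in %SystemRoot%\system32; the same names anywhere else are a decoy.
CORE_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}

def parse_line(line):
    """Return an Entry for a supported HJT line, or None for anything else."""
    line = line.strip()
    section = line.split(" ", 1)[0]
    pattern = PATTERNS.get(section)
    match = pattern.match(line) if pattern else None
    if not match:
        return None
    g = match.groupdict()
    return Entry(section, g["name"], g["target"].strip(), g.get("owner", ""))

def split_cmd(cmd):
    """Split an O4 command line into (image, args), re-joining unquoted paths with spaces."""
    toks = [t.strip('"').strip() for t in re.findall(r'"[^"]*"|\S+', cmd)]
    image, rest = toks[0], toks[1:]
    while rest and not image.lower().endswith(EXE_EXT):
        image += " " + rest.pop(0)
    return image, rest

def image_path(entry):
    """The file the load point really loads; for rundll32 lines that is the DLL argument."""
    if entry.section != "O4":
        return entry.target.replace("(file missing)", "").strip()
    image, rest = split_cmd(entry.target)
    if ntpath.basename(image).lower() == "rundll32.exe" and rest:
        return " ".join(rest).split(",")[0]
    return image

def check(entry):
    """Apply the triage rules and record the reasons that fired in entry.flags."""
    path = image_path(entry)
    base = ntpath.basename(path).lower()
    stem = ntpath.splitext(base)[0]
    folder = ntpath.dirname(path).lower()
    launcher = ntpath.basename(split_cmd(entry.target)[0]).lower() if entry.section == "O4" else ""
    rules = [
        (entry.section == "O2" and entry.name == "(no name)", "BHO registered without a name"),
        (re.fullmatch(r"[a-z]:\\[^\\]+", path.lower()) is not None, "autorun image sits in the drive root"),
        (re.fullmatch(r"[a-z]\d{3,}", stem) is not None, "image name is one letter plus digits"),
        (launcher == "rundll32.exe" and entry.name.lower() == base,
         "Run value is named after the DLL it loads through rundll32"),
        (entry.section in ("O2", "O20", "O21") and "(file missing)" in entry.target,
         "orphaned load point: file gone, registry reference remains"),
        (base in CORE_BINARIES and not folder.endswith("\\system32"),
         "core Windows binary name running outside system32"),
        (entry.section == "O23" and entry.owner == "Unknown owner" and "microsoft" in entry.name.lower(),
         "service claims to be Microsoft but HJT found no owner"),
    ]
    entry.flags = [reason for hit, reason in rules if hit]
    return entry

def triage(log_text):
    """Parsed entries that tripped at least one rule, in log order."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and check(e).flags]

# Lines copied from the HijackThis log posted in this thread: some from the helper's fix list, some left alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5AA179A1-1C9A-BE1F-A12F-07DB99422510} - C:\WINDOWS\system32\qtbrjki.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDOWS] C:\oggxm.exe
O4 - HKLM\..\Run: [7v3j] C:\WINDOWS\system32\z1235.exe gdtgh
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [rqbhvti.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rqbhvti.dll,hwhnoxf
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WinUpgrade] "C:\WINDOWS\system32\z2974444851.exe "
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} [{e.name}] -> {'; '.join(e.flags)}")
```

The "(file missing)" rule matters after a cleanup like the one in this thread: deleting the DLL leaves the Winlogon Notify or SSODL registry value behind, and that orphan is what the HJT "fix checked" pass removes.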
11-Dec-2006, 04:36 PM
#7
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rvwnwkgx

*******************

Script file located at: \??\C:\pjnexbrd.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\msasvc.exe deleted successfully.
File C:\WINDOWS\system32\z1235.exe deleted successfully.
File C:\WINDOWS\system32\lmbsjili.exe deleted successfully.
File C:\WINDOWS\system32\rqbhvti.dll deleted successfully.
File C:\oggxm.exe deleted successfully.
File C:\WINDOWS\system32\nordsys.exe deleted successfully.
File C:\WINDOWS\system32\lmbsjili.exe not found!
Deletion of file C:\WINDOWS\system32\lmbsjili.exe failed!
Could not process line:
C:\WINDOWS\system32\lmbsjili.exe
Status: 0xc0000034
File C:\WINDOWS\system32\z2974441196.exe deleted successfully.
File C:\WINDOWS\system32\z2974444851.exe deleted successfully.
File C:\WINDOWS\system32\rpcc.dll deleted successfully.
File C:\WINDOWS\system32\pzrkd.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\vrtk32.dll deleted successfully.
Folder C:\WINDOWS\inet20000 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:15:45 PM 12/11/2006

+ Scan result:

HKU\S-1-5-21-448539723-507921405-1202660629-1000\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\pinstall.dll -> Adware.LookMe : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\freemp3s.exe -> Adware.Lop : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/vrtk32.dll -> Backdoor.Agent.fo : Cleaned with backup (quarantined).
E:\My Music\New\kazaaLite\games (1).exe -> Backdoor.SkyRat.20 : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IntexusDial -> Dialer.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2443.exe -> Downloader.CWS.af : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2928.exe -> Downloader.CWS.af : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/inet20000/services.exe -> Downloader.CWS.af : Cleaned with backup (quarantined).
E:\Downloads\style XP\Style Xp 3.09 Keygeneclsxp6A.zip/cheat.exe -> Downloader.INService.ja : Cleaned with backup (quarantined).
C:\Documents and Settings\default\K65OLoM.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\Documents and Settings\default\s0cKmfG.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\wQu0x76.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\WINDOWS\agq7oU0.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\kernels1118.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2705.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z26065728016.exe -> Downloader.Small.ebo : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\taskdir.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2688.exe -> Downloader.Tiny.et : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z26065709339.exe -> Downloader.Tiny.ey : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/z2974441196.exe -> Downloader.Tiny.ey : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/oggxm.exe -> Dropper.Agent.azs : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z253.exe -> Dropper.Small.atd : Cleaned with backup (quarantined).
C:\Games\tiberianSun\RAZOR.EXE -> Dropper.Small.ux : Cleaned with backup (quarantined).
E:\Downloads\Games\Tiberian Sun\ts1.zip/RAZOR.EXE -> Dropper.Small.ux : Cleaned with backup (quarantined).
C:\HiJack\backups\backup-20061211-121843-589.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2825.exe -> Hijacker.Costrat.e : Cleaned with backup (quarantined).
E:\Downloads\CuteFTP\Cuteftp Pro v7.0 Final Incl Crack-Zeusoft.zip/patch.exe -> Hijacker.LowZones.e : Cleaned with backup (quarantined).
C:\Documents and Settings\default\wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\WINDOWS\wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/inet20000/svchost.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/inet20000/svchost.exe.bak -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/inet20000/wpcem.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\Program Files\Macromedia\Flash 6\Patch.exe -> Logger.Banker.zn : Cleaned with backup (quarantined).
E:\Downloads\flash6\Patch.exe -> Logger.Banker.zn : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z318.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3258.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z339.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3419.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3424.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3524.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3612.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3743.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3760.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3806.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z3955.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/z1235.exe -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/pzrkd.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/inet20000/gif/chgif2.exe -> Proxy.Delf.an : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/rpcc.dll -> Proxy.Dlena.at : Cleaned with backup (quarantined).
C:\WINDOWS\Cookies\default@cz3.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\Cookies\rudebwoy@ads.link4ads[2].txt -> TrackingCookie.Link4ads : Cleaned.
C:\WINDOWS\Cookies\default@preferences[2].txt -> TrackingCookie.Preferences : Cleaned.
C:\avenger\backup.zip/avenger/inet20000/mmx453.exe -> Trojan.Conycspa.i : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/inet20000/mmx62.exe -> Trojan.Conycspa.i : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/inet20000/mmx990.exe -> Trojan.Conycspa.i : Cleaned with backup (quarantined).
C:\ayfcf.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\ypnolb.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\adir.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
::Report end

Logfile of HijackThis v1.99.1
Scan saved at 4:26:21 PM, on 12/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
c:\PROGRA~1\NORTON~1\navapsvc.exe
c:\PROGRA~1\NORTON~1\npssvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Subversion\bin\SVNService.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\NORTON~1\alertsvc.exe
C:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
C:\program files\norton antivirus\POProxy.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.warezoracle.com/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Program Files\Netscape\Users\andrew\prefs.js)
O1 - Hosts: 70.184.240.199 wws-devweb1 #was 216.177.38.163
O1 - Hosts: 70.184.240.201 wws-demo #was 216.177.38.167
O1 - Hosts: 70.184.240.203 wws-server2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] c:\program files\norton antivirus\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] c:\PROGRA~1\NORTON~1\npscheck.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\system32\z2974441196.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Norton AntiVirus\navapw32.exe
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Dell Home - {819D9520-F66E-11D3-9ECC-000102353CE7} - http://www.dellnet.com/ (file missing) (HKCU)
O9 - Extra button: @Home - {FDB5FB24-7875-4372-A146-53CFD5B89353} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .au: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .mid: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .rmf: C:\Program Files\Netscape\Program\PLUGINS\NPBeatSP.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft WFC Forms Designer - file://C:\DOWNLOAD\VISUAL~1\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://C:\DOWNLOAD\VISUAL~1\VJ98\vstudio6.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.07.02-hp&http://h71016.www7.hp.com/dstore/html/interactive/nc8000/model.html?jumpid=ex_r2910_cnet/3dtours_product|nc8000notebook
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://205.150.121.13/CFIDE/classes/CFJava.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://aumail2.american.edu/iNotes6.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://208.232.171.59/ProjectCentral...33/pjcintl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://208.232.171.59/ProjectCentral...s/pjclient.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://wwstudios.webex.com/client/webex/atbootie.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://msdn.one.microsoft.com/Trans...ansferCtrl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://xopus.org/demo/msxml4install/msxml4.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://69.140.47.56:85/plugin/h263ctrl.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://38.203.215.106/C FIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://wwstudios.webex.com/client/la...ex/ieatgpc.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\system32\vrtk32.dll (file missing)
O21 - SSODL: hbeUYKE - {07D0030B-AD7A-A9A1-F41A-95064D7E0457} - C:\WINDOWS\system32\pzrkd.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc.
- C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Verity K2Server (Version 2.20pr6) (k2server) - Unknown owner - C:\CFusionMX\lib\k2server.exe O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe O23 - Service: NAV Alert - Symantec Corporation - c:\PROGRA~1\NORTON~1\alertsvc.exe O23 - Service: NAV Auto-Protect - Symantec Corporation - c:\PROGRA~1\NORTON~1\navapsvc.exe O23 - Service: Norton Program Scheduler - Symantec Corporation - c:\PROGRA~1\NORTON~1\npssvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe |
11-Dec-2006, 05:52 PM
#8
Click Here and download Killbox and save it to your desktop.

Run HJT again and put a check in the following:

O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\system32\z2974441196.exe"
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://69.140.47.56:85/plugin/h263ctrl.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\system32\vrtk32.dll (file missing)
O21 - SSODL: hbeUYKE - {07D0030B-AD7A-A9A1-F41A-95064D7E0457} - C:\WINDOWS\system32\pzrkd.dll (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Close all applications and browser windows before you click "fix checked". Close HijackThis.

Double-click on Killbox.exe to run it. Put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste the following line:

C:\WINDOWS\system32\z2974441196.exe

Click on the button that has the red circle with the X in the middle after you enter the file name. It will ask for confirmation to delete the file. Click Yes. It will ask for confirmation to reboot now. Click Yes.

Note: It is possible that Killbox will tell you that the file does not exist. If your computer does not restart automatically then please restart it manually. If you get the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" then just restart manually.

Download (save) combofix from one of these two sites:
When finished, it will produce a log for you. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. Please post a new hijackthis log with the log from combofix in your next reply.
Microsoft MVP/Windows - Consumer Security
11-Dec-2006, 06:58 PM
#9
rudebwoy - Mon 2006-12-11 18:47:08.64 Service Pack 4
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\default\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-11 to 2006-12-11 ))))))))))))))))))))))))))))))))))

2006-12-11 18:39 <DIR> d-------- C:\!KillBox
2006-12-11 12:37 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-11 12:37 <DIR> d-------- C:\Program Files\Grisoft
2006-12-11 12:33 <DIR> d-------- C:\avenger
2006-12-11 12:27 60,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hktxfdkd.sys
2006-12-11 00:16 <DIR> d-------- C:\Rustbfix
2006-12-08 16:21 13,422 --a------ C:\WINDOWS\SYSTEM32\icf.exe
2006-12-06 19:02 46,592 --a------ C:\WINDOWS\SYSTEM32\zlbw.dll
2006-12-06 16:31 3,502 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2006-12-06 16:23 <DIR> d-------- C:\smit
2006-12-06 09:02 <DIR> d-------- C:\New Folder
2006-12-06 08:37 <DIR> d-------- C:\HiJack
2006-12-06 08:36 <DIR> d-------- C:\Program Files\New Folder
2006-12-05 20:41 <DIR> d-------- C:\AV-CLS
2006-12-05 19:56 71,680 --a------ C:\WINDOWS\SYSTEM32\qtbrjki.dll
2006-12-05 19:56 6,199 --a------ C:\WINDOWS\SYSTEM32\se.exe.exe
2006-12-05 19:56 54,327 --a------ C:\WINDOWS\SYSTEM32\google.png.exe
2006-12-05 19:56 3,584 --a------ C:\WINDOWS\SYSTEM32\z26065715868.exe
2006-12-05 19:56 18,015 --a------ C:\WINDOWS\SYSTEM32\w.exe
2006-12-05 19:56 15,927 --a------ C:\WINDOWS\SYSTEM32\w.exe.exe
2006-12-05 19:56 128,567 --a------ C:\WINDOWS\SYSTEM32\ss.exe.exe
2006-12-05 18:00 81,920 --a------ C:\WINDOWS\SYSTEM32\Packet.dll
2006-12-05 18:00 61,440 --a------ C:\WINDOWS\SYSTEM32\WanPacket.dll
2006-12-05 18:00 53,299 --a------ C:\WINDOWS\SYSTEM32\pthreadVC.dll
2006-12-05 18:00 32,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys
2006-12-05 18:00 233,472 --a------ C:\WINDOWS\SYSTEM32\wpcap.dll
2006-12-05 17:56 68,968 --a------ C:\WINDOWS\SYSTEM32\lzx32.sys
2006-12-05 17:56 37,571 --a------ C:\mlgu.exe
2006-11-27 09:20 465,176 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2006-11-27 09:20 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2006-11-27 09:20 194,328 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2006-11-27 09:20 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2006-11-27 09:20 173,536 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2006-11-27 09:20 172,312 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2006-11-27 09:20 127,256 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2006-11-27 09:20 <DIR> d-------- C:\WINDOWS\SoftwareDistribution

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"Synchronization Manager"="mobsync.exe /logon"
"Microsoft IntelliType Pro"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\speedkey.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"EM_EXEC"="c:\\progra~1\\logitech\\mouse\\SYSTEM\\EM_EXEC.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"LoadQM"="loadqm.exe"
"nwiz"="nwiz.exe /install"
"Norton eMail Protect"="c:\\program files\\norton antivirus\\POProxy.exe"
"NPS Event Checker"="c:\\PROGRA~1\\NORTON~1\\npscheck.exe"
"MP_STATUS_MONITOR"="\"C:\\Program Files\\Canon\\MultiPASS\\monitr32.exe\" I"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

Completion time: Mon 2006-12-11 18:48:27.87
C:\ComboFix2.txt ... 06-12-08 16:32
C:\ComboFix.txt ... 06-12-11 18:48

Logfile of HijackThis v1.99.1
Scan saved at 6:49:30 PM, on 12/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
c:\PROGRA~1\NORTON~1\navapsvc.exe
c:\PROGRA~1\NORTON~1\npssvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Subversion\bin\SVNService.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\NORTON~1\alertsvc.exe
C:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
C:\program files\norton antivirus\POProxy.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.warezoracle.com/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Program Files\Netscape\Users\andrew\prefs.js)
O1 - Hosts: 70.184.240.199 wws-devweb1 #was 216.177.38.163
O1 - Hosts: 70.184.240.201 wws-demo #was 216.177.38.167
O1 - Hosts: 70.184.240.203 wws-server2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] c:\program files\norton antivirus\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] c:\PROGRA~1\NORTON~1\npscheck.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Norton AntiVirus\navapw32.exe
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Dell Home - {819D9520-F66E-11D3-9ECC-000102353CE7} - http://www.dellnet.com/ (file missing) (HKCU)
O9 - Extra button: @Home - {FDB5FB24-7875-4372-A146-53CFD5B89353} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .au: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .mid: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .rmf: C:\Program Files\Netscape\Program\PLUGINS\NPBeatSP.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft WFC Forms Designer - file://C:\DOWNLOAD\VISUAL~1\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://C:\DOWNLOAD\VISUAL~1\VJ98\vstudio6.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.07.02-hp&http://h71016.www7.hp.com/dstore/html/interactive/nc8000/model.html?jumpid=ex_r2910_cnet/3dtours_product|nc8000notebook
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://205.150.121.13/CFIDE/classes/CFJava.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://aumail2.american.edu/iNotes6.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://208.232.171.59/ProjectCentral...33/pjcintl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://208.232.171.59/ProjectCentral...s/pjclient.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://wwstudios.webex.com/client/webex/atbootie.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://msdn.one.microsoft.com/Trans...ansferCtrl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://xopus.org/demo/msxml4install/msxml4.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://38.203.215.106/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://wwstudios.webex.com/client/la...ex/ieatgpc.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Verity K2Server (Version 2.20pr6) (k2server) - Unknown owner - C:\CFusionMX\lib\k2server.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NAV Alert - Symantec Corporation - c:\PROGRA~1\NORTON~1\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - c:\PROGRA~1\NORTON~1\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - c:\PROGRA~1\NORTON~1\npssvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe
11-Dec-2006, 07:27 PM
#10
Run Panda ActiveScan here

Once you are on the Panda site click the "Scan your PC" button. A new window will open... click the "Check Now" button.

Enter your Country. Enter your State/Province. Enter your e-mail address. Select either Home User or Company. Click the big "Scan Now" button.

If it wants to install an ActiveX component allow it. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes). When download is complete, click on "Local Disks" to start the scan.

When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.

Post a new HiJack This log along with the results from ActiveScan.
Microsoft MVP/Windows - Consumer Security
11-Dec-2006, 11:59 PM
#11
Logfile of HijackThis v1.99.1
Scan saved at 11:51:26 PM, on 12/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
c:\PROGRA~1\NORTON~1\navapsvc.exe
c:\PROGRA~1\NORTON~1\npssvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Subversion\bin\SVNService.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\NORTON~1\alertsvc.exe
C:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
C:\program files\norton antivirus\POProxy.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\WINDOWS\System32\mdm.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.warezoracle.com/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Program Files\Netscape\Users\andrew\prefs.js)
O1 - Hosts: 70.184.240.199 wws-devweb1 #was 216.177.38.163
O1 - Hosts: 70.184.240.201 wws-demo #was 216.177.38.167
O1 - Hosts: 70.184.240.203 wws-server2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] c:\program files\norton antivirus\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] c:\PROGRA~1\NORTON~1\npscheck.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Norton AntiVirus\navapw32.exe
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Dell Home - {819D9520-F66E-11D3-9ECC-000102353CE7} - http://www.dellnet.com/ (file missing) (HKCU)
O9 - Extra button: @Home - {FDB5FB24-7875-4372-A146-53CFD5B89353} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .au: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .mid: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .rmf: C:\Program Files\Netscape\Program\PLUGINS\NPBeatSP.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft WFC Forms Designer - file://C:\DOWNLOAD\VISUAL~1\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://C:\DOWNLOAD\VISUAL~1\VJ98\vstudio6.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.07.02-hp&http://h71016.www7.hp.com/dstore/html/interactive/nc8000/model.html?jumpid=ex_r2910_cnet/3dtours_product|nc8000notebook
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://205.150.121.13/CFIDE/classes/CFJava.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://aumail2.american.edu/iNotes6.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://208.232.171.59/ProjectCentral...33/pjcintl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://208.232.171.59/ProjectCentral...s/pjclient.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://wwstudios.webex.com/client/webex/atbootie.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://msdn.one.microsoft.com/Trans...ansferCtrl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://xopus.org/demo/msxml4install/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://38.203.215.106/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://wwstudios.webex.com/client/la...ex/ieatgpc.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc.
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Verity K2Server (Version 2.20pr6) (k2server) - Unknown owner - C:\CFusionMX\lib\k2server.exe O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe O23 - Service: NAV Alert - Symantec Corporation - c:\PROGRA~1\NORTON~1\alertsvc.exe O23 - Service: NAV Auto-Protect - Symantec Corporation - c:\PROGRA~1\NORTON~1\navapsvc.exe O23 - Service: Norton Program Scheduler - Symantec Corporation - c:\PROGRA~1\NORTON~1\npssvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe Incident Status Location Hacktool:Rootkit/Rustock Not disinfected C:\WINDOWS\SYSTEM32\LZX32.SYS Spyware:Cookie/Preferences Not disinfected C:\WINDOWS\SYSTEM32\Perflib_Perfdata_e68.dat Virus:Trj/Lager.CY Disinfected C:\WINDOWS\SYSTEM32\google.png.exe Virus:W32/Banwarum.H.worm Disinfected C:\WINDOWS\SYSTEM32\ss.exe.exe Virus:W32/Nuwar.A.worm Disinfected C:\WINDOWS\SYSTEM32\w.exe.exe Virus:Trj/Downloader.LUD Disinfected C:\WINDOWS\SYSTEM32\z26065715868.exe Virus:Trj/Agent.DJB Disinfected C:\WINDOWS\SYSTEM32\ICF.EXE Spyware:Cookie/Outster Not disinfected C:\WINDOWS\Cookies\default@outster[1].txt Spyware:Cookie/LinkExchange Not disinfected C:\WINDOWS\Cookies\default@linkexchange[1].txt Virus:W97M/Thus.A Disinfected C:\Program Files\Netscape\Users\ANDREW\Mail\Trash[Awards Nomination Form.doc] Virus:Bck/mIRCBased.AC Disinfected C:\Program Files\mirc\mirc32.exe 
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\Program Files\Serv-UFTP\Serv-U32.exe Spyware:Cookie/Statcounter Not disinfected C:\FOUND.000\FILE0013.CHK Virus:W32/Mimail.L.worm Disinfected Archive Folders\Sent Items\FW: We are going to bill your credit card\test.exe Virus:W32/Mydoom.N.worm Disinfected Archive Folders\Sent Items\FW: andrew@wwstudios.com\andrew@wwstudio...tudios.com.doc .exe] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\DEFAULT\Desktop\SMIT\SmitfraudFix\Process.exe Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\DEFAULT\Cookies\rudebwoy@statcounter[2].txt Potentially unwanted tool:Application/Processor Not disinfected C:\SMIT\SmitfraudFix\Process.exe Possible Virus. Not disinfected E:\Downloads\Games\Rogue Spear\Install.exe Possible Virus. Not disinfected E:\Downloads\Games\Rogue Spear\MYTRUO01.ZIP[Install.exe] Potentially unwanted tool:Application/ServUBased.A Not disinfected E:\Downloads\ServeUFTP\SUSETUP.ZIP[Setup.exe][SERV-U32.EXE] Potentially unwanted tool:Application/ServUBased.A Not disinfected E:\Downloads\ServU25\SERVU25D.ZIP[Setup.exe][SERV-U32.EXE] |
12-Dec-2006, 09:44 AM
#12
Download GMER to the Desktop: http://www.gmer.net/files.php
1. Right click the zipped file and select: Extract all
2. Follow the Extraction Wizard prompts
3. Double click GMER.exe
4. If a security warning appears, allow the program to run
5. If GMER detects rootkit activity, you are prompted to scan immediately. Click Yes to begin the scan.
6. If you are not prompted to Scan: In the Rootkit tab, make sure all the boxes on the right of the screen are checked, except for "Show All". Click the Scan button.
7. Once the scan is done, click: Copy
Please post the GMER results in your reply.
__________________
Microsoft MVP/Windows - Consumer Security
12-Dec-2006, 08:55 PM
#13
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-12 20:47:10
Windows 5.0.2195 Service Pack 4

---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwClose
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwFlushKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 77F828C8 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateSection 77F85EB0 5 Bytes JMP 72033FC8
.text ntdll.dll!NtCreateProcess 77F92362 5 Bytes JMP 72034135

---- EOF - GMER 1.0.12 ----
13-Dec-2006, 09:45 AM
#14
1. Please download The Avenger by Swandog46 to your Desktop.
2. Copy the entire contents of the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Quote:
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java:
__________________
Microsoft MVP/Windows - Consumer Security
13-Dec-2006, 08:10 PM
#15
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hcsmufgt

*******************

Script file located at: \??\C:\oothfcsi.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\msasvc.exe not found!
Deletion of file C:\WINDOWS\system32\msasvc.exe failed!
Could not process line:
C:\WINDOWS\system32\msasvc.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\LZX32.SYS deleted successfully.

Registry key \Registry\Machine\System\CurrentControlSet\Services\lzx32 not found!
Unload of driver lzx32 failed!
Could not process line:
lzx32
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 8:03:22 PM, on 12/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
c:\PROGRA~1\NORTON~1\navapsvc.exe
c:\PROGRA~1\NORTON~1\npssvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Subversion\bin\SVNService.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\NORTON~1\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
C:\program files\norton antivirus\POProxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.warezoracle.com/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hotmail.com/"); (C:\Program Files\Netscape\Users\andrew\prefs.js)
O1 - Hosts: 70.184.240.199 wws-devweb1 #was 216.177.38.163
O1 - Hosts: 70.184.240.201 wws-demo #was 216.177.38.167
O1 - Hosts: 70.184.240.203 wws-server2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\progra~1\logitech\mouse\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] c:\program files\norton antivirus\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] c:\PROGRA~1\NORTON~1\npscheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = Norton AntiVirus\navapw32.exe
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Dell Home - {819D9520-F66E-11D3-9ECC-000102353CE7} - http://www.dellnet.com/ (file missing) (HKCU)
O9 - Extra button: @Home - {FDB5FB24-7875-4372-A146-53CFD5B89353} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .au: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .mid: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O12 - Plugin for .rmf: C:\Program Files\Netscape\Program\PLUGINS\NPBeatSP.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft WFC Forms Designer - file://C:\DOWNLOAD\VISUAL~1\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://C:\DOWNLOAD\VISUAL~1\VJ98\vstudio6.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.07.02-hp&http://h71016.www7.hp.com/dstore/html/interactive/nc8000/model.html?jumpid=ex_r2910_cnet/3dtours_product|nc8000notebook
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://205.150.121.13/CFIDE/classes/CFJava.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://aumail2.american.edu/iNotes6.cab
O16 - DPF: {3D679FAC-C75F-11D2-A4D6-00C04F68FE3A} (PJ9enuC Class) - http://208.232.171.59/ProjectCentral...33/pjcintl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/995...TunesSetup.exe
O16 - DPF: {484A7A26-FDB0-11D0-8D2B-00C04FB92E89} (MS Project Text Conversion Class) - http://208.232.171.59/ProjectCentral...s/pjclient.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://wwstudios.webex.com/client/webex/atbootie.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://msdn.one.microsoft.com/Trans...ansferCtrl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://xopus.org/demo/msxml4install/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://38.203.215.106/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://wwstudios.webex.com/client/la...ex/ieatgpc.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Verity K2Server (Version 2.20pr6) (k2server) - Unknown owner - C:\CFusionMX\lib\k2server.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NAV Alert - Symantec Corporation - c:\PROGRA~1\NORTON~1\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - c:\PROGRA~1\NORTON~1\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - c:\PROGRA~1\NORTON~1\npssvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe