My computer has been acting up lately...


naroth

Thread Starter
Joined
Jul 6, 2007
Messages
9
Hi,
My computer seems to have been infected by a couple of trojans but BitDefender can't seem to get it at its source as it keeps coming back. I read another thread and did some of the steps. I ran vundofix and combofix but it still has me paranoid and I was wondering if someone could please look over the hijackthis log and tell me how I'm doing. Thanks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:20:31 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6426
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - file://E:\LTOCX14N.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 5770 bytes
 
Joined
Sep 8, 2005
Messages
9,113
Welcome to TSG :)

Please post the combofix log, you can find it here C:\Combofix.txt
 

naroth

Thread Starter
Joined
Jul 6, 2007
Messages
9
Here's the combofix log. Thanks for the help
"Owner" - 2007-07-06 23:18:41 - ComboFix 07-07-04.4 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))


2007-07-06 18:47 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-06 18:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-06 18:38 <DIR> d-------- C:\VundoFix Backups
2007-07-06 18:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-06 18:21 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-06 01:33 528 --a------ C:\WINDOWS\eReg.dat
2007-07-06 01:33 <DIR> d-------- C:\Program Files\Maxis
2007-07-06 00:12 144,896 --a------ C:\WINDOWS\system32\schannel.dll
2007-07-05 19:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-05 19:28 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\SUPERAntiSpyware.com
2007-07-05 19:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-05 19:11 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\.housecall6.6
2007-07-05 18:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-05 18:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-05 18:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-05 03:25 <DIR> d-------- C:\Program Files\sXe Injected
2007-07-05 03:06 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2007-07-01 06:06 1,872,812 ---hs---- C:\WINDOWS\system32\gjkkj.ini2
2007-06-30 20:53 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-30 20:53 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-30 20:53 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-30 20:53 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-30 20:53 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-30 20:53 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-30 20:53 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\PC Tools
2007-06-30 20:52 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-30 20:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Help
2007-06-30 20:32 <DIR> d-------- C:\WINDOWS\pss
2007-06-30 19:07 <DIR> d-------- C:\Program Files\Easy SpyRemover
2007-06-28 15:17 64,808 --a------ C:\WINDOWS\War3Unin.dat
2007-06-28 15:17 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-06-28 15:17 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-06-28 15:16 <DIR> d-------- C:\Program Files\Warcraft III
2007-06-27 23:01 <DIR> d-------- C:\temp_dvd
2007-06-27 23:01 <DIR> d-------- C:\Program Files\Dvd-cloner
2007-06-27 22:56 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Webroot
2007-06-27 22:17 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-06-27 22:12 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Bitdefender
2007-06-27 22:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-06-27 16:10 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Systweak
2007-06-27 16:07 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2007-06-26 14:50 56 -r-hs---- C:\WINDOWS\system32\B1FF19A1E2.sys
2007-06-26 14:50 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-26 14:49 <DIR> d-------- C:\Program Files\Enterbrain
2007-06-26 14:49 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
2007-06-26 13:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Ahead
2007-06-26 13:42 <DIR> d-------- C:\Program Files\Nero
2007-06-26 13:42 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-26 13:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-26 13:24 <DIR> d-------- C:\Program Files\LimeWire
2007-06-26 13:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\Incomplete
2007-06-26 13:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\LimeWire
2007-06-25 20:20 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-25 18:10 <DIR> d-------- C:\divx
2007-06-24 14:32 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\DivX
2007-06-24 14:29 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-24 14:29 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-24 14:29 <DIR> d-------- C:\Program Files\DivX
2007-06-24 12:07 967 --a------ C:\WINDOWS\ScUnin.pif
2007-06-24 12:07 70,656 --a------ C:\WINDOWS\ScUnin.exe
2007-06-24 12:07 32,845 --a------ C:\WINDOWS\scunin.dat
2007-06-24 12:07 <DIR> d-------- C:\Program Files\Starcraft
2007-06-24 12:04 <DIR> d-------- C:\Program Files\Trillian
2007-06-24 12:04 <DIR> d-------- C:\Program Files\Alex Feinman
2007-06-24 12:01 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WhenU
2007-06-24 02:35 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-24 01:45 <DIR> d-------- C:\Program Files\Vstplugins
2007-06-24 01:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Publish Providers
2007-06-24 01:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\NetMedia Providers
2007-06-24 01:43 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-06-24 01:43 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-06-24 01:43 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Sony
2007-06-24 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony
2007-06-24 01:42 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-06-24 01:40 <DIR> d-------- C:\Program Files\Sony
2007-06-24 01:39 <DIR> d-------- C:\Program Files\Sony Setup
2007-06-23 23:27 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Azureus
2007-06-23 23:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-23 23:26 <DIR> d-------- C:\Program Files\Azureus
2007-06-23 04:33 1,156 --a------ C:\WINDOWS\mozver.dat
2007-06-11 23:14 <DIR> d-------- C:\WINDOWS\vbSkinner
2007-06-11 23:11 <DIR> d-------- C:\Program Files\PFConfig
2007-06-11 22:50 <DIR> d-------- C:\Program Files\WinMX
2007-06-09 19:31 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\CyberLink
2007-06-09 19:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 06:37:29 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-05 04:32:21 -------- d-----w C:\Program Files\Soulseek
2007-07-01 01:11:49 -------- d-----w C:\Program Files\Google
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 18:49:05 -------- d-----w C:\Program Files\XBCD
2007-05-29 07:17:41 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\AdobeUM
2007-05-29 01:20:28 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Roxio
2007-05-29 01:15:32 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-05-29 01:14:07 -------- d-----w C:\Program Files\Roxio
2007-05-29 00:25:12 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Viewpoint
2007-05-28 00:32:10 -------- d-----w C:\Program Files\Pure Networks
2007-05-27 11:20:38 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-27 11:17:52 -------- d-----w C:\Program Files\Winamp
2007-05-27 11:11:39 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-27 11:11:24 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\AOL
2007-05-27 10:14:32 -------- d-----w C:\Program Files\BigFix
2007-05-26 23:17:37 -------- d-----w C:\Program Files\Safer Networking
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 06:39:03 2,250 ----a-w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\wklnhst.dat
2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 03:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 03:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-06-27 23:19]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 01:48]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjg]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7245e7-936a-11db-9fa6-00e0b8b6ed76}]
AutoRun\command- explorer.exe /select,"\Diagnostic"

*Newly Created Service* - APPMGMT
*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 23:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************

Completion time: 2007-07-06 23:24:05
C:\ComboFix-quarantined-files.txt ... 2007-07-06 23:24
C:\ComboFix2.txt ... 2007-07-06 19:04
C:\ComboFix3.txt ... 2007-07-06 18:52

--- E O F ---
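As an added example that is not part of the thread, here is a small Python triage script that applies, mechanically, the checks a log helper makes by eye on the entry types present in the two logs above: a Winlogon Notify subkey with no DLL file behind it (the jkkjg entry), a populated AppInit_DLLs value, a Winsock LSP HijackThis does not recognise, and hidden+system files in system32 from the ComboFix file list. The sample lines are copied from the logs in this thread; the severity labels and the expected-extension list are my own heuristics, not HijackThis or ComboFix output.

```python
"""Heuristic triage of HijackThis / ComboFix log lines (added example, not from the thread)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "review" = confirm against a known-good list
    reason: str
    line: str


# Constructed sample: a handful of lines copied from the two logs posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\
2007-07-01 06:06 1,872,812 ---hs---- C:\WINDOWS\system32\gjkkj.ini2
2007-07-05 19:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-30 20:52 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
"appinit_dlls"=sockspy.dll
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
APPINIT_RE = re.compile(r'^"appinit_dlls"=(?P<value>.*)$', re.IGNORECASE)
# ComboFix "Files Created" line: date time size-or-<DIR> attribute-flags path
CF_FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
# Extensions a hidden+system file in system32 would normally carry (my assumption).
EXPECTED_EXT = {".dll", ".sys", ".exe"}


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = raw.strip()

    m = O20_RE.match(line)
    if m:
        path = m.group("path")
        # Winlogon Notify must point at a DLL. A bare directory means the DLL was
        # deleted or is hidden while the registry subkey survived; the orphaned
        # subkey still needs removing or the package can be re-dropped.
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            return Finding("high", "Winlogon Notify subkey without a DLL file", line)
        return None

    m = O10_RE.match(line)
    if m:
        # HijackThis could not match the LSP against its whitelist; an LSP sees
        # all socket traffic, so confirm the file's publisher before trusting it.
        return Finding("review", "Winsock LSP not recognised by HijackThis", line)

    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs is loaded into every process that maps user32.dll, which
        # is why it is a classic persistence point; it is empty on a clean box.
        if m.group("value").strip():
            return Finding("high", "AppInit_DLLs is populated", line)
        return None

    m = CF_FILE_RE.match(line)
    if m:
        attrs, path = m.group("attrs"), m.group("path")
        hidden_system = "h" in attrs and "s" in attrs
        if hidden_system and "\\system32\\" in path.lower():
            ext = ntpath.splitext(path)[1].lower()
            # An odd extension (.ini2 here) on a hidden+system file is the
            # stronger signal; .sys/.dll still warrants a look but less urgently.
            sev = "high" if ext not in EXPECTED_EXT else "review"
            return Finding(sev, "hidden+system file in system32", line)
        return None

    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```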
 
Joined
Sep 8, 2005
Messages
9,113
Please download the attached file named CFScript.txt and Save it to your Desktop.



Referring to the picture above, drag CFScript.txt into ComboFix.exe


In your next reply, please post a fresh Combofix log and a fresh Hijackthis log.


Do not run on any other computer!!!! The attached file CFScript.txt is created for this specific computer. Running it on another system could cause it to crash or worse.


==================================

Please perform a scan with Kaspersky Webscan Online Virus Scanner
1. Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
2. Read the Requirements and Privacy statement, then select "Accept".
3. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
4. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
5. When the download is complete it will say ready, click "Next".
6. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
7. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
8. Click "OK".
9. Under "Select a target to scan", click on "My Computer".
10. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!'


In your next reply, please include the log from Kaspersky. Thanks
 


naroth

Thread Starter
Joined
Jul 6, 2007
Messages
9
Hijackthis log-
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:23:06 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6426
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - file://E:\LTOCX14N.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 5710 bytes

combofix log-
"Owner" - 2007-07-07 20:00:39 - ComboFix 07-07-04.4 - Service Pack 2
Command switches used :: C:\Documents and Settings\Owner.YOUR-B65D9311C0\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gjkkj.ini2


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-07 17:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-07 17:23 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-07 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-06 18:47 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-06 18:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-06 18:38 <DIR> d-------- C:\VundoFix Backups
2007-07-06 18:22 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-06 18:21 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-06 01:33 528 --a------ C:\WINDOWS\eReg.dat
2007-07-06 01:33 <DIR> d-------- C:\Program Files\Maxis
2007-07-06 00:12 144,896 --a------ C:\WINDOWS\system32\schannel.dll
2007-07-05 19:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-05 19:28 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\SUPERAntiSpyware.com
2007-07-05 19:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-05 19:11 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\.housecall6.6
2007-07-05 18:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-05 18:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-05 18:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-05 03:25 <DIR> d-------- C:\Program Files\sXe Injected
2007-07-05 03:06 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2007-06-30 20:53 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-30 20:53 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-30 20:53 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-30 20:53 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-30 20:53 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-30 20:53 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-30 20:53 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\PC Tools
2007-06-30 20:52 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-30 20:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Help
2007-06-30 20:32 <DIR> d-------- C:\WINDOWS\pss
2007-06-30 19:07 <DIR> d-------- C:\Program Files\Easy SpyRemover
2007-06-28 15:17 64,808 --a------ C:\WINDOWS\War3Unin.dat
2007-06-28 15:17 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-06-28 15:17 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-06-28 15:16 <DIR> d-------- C:\Program Files\Warcraft III
2007-06-27 23:01 <DIR> d-------- C:\temp_dvd
2007-06-27 23:01 <DIR> d-------- C:\Program Files\Dvd-cloner
2007-06-27 22:56 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Webroot
2007-06-27 22:17 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-06-27 22:12 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Bitdefender
2007-06-27 22:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-06-27 16:10 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Systweak
2007-06-27 16:07 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2007-06-26 14:50 56 -r-hs---- C:\WINDOWS\system32\B1FF19A1E2.sys
2007-06-26 14:50 1,890 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-26 14:49 <DIR> d-------- C:\Program Files\Enterbrain
2007-06-26 14:49 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
2007-06-26 13:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Ahead
2007-06-26 13:42 <DIR> d-------- C:\Program Files\Nero
2007-06-26 13:42 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-26 13:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-26 13:24 <DIR> d-------- C:\Program Files\LimeWire
2007-06-26 13:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\Incomplete
2007-06-26 13:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\LimeWire
2007-06-25 20:20 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-25 18:10 <DIR> d-------- C:\divx
2007-06-24 14:32 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\DivX
2007-06-24 14:29 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-06-24 14:29 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-06-24 14:29 <DIR> d-------- C:\Program Files\DivX
2007-06-24 12:07 967 --a------ C:\WINDOWS\ScUnin.pif
2007-06-24 12:07 70,656 --a------ C:\WINDOWS\ScUnin.exe
2007-06-24 12:07 32,845 --a------ C:\WINDOWS\scunin.dat
2007-06-24 12:07 <DIR> d-------- C:\Program Files\Starcraft
2007-06-24 12:04 <DIR> d-------- C:\Program Files\Trillian
2007-06-24 12:04 <DIR> d-------- C:\Program Files\Alex Feinman
2007-06-24 12:01 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\WhenU
2007-06-24 02:35 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-24 01:45 <DIR> d-------- C:\Program Files\Vstplugins
2007-06-24 01:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Publish Providers
2007-06-24 01:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\NetMedia Providers
2007-06-24 01:43 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2007-06-24 01:43 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2007-06-24 01:43 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Sony
2007-06-24 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony
2007-06-24 01:42 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-06-24 01:40 <DIR> d-------- C:\Program Files\Sony
2007-06-24 01:39 <DIR> d-------- C:\Program Files\Sony Setup
2007-06-23 23:27 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Azureus
2007-06-23 23:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-23 23:26 <DIR> d-------- C:\Program Files\Azureus
2007-06-23 04:33 1,156 --a------ C:\WINDOWS\mozver.dat
2007-06-11 23:14 <DIR> d-------- C:\WINDOWS\vbSkinner
2007-06-11 23:11 <DIR> d-------- C:\Program Files\PFConfig
2007-06-11 22:50 <DIR> d-------- C:\Program Files\WinMX
2007-06-09 19:31 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\CyberLink
2007-06-09 19:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 06:37:29 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-05 04:32:21 -------- d-----w C:\Program Files\Soulseek
2007-07-01 01:11:49 -------- d-----w C:\Program Files\Google
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 18:49:05 -------- d-----w C:\Program Files\XBCD
2007-05-29 07:17:41 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\AdobeUM
2007-05-29 01:20:28 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Roxio
2007-05-29 01:15:32 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-05-29 01:14:07 -------- d-----w C:\Program Files\Roxio
2007-05-29 00:25:12 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Viewpoint
2007-05-28 00:32:10 -------- d-----w C:\Program Files\Pure Networks
2007-05-27 11:20:38 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-27 11:17:52 -------- d-----w C:\Program Files\Winamp
2007-05-27 11:11:39 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-27 11:11:24 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\AOL
2007-05-27 10:14:32 -------- d-----w C:\Program Files\BigFix
2007-05-26 23:17:37 -------- d-----w C:\Program Files\Safer Networking
2007-05-16 06:39:03 2,250 ----a-w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\wklnhst.dat
2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 03:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 03:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-06-27 23:19]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 01:48]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7245e7-936a-11db-9fa6-00e0b8b6ed76}]
AutoRun\command- explorer.exe /select,"\Diagnostic"


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 20:03:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-07 20:04:14
C:\ComboFix-quarantined-files.txt ... 2007-07-07 20:04
C:\ComboFix2.txt ... 2007-07-06 23:24
C:\ComboFix3.txt ... 2007-07-06 19:04

--- E O F ---

kaspersky log-
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 07, 2007 10:20:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/07/2007
Kaspersky Anti-Virus database records: 359492
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 94871
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:59:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\Application Data\Mozilla\Firefox\Profiles\e2c2lcjn.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\History\History.IE5\MSHist012007070720070708\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.YOUR-B65D9311C0\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Softwin\BitDefender10\asdict.dat Object is locked skipped
C:\Program Files\Softwin\BitDefender10\aspdict.dat Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\master.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\model.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\modellog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\templog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0018181.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP51\A0028030.exe Infected: not-a-virus:AdTool.Win32.WhenU.c skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP51\A0028048.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP53\A0028074.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP67\A0031843.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP68\A0031916.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP74\A0033306.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP74\A0033403.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP83\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{50C5FE09-3538-4850-8028-B4FEE51FC75B}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\bdss.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6e8.dat Object is locked skipped
C:\WINDOWS\Temp\tmp00001ea5\tmp00000000 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP83\change.log Object is locked skipped

Scan process completed.
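For anyone reading this report later, here is an added example (not part of the thread and not a Kaspersky tool) that parses a report in this format and separates the single object the scanner actually flagged from the many "Object is locked" entries, which are files the scanner could not open rather than detections. The sample report is a constructed excerpt using the paths and the detection name copied from the log above; the class and function names are my own assumptions.

```python
"""Parser for a Kaspersky Online Scanner (v5.x) report of the kind posted
above.  Added example, not from the thread or from Kaspersky; the class and
function names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the report's own format; the paths and the detection
# name are copied from the report posted above, the rest of the log is omitted.
SAMPLE_REPORT = r"""
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 07, 2007 10:20:05 PM
Kaspersky Online Scanner version: 5.0.93.0
-------------------------------------------------------------------------------

Scan Statistics:
Total number of scanned objects: 94871
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:59:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP51\A0028030.exe Infected: not-a-virus:AdTool.Win32.WhenU.c skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

Scan process completed.
"""

# One object line: <path with spaces> <verdict> <last action>.  The path is
# matched lazily so the verdict keywords decide where it ends.
_OBJECT_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked|Infected: (?P<name>\S+)|Suspicious: (?P<sname>\S+))"
    r"\s+(?P<action>\S+)$"
)
# Integer statistics such as "Number of infected objects: 1".
_STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>\d+)$")


@dataclass
class ScanObject:
    path: str
    verdict: str               # "locked", "infected" or "suspicious"
    detection: Optional[str]   # detection name, None for locked objects
    action: str                # scanner's last action, e.g. "skipped"

    @property
    def in_system_restore(self) -> bool:
        """True when the object lives inside a System Restore point."""
        return "\\System Volume Information\\_restore{" in self.path


def parse_report(text: str) -> Tuple[Dict[str, int], List[ScanObject]]:
    """Return (integer statistics, object lines) from a report."""
    stats: Dict[str, int] = {}
    objects: List[ScanObject] = []
    in_objects = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Infected Object Name"):
            in_objects = True          # the object table starts here
            continue
        if line == "Scan process completed.":
            break
        if in_objects:
            m = _OBJECT_RE.match(line)
            if m is None:
                continue               # tolerate lines we do not recognise
            if m["name"]:
                verdict, detection = "infected", m["name"]
            elif m["sname"]:
                verdict, detection = "suspicious", m["sname"]
            else:
                verdict, detection = "locked", None
            objects.append(ScanObject(m["path"], verdict, detection, m["action"]))
        else:
            m = _STAT_RE.match(line)
            if m:
                stats[m["key"]] = int(m["value"])
    return stats, objects


def detections(objects: List[ScanObject]) -> List[ScanObject]:
    """Only the objects the scanner actually flagged; locked files are noise."""
    return [o for o in objects if o.verdict != "locked"]


def counts_match(stats: Dict[str, int], objects: List[ScanObject]) -> bool:
    """Cross-check the header statistics against the parsed object lines."""
    infected = sum(1 for o in objects if o.verdict == "infected")
    return stats.get("Number of infected objects") == infected


if __name__ == "__main__":
    stats, objs = parse_report(SAMPLE_REPORT)
    for o in detections(objs):
        where = " (inside a restore point)" if o.in_system_restore else ""
        print(f"{o.verdict}: {o.detection} -> {o.path}{where} [{o.action}]")
```

Run against the posted report, the only flagged object sits under `System Volume Information\_restore{...}`, a System Restore point, and its last action is "skipped"; that is exactly the situation the restore-point advice later in this thread addresses. The `counts_match` check catches a truncated paste, where the header says one infected object but the table no longer contains it.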
 
Joined
Sep 8, 2005
Messages
9,113
Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only


  • Save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.


Better than before we started fixing everything???
 

naroth

Thread Starter
Joined
Jul 6, 2007
Messages
9
I haven't had a single trojan alert from BitDefender. I think it's fixed. Thanks for your time and help. :)
 
Joined
Sep 8, 2005
Messages
9,113
Good (y)

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and to enable your computer to "roll back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  1. The most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  2. If you don't have a Firewall installed, please choose from the following:
  3. If you don't have an Anti-Virus installed, please download the following free program:
  4. Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
    • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive-by downloads.
  5. Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown

    Here are the links to install SiteAdvisor in Internet Explorer and Firefox
  6. Anti-Spyware Programs I Recommend:
  7. For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place
 