
Trouble removing a problem DLL causing slow performance

Discussion in 'Virus & Other Malware Removal' started by jakemachine, Sep 22, 2008.

  1. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    Hi,
    Recently my computer has been running slowly; applications are taking up to 10 seconds to start and Firefox/Internet Explorer take ages to load sites. So after running HijackThis, I noticed an oddity in the log... 'hwxkor32.dll'. A quick search on Google showed this was some kind of virus/malware. I've tried multiple methods to remove it, including safe mode/delete, command-line unregistering, and Ad-Aware (which didn't find it), but it's still there. Anyway, I believe this DLL is the source of my problems, but here is the log just to make sure...


    Logfile of HijackThis v1.99.1
    Scan saved at 5:26:58 PM, on 9/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: HWXKOR - IV - Desktop (hwxkor32) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    Any help or info on how to remove this troublemaker would be greatly appreciated.

    Thanks,
    Jake
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,014
    That is an older version of HijackThis. If you still require assistance with this, please uninstall HijackThis via the Control Panel, download the latest version and post a new log.


    Click here to download HJTsetup.exe.
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished, as doing so makes our job more tedious, with additional new files that may have to be researched, which is very time-consuming.

    Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
     
  3. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    Thanks for the reply... I'll keep the system unchanged until this gets sorted.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:22:43 PM, on 9/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\eMule\emule.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: HWXKOR - IV - Desktop (hwxkor32) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4152 bytes
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,014
    Please visit Combofix Guide & Instructions for instructions on installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
     
  5. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    Here's the combofix log...

    ComboFix 08-09-28.03 - Jake 2008-09-29 17:58:21.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1621 [GMT -7:00]
    Running from: C:\Documents and Settings\Jake\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\Jake\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
    .

    2008-09-29 12:22 . 2008-09-29 12:22 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 21:24 . 2006-10-04 07:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
    2008-09-22 21:24 . 2006-10-04 07:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
    2008-09-22 21:24 . 2006-10-04 07:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
    2008-09-22 15:57 . 2008-08-05 16:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
    2008-09-22 15:57 . 2008-09-22 15:57 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-22 15:45 . 2008-09-22 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-15 18:53 . 2008-09-22 21:21 <DIR> d-------- C:\Program Files\PokerStars
    2008-09-15 14:24 . 2008-09-29 12:10 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-09-14 11:16 . 2008-09-14 11:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-14 11:13 . 2008-09-14 11:13 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-09-10 23:41 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\000001_.tmp
    2008-09-10 22:59 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2008-09-10 22:59 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2008-09-10 22:51 . 2008-09-10 22:51 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-09-10 22:51 . 2008-09-10 22:51 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-09-10 22:46 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\005158_.tmp
    2008-09-10 22:03 . 2007-08-13 18:06 56,700 --a------ C:\WINDOWS\system32\ieuinit.inf
    2008-09-10 22:03 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
    2008-09-10 22:03 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
    2008-09-10 22:02 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002366_.tmp
    2008-09-10 21:52 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2008-09-10 21:52 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp(3).dll
    2008-09-10 21:52 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2008-09-10 21:51 . 2008-07-18 22:09 215,752 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-09-10 21:51 . 2008-07-18 22:09 215,752 --a--c--- C:\WINDOWS\system32\dllcache\wuaucpl.cpl
    2008-09-10 21:47 . 2008-09-10 21:47 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\SUPERAntiSpyware.com
    2008-09-10 21:47 . 2008-09-10 21:47 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\Apple Computer
    2008-09-10 21:46 . 2008-08-05 16:28 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\DivX
    2008-09-10 21:46 . 2008-09-14 20:29 <DIR> d-------- C:\Documents and Settings\Bob Loblaw
    2008-09-10 21:40 . 2003-03-31 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-09-10 21:39 . 2004-08-04 00:56 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
    2008-09-10 21:38 . 2004-08-04 00:56 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
    2008-09-10 21:37 . 2008-07-18 22:09 1,811,656 --a------ C:\WINDOWS\system32\wuaueng.dll
    2008-09-10 21:36 . 2004-08-03 22:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2008-09-10 21:36 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2008-09-10 21:35 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
    2008-09-10 21:35 . 2004-08-04 01:01 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
    2008-09-10 21:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
    2008-09-10 21:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
    2008-09-10 21:35 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2008-09-10 21:35 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser(2).dll
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Program Files\iTunes
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Program Files\iPod
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-09-10 18:35 . 2008-09-10 18:35 <DIR> d-------- C:\Program Files\QuickTime
    2008-09-10 18:34 . 2008-09-05 22:16 1,900,544 --a------ C:\WINDOWS\system32\usbaaplrc.dll
    2008-09-09 22:40 . 2008-09-09 22:40 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\MSN6
    2008-09-09 22:40 . 2008-09-09 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-09 18:08 . 2008-09-09 23:19 <DIR> d-------- C:\Program Files\PokerStars.NET
    2008-09-06 17:24 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-09-06 17:24 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-09-06 17:24 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\ImTOO Software Studio
    2008-09-03 17:28 . 2008-09-03 17:28 <DIR> d-------- C:\temp
    2008-09-03 17:28 . 2008-09-03 17:28 <DIR> d-------- C:\Program Files\Avex
    2008-09-03 17:22 . 2008-09-03 17:22 <DIR> d-------- C:\Program Files\E-Zsoft
    2008-09-03 17:21 . 2008-09-03 17:21 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2008-09-03 16:27 . 2008-09-05 22:16 36,864 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-08-19 23:31 . 2008-08-19 23:31 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\DivX
    2008-08-12 23:00 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-08-10 10:33 . 2008-09-09 23:28 <DIR> d-------- C:\Program Files\Audacity
    2008-08-07 11:45 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-08-07 11:39 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002389_.tmp
    2008-08-07 11:07 . 2003-03-31 05:00 1,086,182 -ra------ C:\WINDOWS\SET67.tmp
    2008-08-07 11:07 . 2003-03-31 05:00 13,608 -ra------ C:\WINDOWS\SET73.tmp
    2008-08-06 13:02 . 2008-08-06 13:02 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-06 13:00 . 2008-08-12 23:00 <DIR> d-------- C:\Program Files\Java
    2008-08-06 13:00 . 2008-08-06 13:00 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-08-06 11:20 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\PeerGuardian2
    2008-08-05 18:14 . 2008-08-05 18:14 <DIR> d-------- C:\Program Files\Music Rescue
    2008-08-05 18:10 . 2008-08-07 00:55 81,984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-08-05 16:52 . 2008-08-05 16:52 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-05 16:52 . 2008-09-28 11:31 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\uTorrent
    2008-08-05 16:47 . 2008-09-14 11:07 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-08-05 16:15 . 2003-03-31 05:00 1,086,182 -ra------ C:\WINDOWS\SET40.tmp
    2008-08-05 16:15 . 2003-03-31 05:00 13,608 -ra------ C:\WINDOWS\SET4C.tmp
    2008-08-04 20:14 . 2008-08-04 20:14 2,422 --a------ C:\WINDOWS\system32\wpa.bak

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-28 10:44 --------- d-----w C:\Program Files\eMule
    2008-09-15 03:32 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-09-15 03:32 --------- d-----w C:\Documents and Settings\Jake\Application Data\SUPERAntiSpyware.com
    2008-09-11 01:35 --------- d-----w C:\Program Files\Common Files\Apple
    2008-09-04 00:10 --------- d-----w C:\Documents and Settings\Jake\Application Data\Apple Computer
    2008-09-03 23:30 --------- d-----w C:\Program Files\Apple Software Update
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet(2)(2).dll
    2008-06-23 16:57 267,776 ----a-w C:\WINDOWS\system32\iertutil(2).dll
    2008-06-23 16:57 267,776 ----a-w C:\WINDOWS\system32\iertutil(2)(2).dll
    2008-06-23 16:57 105,984 ----a-w C:\WINDOWS\system32\url(2)(2).dll
    2008-06-23 16:57 1,159,680 ----a-w C:\WINDOWS\system32\urlmon(2)(2).dll
    2008-06-20 17:46 147,968 ----a-w C:\WINDOWS\system32\dnsapi(2)(2).dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
    "nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6717:TCP"= 6717:TCP:messenger

    S2 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib [ ]

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-RemoveIT Pro XT - C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\cvvmpdi5.default\
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-29 17:59:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-29 17:59:44
    ComboFix-quarantined-files.txt 2008-09-30 00:59:42

    Pre-Run: 246,418,223,104 bytes free
    Post-Run: 246,638,157,824 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    178 --- E O F --- 2008-08-07 16:47:52



    and the hijackthis log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:00:50 PM, on 9/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: HWXKOR - IV - Desktop (hwxkor32) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3978 bytes
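    An added example, not code from this thread nor from HijackThis or ComboFix: a small Python triage script that parses the O23 service lines from the HijackThis logs above and the matching ComboFix service line, and flags the hwxkor32 entry for the reasons a log reader would (no recorded owner, binary reported missing, hosted by rundll32.exe). The field layouts are inferred from the posted lines and the flag rules are assumptions.

```python
"""Triage of the service lines seen in this thread's HijackThis (O23) and ComboFix logs.

Added example; not code from the thread, from HijackThis or from ComboFix.  The field
layouts are inferred from the posted lines, and the three flag rules are assumptions:
a service with no recorded owner, a service whose binary is reported missing, and a
service whose image is rundll32.exe (a launcher, not a service host) each warrant a look."""
import ntpath
import re

# Images that are not legitimate long-running service hosts (assumption).
SUSPECT_HOSTS = {"rundll32.exe"}

# Sample input: O23 lines copied from the HijackThis log posted above.
SAMPLE_O23 = [
    r"O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe",
    r"O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: HWXKOR - IV - Desktop (hwxkor32) - Unknown owner - rundll32.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]
# Sample input: the matching service line from the ComboFix log posted above.
SAMPLE_COMBOFIX = r"S2 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib [ ]"

_O23_PREFIX = "O23 - Service: "
_SHORT_NAME_RE = re.compile(r"^(?P<display>.*) \((?P<name>[^()]+)\)$")
# ComboFix: "<R|S><start type> <name>;<display name>;<command> [<file details>]"
# (R = running, S = stopped, digit = start type; an empty [ ] means no file details
# were read; this reading of the format is an assumption).
_CF_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*?)(?: \[(?P<meta>.*)\])?$")
_RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?),(?P<export>\S+)", re.IGNORECASE)


def parse_o23(line):
    """Split an O23 line into display name, service name, owner and image path.

    The display name may itself contain ' - ' (hwxkor32's does), so the line is
    split from the right: the last two ' - ' separators mark owner and image."""
    if not line.startswith(_O23_PREFIX):
        return None
    parts = line[len(_O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, owner, image = (p.strip() for p in parts)
    m = _SHORT_NAME_RE.match(head)
    display, name = (m.group("display"), m.group("name")) if m else (head, head)
    return {"display": display, "name": name, "owner": owner, "image": image}


def triage_o23(svc):
    """Return the reasons a parsed O23 entry looks suspicious (empty list = clean)."""
    reasons = []
    missing = svc["image"].endswith("(file missing)")
    exe = ntpath.basename(svc["image"].replace("(file missing)", "").strip()).lower()
    if svc["owner"].lower() == "unknown owner":
        reasons.append("no vendor/owner recorded")
    if missing:
        reasons.append("service binary reported missing")
    if exe in SUSPECT_HOSTS:
        reasons.append("service hosted by " + exe)
    return reasons


def suspicious_services(o23_lines):
    """Map service name -> reasons for every O23 line that trips at least one rule."""
    flagged = {}
    for line in o23_lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = triage_o23(svc)
        if reasons:
            flagged[svc["name"]] = reasons
    return flagged


def parse_combofix_service(line):
    """Parse a ComboFix service line and, for rundll32-hosted services, pull out the
    DLL and export it is told to run (the detail HijackThis's 'file missing' line hides)."""
    m = _CF_RE.match(line)
    if not m:
        return None
    svc = {"state": m.group("state"), "name": m.group("name"),
           "display": m.group("display"), "cmd": m.group("cmd"),
           "dll": None, "export": None}
    r = _RUNDLL_RE.search(svc["cmd"])
    if r:
        svc["dll"], svc["export"] = r.group("dll"), r.group("export")
    return svc


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_O23).items():
        print(name, "->", "; ".join(reasons))
    cf = parse_combofix_service(SAMPLE_COMBOFIX)
    print(cf["name"], "runs", cf["dll"], "export", cf["export"])
```

    Run against the four O23 lines it flags only hwxkor32, and the ComboFix line supplies the DLL path and export name that the HijackThis entry only reports as "file missing".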
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,014
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    File::
    C:\WINDOWS\000001_.tmp
    C:\WINDOWS\005158_.tmp
    C:\WINDOWS\002366_.tmp
    C:\WINDOWS\002389_.tmp
    C:\WINDOWS\SET67.tmp
    C:\WINDOWS\SET73.tmp
    C:\WINDOWS\SET40.tmp
    C:\WINDOWS\SET4C.tmp
     
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     
  7. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    Hi again Cookiegal,

    The script was run without any problems. Here are the new logs...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:47 PM, on 9/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: HWXKOR - IV - Desktop (hwxkor32) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3945 bytes





    ComboFix 08-09-28.03 - Jake 2008-09-30 22:52:29.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1661 [GMT -7:00]
    Running from: C:\Documents and Settings\Jake\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\Jake\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\WINDOWS\000001_.tmp
    C:\WINDOWS\002366_.tmp
    C:\WINDOWS\002389_.tmp
    C:\WINDOWS\005158_.tmp
    C:\WINDOWS\SET40.tmp
    C:\WINDOWS\SET4C.tmp
    C:\WINDOWS\SET67.tmp
    C:\WINDOWS\SET73.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\000001_.tmp
    C:\WINDOWS\002366_.tmp
    C:\WINDOWS\002389_.tmp
    C:\WINDOWS\005158_.tmp
    C:\WINDOWS\SET40.tmp
    C:\WINDOWS\SET4C.tmp
    C:\WINDOWS\SET67.tmp
    C:\WINDOWS\SET73.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
    .

    2008-09-29 23:24 . 2008-09-29 23:24 754 --a------ C:\WINDOWS\WORDPAD.INI
    2008-09-29 12:22 . 2008-09-29 12:22 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 21:24 . 2006-10-04 07:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
    2008-09-22 21:24 . 2006-10-04 07:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
    2008-09-22 21:24 . 2006-10-04 07:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
    2008-09-22 15:57 . 2008-08-05 16:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
    2008-09-22 15:57 . 2008-09-22 15:57 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-22 15:45 . 2008-09-22 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-15 18:53 . 2008-09-22 21:21 <DIR> d-------- C:\Program Files\PokerStars
    2008-09-15 14:24 . 2008-09-29 12:10 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-09-14 11:16 . 2008-09-14 11:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-14 11:13 . 2008-09-14 11:13 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-09-10 22:59 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2008-09-10 22:59 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2008-09-10 22:51 . 2008-09-10 22:51 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-09-10 22:51 . 2008-09-10 22:51 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-09-10 22:03 . 2007-08-13 18:06 56,700 --a------ C:\WINDOWS\system32\ieuinit.inf
    2008-09-10 22:03 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
    2008-09-10 22:03 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
    2008-09-10 21:52 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2008-09-10 21:52 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp(3).dll
    2008-09-10 21:52 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2008-09-10 21:51 . 2008-07-18 22:09 215,752 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-09-10 21:51 . 2008-07-18 22:09 215,752 --a--c--- C:\WINDOWS\system32\dllcache\wuaucpl.cpl
    2008-09-10 21:47 . 2008-09-10 21:47 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\SUPERAntiSpyware.com
    2008-09-10 21:47 . 2008-09-10 21:47 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\Apple Computer
    2008-09-10 21:46 . 2008-08-05 16:28 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\DivX
    2008-09-10 21:46 . 2008-09-14 20:29 <DIR> d-------- C:\Documents and Settings\Bob Loblaw
    2008-09-10 21:40 . 2003-03-31 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-09-10 21:39 . 2004-08-04 00:56 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
    2008-09-10 21:38 . 2004-08-04 00:56 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
    2008-09-10 21:37 . 2008-07-18 22:09 1,811,656 --a------ C:\WINDOWS\system32\wuaueng.dll
    2008-09-10 21:36 . 2004-08-03 22:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2008-09-10 21:36 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2008-09-10 21:35 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
    2008-09-10 21:35 . 2004-08-04 01:01 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
    2008-09-10 21:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
    2008-09-10 21:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
    2008-09-10 21:35 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2008-09-10 21:35 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser(2).dll
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Program Files\iTunes
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Program Files\iPod
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-09-10 18:35 . 2008-09-10 18:35 <DIR> d-------- C:\Program Files\QuickTime
    2008-09-10 18:34 . 2008-09-05 22:16 1,900,544 --a------ C:\WINDOWS\system32\usbaaplrc.dll
    2008-09-09 22:40 . 2008-09-09 22:40 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\MSN6
    2008-09-09 22:40 . 2008-09-09 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-09 18:08 . 2008-09-09 23:19 <DIR> d-------- C:\Program Files\PokerStars.NET
    2008-09-06 17:24 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-09-06 17:24 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-09-06 17:24 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
    2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\ImTOO Software Studio
    2008-09-03 17:28 . 2008-09-03 17:28 <DIR> d-------- C:\temp
    2008-09-03 17:28 . 2008-09-03 17:28 <DIR> d-------- C:\Program Files\Avex
    2008-09-03 17:22 . 2008-09-03 17:22 <DIR> d-------- C:\Program Files\E-Zsoft
    2008-09-03 17:21 . 2008-09-03 17:21 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2008-09-03 16:27 . 2008-09-05 22:16 36,864 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-01 03:01 --------- d-----w C:\Program Files\PeerGuardian2
    2008-10-01 03:01 --------- d-----w C:\Documents and Settings\Jake\Application Data\uTorrent
    2008-09-28 10:44 --------- d-----w C:\Program Files\eMule
    2008-09-15 03:32 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-09-15 03:32 --------- d-----w C:\Documents and Settings\Jake\Application Data\SUPERAntiSpyware.com
    2008-09-11 01:35 --------- d-----w C:\Program Files\Common Files\Apple
    2008-09-10 06:28 --------- d-----w C:\Program Files\Audacity
    2008-09-04 00:10 --------- d-----w C:\Documents and Settings\Jake\Application Data\Apple Computer
    2008-09-03 23:30 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-20 06:31 --------- d-----w C:\Documents and Settings\Jake\Application Data\DivX
    2008-08-13 06:00 --------- d-----w C:\Program Files\Java
    2008-08-07 07:55 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-08-06 20:00 --------- d-----w C:\Program Files\Common Files\Java
    2008-08-06 01:14 --------- d-----w C:\Program Files\Music Rescue
    2008-08-05 23:52 --------- d-----w C:\Program Files\uTorrent
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
    "nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6717:TCP"= 6717:TCP:messenger

    S2 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib [ ]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-30 22:53:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-30 22:54:04
    ComboFix-quarantined-files.txt 2008-10-01 05:54:01
    ComboFix2.txt 2008-09-30 00:59:44

    Pre-Run: 245,899,190,272 bytes free
    Post-Run: 245,891,088,384 bytes free

    167 --- E O F --- 2008-08-07 16:47:52
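The ComboFix output above is the first place the persistence mechanism is visible in full. The line `S2 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib [ ]` is an auto-start service whose ImagePath launches rundll32.exe with the DLL and an export name (`yjib`) as arguments, so the DLL runs inside a Microsoft-signed host process. HijackThis shows only the first token of that command, `rundll32.exe (file missing)`, so the DLL itself never appears in the O23 line. ComboFix normally prints the target file's date and size inside the brackets; the empty `[ ]` is consistent with the DLL having already been deleted (the thread starter removed it in safe mode), which leaves a registry-only artefact that file-based scanners such as Ad-Aware and Malwarebytes have nothing to report on. The other item worth noticing is `"AntiVirusOverride"=dword:00000001` under the Security Center key, which tells Windows Security Center not to warn that no anti-virus product is present.

The Python below is an added example, not part of this thread or of ComboFix/HijackThis. It parses those three line shapes from a constructed excerpt of the logs above and reports what a reviewer would flag; the NVSvc lines serve as a benign control and their date/size stamp is made up.

```python
"""Triage ComboFix and HijackThis log lines for rundll32-hosted services.

Added example for this thread; it is not part of ComboFix, HijackThis or the
forum post. It recognises three line shapes that appear in the logs above:
  - ComboFix "Reg Loading Points" service lines:  S2 name;display;image [date size]
  - HijackThis O23 service lines, with their optional "(file missing)" suffix
  - REGEDIT4 Security Center values such as "AntiVirusOverride"=dword:00000001
"""
import re

# Constructed sample input. The hwxkor32 lines and the AntiVirusOverride value
# are copied from the logs posted above; the NVSvc lines are a benign control
# and the date/size stamp on the NVSvc ComboFix line is made up.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

S2 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib [ ]
S2 NVSvc;NVIDIA Display Driver Service;C:\WINDOWS\system32\nvsvc32.exe [2007-12-05 163840]

O23 - Service: HWXKOR - IV - Desktop (hwxkor32) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Start type (S2, S3, R2...), then name;display;image, then ComboFix's "[date size]".
# Empty brackets mean ComboFix found no file at the path the ImagePath points to.
CF_SERVICE = re.compile(
    r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]$"
)
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# "rundll32.exe <dll>,<export>", with or without a directory in front of rundll32.
RUNDLL = re.compile(r"^(?:.*\\)?rundll32(?:\.exe)?\s+(?P<dll>[^,]+?)\s*,\s*(?P<export>\S+)", re.I)
SECCENTER_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\]$", re.I)
OVERRIDE = re.compile(r'^"(?P<name>\w+Override)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def parse_rundll_image(image):
    """Return (dll_path, export) when an ImagePath uses rundll32 as its host, else None."""
    m = RUNDLL.match(image.strip())
    return (m.group("dll"), m.group("export")) if m else None


def triage(log_text):
    """Return findings as dicts with 'kind', 'name' and 'detail' keys."""
    findings = []
    in_seccenter = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_seccenter = False            # a blank line ends a REGEDIT4 key block
            continue
        if line.startswith("[") and line.endswith("]"):
            in_seccenter = bool(SECCENTER_KEY.match(line))
            continue
        if in_seccenter:
            m = OVERRIDE.match(line)
            if m and int(m.group("val"), 16) != 0:
                findings.append({"kind": "seccenter_override", "name": m.group("name"),
                                 "detail": "Security Center is told not to warn about this product class"})
            continue
        m = CF_SERVICE.match(line)
        if m:
            hosted = parse_rundll_image(m.group("image"))
            if hosted:
                dll, export = hosted
                detail = "service starts rundll32.exe to call %s!%s" % (dll, export)
                if not m.group("stamp").strip():
                    detail += "; file not found on disk, only the registry entry remains"
                findings.append({"kind": "rundll32_service", "name": m.group("name"), "detail": detail})
            continue
        m = HJT_O23.match(line)
        if m and m.group("missing"):
            findings.append({"kind": "hjt_missing_service", "name": m.group("name"),
                             "detail": "HijackThis shows only '%s'; read the full ImagePath from ComboFix"
                                       % m.group("path")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-20s %-10s %s" % (f["kind"], f["name"], f["detail"]))
```

Run against the sample it reports three findings (the rundll32-hosted service with its missing DLL, the matching HijackThis "(file missing)" line, and the AntiVirusOverride value) and nothing for NVSvc. The ComboFix service line, not the HijackThis one, is the one to read when deciding what to remove, because only it carries the DLL path and export.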
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,014
    Please download Malwarebytes Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply along with a new HijackThis log please.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  9. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    Malwarebytes' Anti-Malware 1.28
    Database version: 1226
    Windows 5.1.2600 Service Pack 2

    10/1/2008 11:21:23 PM
    mbam-log-2008-10-01 (23-21-23).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 90085
    Time elapsed: 22 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:21:59 PM, on 10/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: HWXKOR - IV - Desktop (hwxkor32) - Unknown owner - rundll32.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3979 bytes
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,014
    Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, the Advanced Options Menu should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.
     
  11. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    SDFix: Version 1.231
    Run by Administrator on Mon 10/06/2008 at 10:31 AM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-06 10:42:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :



    Files with Hidden Attributes :

    Tue 5 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Wed 10 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Mon 22 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
    Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
    Wed 6 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BIT10.tmp"

    Finished!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:45:24 AM, on 10/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3893 bytes
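The `Authorized Application Key Export` section of the SDFix report above is the Windows XP SP2 firewall exception list in REGEDIT4 form. Each value reads `"<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"`; a scope of `*` means any remote address, and a display name such as `@xpsp2res.dll,-22019` is a resource reference used by Windows' own entries (forum software commonly renders the `:@` sequence as a `:mad:` smiley, so the sample below uses the literal `@`).

The Python below is an added example, not part of SDFix or of this thread. It parses that export, expands `%windir%` (assumed to be `C:\WINDOWS`, which matches every path in the logs), and lists the third-party programs allowed inbound connections from any remote address. On this machine that is eMule, µTorrent, Firefox and iTunes; two P2P clients with wide-open inbound exceptions on a host running no anti-virus is worth a mention in a cleanup, although nothing on this page shows they were the infection vector.

```python
"""Parse a Windows XP SP2 firewall AuthorizedApplications export.

Added example for this thread; not part of SDFix or the forum post. SDFix prints
the exception list as REGEDIT4 text, one value per allowed program:
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
A scope of "*" means any remote address; a display name such as
"@xpsp2res.dll,-22019" is a resource reference used by Windows' own entries.
"""
import re

# Constructed sample: the six standardprofile values from the SDFix report above,
# with the literal "@" that the forum software turned into a ":mad:" smiley.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
'''

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
PROFILE = re.compile(r"firewallpolicy\\(?P<profile>\w+)\\authorizedapplications\\list$", re.I)


def unescape(s):
    """Undo REGEDIT4 escaping: a backslash quotes the character that follows it."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_authorized_apps(text, windir=r"C:\WINDOWS"):
    """Return one dict per firewall exception.

    %windir% is expanded with the given value; the default is an assumption
    that matches the paths seen in this thread.
    """
    entries = []
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            p = PROFILE.search(k.group("key"))
            profile = p.group("profile").lower() if p else None
            continue
        v = VALUE_LINE.match(line)
        if not v or profile is None:
            continue
        # Split from the right: the path itself contains the drive colon ("C:").
        parts = unescape(v.group("data")).rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, status, display = parts
        path = re.sub(r"%windir%", lambda _: windir, path, flags=re.I)
        entries.append({
            "profile": profile,
            "path": path,
            "scope": scope,
            "enabled": status.lower() == "enabled",
            "name": display,
            "builtin_name": display.startswith("@"),
        })
    return entries


def wide_open_third_party(entries, windir=r"C:\WINDOWS"):
    """Paths of enabled exceptions open to any remote address whose program
    lives outside the Windows directory."""
    prefix = windir.lower().rstrip("\\") + "\\"
    return [e["path"] for e in entries
            if e["enabled"] and e["scope"] == "*"
            and not e["path"].lower().startswith(prefix)]


if __name__ == "__main__":
    apps = parse_authorized_apps(SAMPLE_EXPORT)
    for path in wide_open_third_party(apps):
        print("open to any remote address:", path)
```

The right-to-left split is the one detail that matters when parsing this format: splitting on the first colon would break every entry at the drive letter. The same parser handles the domainprofile key, since the profile name is taken from the key path rather than hard-coded.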
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,014
    Why are you not running any anti-virus program?

    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    Driver::
    HWXKOR

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot omitted]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     
  13. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    Hi Cookiegal,
    I wasn't running any anti-virus because whenever I tried to install one, it would do more harm than good during the infection. Once you've decided the computer is clean, I will update Windows with the latest fixes and install the BitDefender software I have purchased. Again, thanks for your help.

    Jake


    ComboFix 08-10-06.05 - Jake 2008-10-07 0:33:34.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1701 [GMT -7:00]
    Running from: C:\Documents and Settings\Jake\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\Jake\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
    .

    2008-10-06 10:31 . 2008-10-06 10:31 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
    2008-10-06 10:30 . 2008-10-06 10:30 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-10-01 22:56 . 2008-10-01 22:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-01 22:56 . 2008-10-01 22:56 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\Malwarebytes
    2008-10-01 22:56 . 2008-10-01 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-01 22:56 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-01 22:56 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-29 23:24 . 2008-09-29 23:24 754 --a------ C:\WINDOWS\WORDPAD.INI
    2008-09-29 12:22 . 2008-09-29 12:22 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 21:24 . 2006-10-04 07:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
    2008-09-22 21:24 . 2006-10-04 07:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
    2008-09-22 21:24 . 2006-10-04 07:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
    2008-09-22 15:57 . 2008-08-05 16:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
    2008-09-22 15:57 . 2008-09-22 15:57 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-22 15:45 . 2008-09-22 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-15 18:53 . 2008-09-22 21:21 <DIR> d-------- C:\Program Files\PokerStars
    2008-09-15 14:24 . 2008-09-29 12:10 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-09-14 11:16 . 2008-09-14 11:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-14 11:13 . 2008-09-14 11:13 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
    2008-09-10 22:59 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2008-09-10 22:59 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2008-09-10 22:51 . 2008-09-10 22:51 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-09-10 22:51 . 2008-09-10 22:51 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-09-10 22:03 . 2007-08-13 18:06 56,700 --a------ C:\WINDOWS\system32\ieuinit.inf
    2008-09-10 22:03 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
    2008-09-10 22:03 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
    2008-09-10 21:52 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2008-09-10 21:52 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp(3).dll
    2008-09-10 21:52 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2008-09-10 21:51 . 2008-07-18 22:09 215,752 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-09-10 21:51 . 2008-07-18 22:09 215,752 --a--c--- C:\WINDOWS\system32\dllcache\wuaucpl.cpl
    2008-09-10 21:47 . 2008-09-10 21:47 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\SUPERAntiSpyware.com
    2008-09-10 21:47 . 2008-09-10 21:47 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\Apple Computer
    2008-09-10 21:46 . 2008-08-05 16:28 <DIR> d-------- C:\Documents and Settings\Bob Loblaw\Application Data\DivX
    2008-09-10 21:46 . 2008-09-14 20:29 <DIR> d-------- C:\Documents and Settings\Bob Loblaw
    2008-09-10 21:40 . 2003-03-31 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-09-10 21:39 . 2004-08-04 00:56 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
    2008-09-10 21:38 . 2004-08-04 00:56 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
    2008-09-10 21:37 . 2008-07-18 22:09 1,811,656 --a------ C:\WINDOWS\system32\wuaueng.dll
    2008-09-10 21:36 . 2004-08-03 22:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2008-09-10 21:36 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2008-09-10 21:35 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
    2008-09-10 21:35 . 2004-08-04 01:01 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
    2008-09-10 21:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
    2008-09-10 21:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
    2008-09-10 21:35 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2008-09-10 21:35 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser(2).dll
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Program Files\iTunes
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Program Files\iPod
    2008-09-10 18:36 . 2008-09-10 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-09-10 18:35 . 2008-09-10 18:35 <DIR> d-------- C:\Program Files\QuickTime
    2008-09-10 18:34 . 2008-09-05 22:16 1,900,544 --a------ C:\WINDOWS\system32\usbaaplrc.dll
    2008-09-09 22:40 . 2008-09-09 22:40 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\MSN6
    2008-09-09 22:40 . 2008-09-09 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-09 18:08 . 2008-09-09 23:19 <DIR> d-------- C:\Program Files\PokerStars.NET

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-01 03:01 --------- d-----w C:\Program Files\PeerGuardian2
    2008-10-01 03:01 --------- d-----w C:\Documents and Settings\Jake\Application Data\uTorrent
    2008-09-28 10:44 --------- d-----w C:\Program Files\eMule
    2008-09-15 03:32 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-09-15 03:32 --------- d-----w C:\Documents and Settings\Jake\Application Data\SUPERAntiSpyware.com
    2008-09-11 01:35 --------- d-----w C:\Program Files\Common Files\Apple
    2008-09-10 06:28 --------- d-----w C:\Program Files\Audacity
    2008-09-06 05:16 36,864 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-09-04 00:50 --------- d-----w C:\Documents and Settings\Jake\Application Data\ImTOO Software Studio
    2008-09-04 00:28 --------- d-----w C:\Program Files\Avex
    2008-09-04 00:22 --------- d-----w C:\Program Files\E-Zsoft
    2008-09-04 00:21 --------- d-----w C:\Program Files\Common Files\Download Manager
    2008-09-04 00:10 --------- d-----w C:\Documents and Settings\Jake\Application Data\Apple Computer
    2008-09-03 23:30 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-20 06:31 --------- d-----w C:\Documents and Settings\Jake\Application Data\DivX
    2008-08-13 06:00 --------- d-----w C:\Program Files\Java
    2008-08-07 07:55 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    .

    ((((((((((((((((((((((((((((( [email protected]_17.59.35.10 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-10-06 17:30:43 495,616 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-10-06 17:30:43 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-10-06 17:30:42 495,616 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-10-06 17:30:42 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
    "nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "hwxkor32"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6717:TCP"= 6717:TCP:messenger

    S4 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib [ ]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-07 00:34:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-07 0:35:08
    ComboFix-quarantined-files.txt 2008-10-07 07:35:02
    ComboFix2.txt 2008-10-01 05:54:04
    ComboFix3.txt 2008-09-30 00:59:44

    Pre-Run: 245,770,371,072 bytes free
    Post-Run: 245,762,646,016 bytes free

    156 --- E O F --- 2008-08-07 16:47:52



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:36:44 AM, on 10/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3837 bytes
     
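    The ComboFix log in the post above still carries the entry that this thread is about: `S4 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib`, a service whose image path is rundll32 loading a DLL export rather than a service executable, plus a disabled-state override for the same key name under `msconfig\services`. The Python below is an added example, not code from ComboFix, HijackThis or either poster. It parses ComboFix's service-line format (`<R|S><start type> <key name>;<display name>;<image path> [date size]`) and the `"name"=N (0xN)` lines under `msconfig\services`, flags every service hosted through rundll32, and resolves a display name to the key name, which is the first field and the name the second CFScript in this thread uses where the first used `HWXKOR`. Assumptions: the start-type digits are taken to follow the Windows service control manager numbering (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and the `NVSvc` and `mbamswissarmy` lines in the sample are constructed to give the parser benign entries to pass over.

    ```python
    """Flag rundll32-hosted services in ComboFix-style 'Reg Loading Points' output.

    Added example for this thread; not ComboFix, HijackThis or forum code.
    """
    import re
    from dataclasses import dataclass
    from typing import Dict, List, Optional

    # Assumed to follow the Windows service control manager start-type values.
    START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

    # <R|S><start> <key name>;<display name>;<image path> [date size]
    SERVICE_RE = re.compile(
        r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
        r"(?P<image>.*?)\s*\[[^\]]*\]\s*$"
    )
    # "hwxkor32"=2 (0x2)  under the msconfig\services key
    MSCONFIG_SVC_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>\d+) \(0x[0-9a-fA-F]+\)$')
    # rundll32[.exe] <path>.dll,<export>
    RUNDLL_RE = re.compile(
        r"^rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S+)", re.IGNORECASE
    )

    # Constructed sample in the format of the thread's log; the hwxkor32 lines mirror
    # the posted ones, the NVSvc and mbamswissarmy lines are made up as benign entries.
    SAMPLE_LOG = r"""
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "hwxkor32"=2 (0x2)

    S4 hwxkor32;HWXKOR - IV - Desktop;rundll32.exe C:\WINDOWS\system32\hwxkor32.dll,yjib [ ]
    R2 NVSvc;NVIDIA Display Driver Service;C:\WINDOWS\system32\nvsvc32.exe [2007-12-05 01:41]
    S3 mbamswissarmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 00:04]
    """


    @dataclass
    class Service:
        name: str        # registry key name; the field a Driver:: script names
        display: str     # human-readable display name, not usable as a key
        image: str       # image path / command line as ComboFix printed it
        running: bool    # R = running, S = stopped
        start_type: str


    def parse_services(text: str) -> List[Service]:
        """Return every ComboFix service line found in the log."""
        services = []
        for line in text.splitlines():
            m = SERVICE_RE.match(line.strip())
            if m:
                services.append(Service(
                    name=m["name"], display=m["display"], image=m["image"].strip(),
                    running=m["state"] == "R", start_type=START_TYPES[m["start"]],
                ))
        return services


    def parse_msconfig_services(text: str) -> Dict[str, int]:
        """Map key name -> value recorded under the msconfig\\services section."""
        result, in_section = {}, False
        for line in text.splitlines():
            s = line.strip()
            if s.startswith("["):
                in_section = s.lower().endswith("msconfig\\services]")
                continue
            if in_section:
                m = MSCONFIG_SVC_RE.match(s)
                if m:
                    result[m["name"]] = int(m["value"])
        return result


    def find_dll_hosted_services(text: str) -> List[dict]:
        """Flag services whose image path is rundll32 loading a DLL export."""
        overrides = parse_msconfig_services(text)
        findings = []
        for svc in parse_services(text):
            m = RUNDLL_RE.match(svc.image)
            if not m:
                continue  # a normal service names an executable or .sys driver
            findings.append({
                "service_key": svc.name,
                "display_name": svc.display,
                "dll": m["dll"].strip(),
                "export": m["export"],
                "start_type": svc.start_type,
                "running": svc.running,
                "msconfig_override": overrides.get(svc.name),
            })
        return findings


    def service_key_for(text: str, label: str) -> Optional[str]:
        """Resolve a key name or exact display name (case-insensitive) to the key name."""
        for svc in parse_services(text):
            if label.lower() in (svc.name.lower(), svc.display.lower()):
                return svc.name
        return None


    if __name__ == "__main__":
        for f in find_dll_hosted_services(SAMPLE_LOG):
            print(f"{f['service_key']}: {f['dll']},{f['export']} "
                  f"({f['start_type']}, msconfig={f['msconfig_override']})")
    ```

    Run against a full ComboFix log the script reports only the rundll32-hosted entries, and the `service_key` field is the value to carry into any further cleanup; a name such as `HWXKOR` resolves to nothing here because it matches neither the key name nor the full display name.
    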
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,014
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    Driver::
    hwxkor32 
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     
  15. jakemachine

    jakemachine Thread Starter

    Joined:
    Feb 26, 2008
    Messages:
    18
    ComboFix 08-10-06.05 - Jake 2008-10-11 22:06:31.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1689 [GMT -7:00]
    Running from: C:\Documents and Settings\Jake\Desktop\Combo-Fix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-12 to 2008-10-12 )))))))))))))))))))))))))))))))
    .

    2008-10-07 01:02 . 2008-06-13 04:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-10-07 00:53 . 2008-10-07 00:53 <DIR> d-------- C:\WINDOWS\system32\en
    2008-10-07 00:50 . 2008-10-07 00:50 0 --a----t- C:\WINDOWS\005601_.tmp
    2008-10-07 00:47 . 2008-04-13 17:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
    2008-10-06 10:30 . 2008-10-06 10:30 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-10-01 22:56 . 2008-10-01 22:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-01 22:56 . 2008-10-01 22:56 <DIR> d-------- C:\Documents and Settings\Jake\Application Data\Malwarebytes
    2008-10-01 22:56 . 2008-10-01 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-01 22:56 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-01 22:56 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-29 23:24 . 2008-09-29 23:24 754 --a------ C:\WINDOWS\WORDPAD.INI
    2008-09-29 12:22 . 2008-09-29 12:22 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 15:57 . 2008-08-05 16:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
    2008-09-22 15:57 . 2008-09-22 15:57 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-22 15:45 . 2008-09-22 15:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-22 15:45 . 2008-09-22 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-15 18:53 . 2008-09-22 21:21 <DIR> d-------- C:\Program Files\PokerStars
    2008-09-15 14:24 . 2008-09-29 12:10 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-12 02:47 --------- d-----w C:\Documents and Settings\Jake\Application Data\uTorrent
    2008-10-08 00:50 --------- d-----w C:\Program Files\PeerGuardian2
    2008-10-07 13:14 --------- d-----w C:\Program Files\uTorrent
    2008-09-28 10:44 --------- d-----w C:\Program Files\eMule
    2008-09-15 03:32 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-09-15 03:32 --------- d-----w C:\Documents and Settings\Jake\Application Data\SUPERAntiSpyware.com
    2008-09-11 04:47 --------- d-----w C:\Documents and Settings\Bob Loblaw\Application Data\SUPERAntiSpyware.com
    2008-09-11 04:47 --------- d-----w C:\Documents and Settings\Bob Loblaw\Application Data\Apple Computer
    2008-09-11 01:36 --------- d-----w C:\Program Files\iTunes
    2008-09-11 01:36 --------- d-----w C:\Program Files\iPod
    2008-09-11 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-09-11 01:35 --------- d-----w C:\Program Files\QuickTime
    2008-09-11 01:35 --------- d-----w C:\Program Files\Common Files\Apple
    2008-09-10 06:28 --------- d-----w C:\Program Files\Audacity
    2008-09-10 06:19 --------- d-----w C:\Program Files\PokerStars.NET
    2008-09-10 05:40 --------- d-----w C:\Documents and Settings\Jake\Application Data\MSN6
    2008-09-10 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-06 05:16 36,864 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2008-09-06 05:16 1,900,544 ----a-w C:\WINDOWS\system32\usbaaplrc.dll
    2008-09-04 00:50 --------- d-----w C:\Documents and Settings\Jake\Application Data\ImTOO Software Studio
    2008-09-04 00:28 --------- d-----w C:\Program Files\Avex
    2008-09-04 00:22 --------- d-----w C:\Program Files\E-Zsoft
    2008-09-04 00:21 --------- d-----w C:\Program Files\Common Files\Download Manager
    2008-09-04 00:10 --------- d-----w C:\Documents and Settings\Jake\Application Data\Apple Computer
    2008-09-03 23:30 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-20 06:31 --------- d-----w C:\Documents and Settings\Jake\Application Data\DivX
    2008-08-13 06:00 --------- d-----w C:\Program Files\Java
    2008-08-07 07:55 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
    "nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2008-04-13 17:12 1695232 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "hwxkor32"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6717:TCP"= 6717:TCP:messenger

    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\cvvmpdi5.default\
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-11 22:07:09
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-11 22:07:37
    ComboFix-quarantined-files.txt 2008-10-12 05:07:32
    ComboFix2.txt 2008-10-12 04:56:33
    ComboFix3.txt 2008-10-07 07:35:09
    ComboFix4.txt 2008-10-01 05:54:04
    ComboFix5.txt 2008-10-12 05:06:27

    Pre-Run: 238,513,491,968 bytes free
    Post-Run: 238,501,912,576 bytes free

    126 --- E O F --- 2008-08-07 16:47:52



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:08:35 PM, on 10/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210210042450
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 3838 bytes
     
Short URL to this thread: https://techguy.org/752427