Hello, I copied, pasted & saved as CFScript, dragged it into Combofix.exe.
I found the resulting log in C:\ComboFix\ComboFix.txt.
It looks similar to the last combofix log.
Take a look, I don't know what is going wrong.
ComboFix 07-12-31.4 - Kauluwehi 2008-01-08 11:33:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.150 [GMT -10:00]
Running from: C:\Documents and Settings\Kauluwehi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kauluwehi\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\1276.tmp
C:\1A9B.tmp
C:\22CE.tmp
C:\719.tmp
C:\A4C.tmp
C:\B3B.tmp
C:\E86.tmp
C:\WINDOWS\system32\aipvnsyo.dll
C:\WINDOWS\system32\axrbymcw.ini
C:\WINDOWS\system32\drivers\jxptloigjakn.sys
C:\WINDOWS\system32\ekchgkeb.ini
C:\WINDOWS\system32\emladbcu.dll
C:\WINDOWS\system32\gnttxyoy.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\hhyidaxk.ini
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\laiwdotd.ini
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.exe
C:\WINDOWS\system32\psnyeugk.ini
C:\WINDOWS\system32\rqwnalhn.ini
C:\WINDOWS\system32\wyvtkfdy.dll
C:\WINDOWS\system32\ydfktvyw.ini
.
/wow section - STAGE 3
/wow section - STAGE 4
/wow section - STAGE 5
/wow section - STAGE 7
/wow section - STAGE 8
/wow section - STAGE 9
/wow section - STAGE 19
/wow section - STAGE 30
/wow section - STAGE 33
/wow section - STAGE 36
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\1276.tmp
C:\1A9B.tmp
C:\22CE.tmp
C:\719.tmp
C:\A4C.tmp
C:\B3B.tmp
C:\E86.tmp
C:\WINDOWS\system32\aipvnsyo.dll
C:\WINDOWS\system32\axrbymcw.ini
C:\WINDOWS\system32\drivers\jxptloigjakn.sys
C:\WINDOWS\system32\ekchgkeb.ini
C:\WINDOWS\system32\emladbcu.dll
C:\WINDOWS\system32\gnttxyoy.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\hhyidaxk.ini
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\laiwdotd.ini
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.exe
C:\WINDOWS\system32\psnyeugk.ini
C:\WINDOWS\system32\rqwnalhn.ini
C:\WINDOWS\system32\ydfktvyw.ini
C:\WINDOWS\system32\pmkjj.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.
2008-01-08 11:47 . 2008-01-08 11:47 388,608 --a------ C:\WINDOWS\system32\cmd .exe
2008-01-08 11:47 . 2008-01-08 11:47 337,920 --------- C:\WINDOWS\system32\pmkjj.dll
2008-01-08 04:59 . 2008-01-08 05:02 77,888 --a------ C:\WINDOWS\system32\yuxxdens.dll
2008-01-08 04:58 . 2008-01-08 11:49 1,044,875 ---hs---- C:\WINDOWS\system32\pasoyplt.ini
2008-01-08 04:56 . 2008-01-08 04:58 90,176 --a------ C:\WINDOWS\system32\tlpyosap.dll
2008-01-08 04:51 . 2008-01-08 04:55 1,044,575 --ahs---- C:\WINDOWS\system32\boqqvtef.ini
2008-01-08 04:41 . 2008-01-08 04:42 77,888 --a------ C:\WINDOWS\system32\lxchbmbb.dll
2008-01-05 07:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 17:34 . 2008-01-04 17:34 <DIR> d-------- C:\Deckard
2008-01-04 17:28 . 2008-01-04 17:28 <DIR> d-------- C:\ie-spyad_zo
2008-01-04 17:18 . 2008-01-04 17:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-04 17:18 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-04 16:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-02 18:57 . 2008-01-08 11:50 24,679 --a------ C:\logfile
2008-01-02 18:45 . 2008-01-02 18:45 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-01-02 18:43 . 2008-01-02 18:43 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-01-02 18:40 . 2008-01-02 18:45 <DIR> d-------- C:\Program Files\Kodak
2008-01-02 18:39 . 2008-01-02 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-30 13:35 . 2008-01-04 16:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 13:35 . 2008-01-04 16:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-27 09:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 09:41 . 2007-12-27 09:43 <DIR> d-------- C:\Program Files\Java
2007-12-27 09:41 . 2007-12-27 09:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 18:45 . 2007-01-18 02:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-25 17:17 . 2007-12-25 17:17 75 --a------ C:\WINDOWS\WININIT.INI
2007-12-25 17:03 . 2007-12-25 17:03 <DIR> d-------- C:\Program Files\X-Cleaner
2007-12-25 13:32 . 2008-01-08 11:48 53,248 --a------ C:\WINDOWS\system32\VTTimer .exe
2007-12-25 09:10 . 2007-12-30 10:51 <DIR> d-------- C:\VundoFix Backups
2007-12-25 08:35 . 2007-12-25 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2007-12-23 00:10 . 2008-01-08 11:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-23 00:10 . 2007-12-23 00:10 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:53, on 2008-01-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kauluwehi\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjj.exe
O2 - BHO: {c5fda177-ef63-fb4a-0594-f7b9550fe747} - {747ef055-9b7f-4950-a4bf-36fe771adf5c} - C:\WINDOWS\system32\yuxxdens.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A6160C36-B162-4E66-A8C2-A10704E4FEB8} - C:\WINDOWS\system32\pmkjj.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [265d8a8f] rundll32.exe "C:\WINDOWS\system32\tlpyosap.dll",b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177810849578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7676 bytes