Hi Bruce, thank you for responding.
Here are the logs.
I have antivirus installed on other PCs on this network.
But not this one. A bad move on my part.
MarkB
ComboFix 08-01-09.2 - MarkB 2008-01-08 20:11:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.411 [GMT -6:00]
Running from: C:\Documents and Settings\MarkB\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET\??crosoft.NET\
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET\ping .exe
C:\Documents and Settings\MarkB\Application Data\CROSOF~1.NET\ping.exe
C:\Documents and Settings\MarkB\Application Data\YMBOLS~1
C:\Documents and Settings\MarkB\Start Menu\Programs\Outerinfo
C:\Documents and Settings\MarkB\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\MarkB\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\system32\cbxxxxx.dll
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\RCX21.tmp
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX2A.tmp
C:\WINDOWS\system32\RCX2C.tmp
C:\WINDOWS\system32\RCX2D.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\RCX3F.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.exe
C:\WINDOWS\system32\wapisvit32.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe ---> CLIStart.exe
C:\Program Files\DAEMON Tools\daemon .exe ---> daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd .exe ---> HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper .exe ---> iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> jusched.exe
C:\Program Files\Messenger\msmsgs .exe ---> msmsgs.exe
C:\Program Files\Router\Router .exe ---> Router.exe
C:\Program Files\SpywareBot\SpywareBot .exe ---> SpywareBot.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.
2008-01-08 20:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 04:02 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 03:28 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-08 03:28 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-08 03:28 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-08 03:09 . 2008-01-08 03:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-07 19:36 . 2008-01-07 19:36 37,027 --a------ C:\WINDOWS\atmoUn.exe
2008-01-07 03:38 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-07 03:17 . 2007-06-26 00:08 1,104,896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-01-06 20:46 . 2006-05-19 06:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-01-06 20:46 . 2006-05-19 06:59 94,720 -----c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-01-06 20:45 . 2008-01-08 04:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-06 20:45 . 2007-08-21 00:15 683,520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-01-06 20:45 . 2007-04-25 08:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-01-06 20:31 . 2008-01-06 20:31 <DIR> d-------- C:\Deckard
2008-01-06 20:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-06 20:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-06 20:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-06 20:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-06 19:59 . 2008-01-06 19:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-06 19:59 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-06 18:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-06 18:40 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vmkyrcnnhiau.sys
2008-01-06 18:02 . 2008-01-06 19:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 18:02 . 2008-01-06 18:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-06 18:02 . 2008-01-06 18:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-06 18:02 . 2008-01-06 18:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-02 20:18 . 2008-01-03 05:28 <DIR> d-------- C:\VundoFix Backups
2008-01-01 14:39 . 2008-01-08 20:19 <DIR> d-------- C:\Program Files\SpywareBot
2008-01-01 14:39 . 2008-01-06 20:42 <DIR> d-------- C:\Documents and Settings\MarkB\Application Data\SpywareBot
2007-12-31 12:49 . 2007-12-31 13:14 <DIR> d--hs---- C:\WINDOWS\TWFyayBCcmFiYW50
2007-12-31 12:43 . 2007-12-31 12:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 12:06 . 2007-12-31 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 11:54 . 2007-12-31 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 11:35 . 2007-12-31 12:32 <DIR> d-------- C:\Program Files\STOPzilla!
2007-12-31 11:35 . 2007-12-31 11:35 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-31 11:35 . 2007-12-31 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-31 11:14 . 2007-12-31 12:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-30 21:49 . 2007-12-31 11:08 2,012 --ah----- C:\Documents and Settings\All Users\Application Data\index0.dat
2007-12-30 21:47 . 2007-12-30 21:47 <DIR> d-------- C:\WINDOWS\mobgslti
2007-12-30 21:30 . 2007-12-31 13:27 380,416 --a------ C:\WINDOWS\mrofinu11.exe.tmp
2007-12-28 19:46 . 2007-12-28 19:46 <DIR> d-------- C:\Program Files\Disney
2007-12-28 10:04 . 2007-12-28 10:04 19,088 --a------ C:\Documents and Settings\MarkB\Application Data\GDIPFONTCACHEV1.DAT
2007-12-26 21:24 . 2007-12-26 21:24 3,470,360 --a------ C:\fallout_boy_saturday.mp3
2007-12-15 10:39 . 2007-12-17 18:44 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 02:19 --------- d-----w C:\Program Files\iTunes
2008-01-09 02:19 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-09 02:18 --------- d-----w C:\Program Files\QuickTime
2008-01-08 01:36 --------- d-----w C:\Documents and Settings\MarkB\Application Data\AdobeUM
2008-01-07 00:50 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2008-01-06 03:48 --------- d-----w C:\Documents and Settings\MarkB\Application Data\U3
2007-12-31 18:37 10 ----a-w C:\Program Files\.autoreg
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2005-07-29 22:24 472 --sha-r C:\WINDOWS\TWFyayBCcmFiYW50\nqIVuV1FwAI2sqcX.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2A7AA16-678C-3F59-895A-3CE672845892}]
C:\WINDOWS\system32\owvq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffe58e9d-4cfe-42ac-b8d1-7c4360891611}]
C:\WINDOWS\system32\eqcyjdbv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-08 05:30 1694208]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-08 05:29 171464]
"Trto"="C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" [ ]
"Llsbjso"="C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [2008-01-08 05:30 6362352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2008-01-08 05:29 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-08 05:29 241664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-08 05:29 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-08 05:29 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 05:29 271672]
"f49fc3c0"="C:\WINDOWS\system32\ogurxwit.dll" [ ]
C:\Documents and Settings\MarkB\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2006-05-23 15:17:00]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1b47c87-3a5d-11dc-89f5-001217699e83}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 19:50:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-09 02:20:20 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-08 20:20:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-08 20:22:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 02:22:08
.
2008-01-08 10:24:58 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:06 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MarkB\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C2A7AA16-678C-3F59-895A-3CE672845892} - C:\WINDOWS\system32\owvq.dll (file missing)
O2 - BHO: {11619806-34c7-1d8b-ca24-efc4d9e85eff} - {ffe58e9d-4cfe-42ac-b8d1-7c4360891611} - C:\WINDOWS\system32\eqcyjdbv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f49fc3c0] rundll32.exe "C:\WINDOWS\system32\ogurxwit.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Trto] "C:\DOCUME~1\MarkB\APPLIC~1\CROSOF~1.NET\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Llsbjso] "C:\Documents and Settings\MarkB\Application Data\?ymbols\w?nlogon.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1167322382734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199222661218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 6347 bytes