Thank you for the help.
The ComboFix log is:
"nom" - 2007-07-09 8:19:17 - ComboFix 07-07-09.7 - Service Pack 4
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\system32\cclrojrg.dll
C:\WINNT\system32\haauvrsa.dll
C:\WINNT\system32\owkxsuan.dll
C:\WINNT\system32\ocxbblmf.exe
C:\WINNT\system32\tjucjeuk.exe
C:\WINNT\system32\awttttu.dll
C:\WINNT\system32\efcccda.dll
C:\WINNT\system32\hgghedc.dll
C:\WINNT\system32\khfcbcd.dll
C:\WINNT\system32\opnlifg.dll
C:\WINNT\system32\qomkkif.dll
C:\WINNT\system32\qomkljh.dll
C:\WINNT\system32\rqronkl.dll
C:\WINNT\system32\rqrpnnn.dll
C:\WINNT\system32\vtuttrq.dll
C:\WINNT\system32\vtuusqo.dll
C:\WINNT\system32\grjorlcc.ini
C:\WINNT\system32\jmllm.bak1
C:\WINNT\system32\jmllm.bak2
C:\WINNT\system32\jmllm.ini
C:\WINNT\system32\mllmj.dll
C:\WINNT\system32\qomnmnk.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))
2007-07-09 08:18 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-08 12:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-07-08 12:04 <DIR> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-07-07 18:42 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-07 18:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-07-07 16:03 <DIR> d-------- C:\Program Files\THQ
2007-07-07 16:02 <DIR> d-------- C:\DOCUME~1\nom\APPLIC~1\InstallShield
2007-07-07 12:57 <DIR> d-------- C:\download
2007-07-06 17:10 <DIR> d--h----- C:\WINNT\PIF
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-08 16:05:08 -------- d-----w C:\Program Files\Lavasoft
2007-07-08 16:05:04 -------- d-----w C:\DOCUME~1\nom\APPLIC~1\Lavasoft
2007-07-08 03:33:04 -------- d-----w C:\Program Files\MSN Messenger
2007-07-07 20:03:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 13:32:48 -------- d-----w C:\Program Files\NSRCG
2007-07-07 13:31:29 -------- d-----w C:\Program Files\MAIET
2007-07-06 12:19:15 -------- d-----w C:\Program Files\SoulSeek
2007-07-05 21:29:38 -------- d-----w C:\Program Files\mIRC
2007-07-02 16:49:54 -------- d-----w C:\Program Files\Zoom Player
2007-06-22 03:01:58 -------- d-----w C:\DOCUME~1\nom\APPLIC~1\uTorrent
2007-06-22 00:51:20 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-06-04 19:18:48 9,344 ----a-w C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINNT\system32\drivers\AWRTPD.sys
2007-06-02 23:40:07 120 ----a-w C:\drmHeader.bin
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:23 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe
2007-04-11 00:17:04 20,205 ----a-w C:\WINNT\mozver.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
03-11-03 18:17 54248 --a------ C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
07-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c1ce531-09e9-4fc5-9803-1c2956615786}]
07-05-18 07:12 112128 --a------ C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
03-05-15 01:03 147456 --a------ C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [02-01-15 11:06 C:\WINNT\system32\nwiz.exe]
"AHQInit"="C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe" [01-05-10 12:49 ]
"ATIPTA"="C:\Program Files\ATI Technologies\Panneau de contrôle ATI\atiptaxx.exe" []
"LoadQM"="loadqm.exe" [00-05-03 18:23 C:\WINNT\loadqm.exe]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [02-10-17 20:15 ]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [02-11-27 09:58 ]
"CreateCD50"="C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.exe" [02-11-27 09:58 ]
"hpsjbmgr"="C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe" []
"MessengerPlus3"="C:\Program Files\Messenger Plus! 3\MsgPlus.exe" [06-09-28 22:03 ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" [05-07-15 14:48 ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [07-04-22 09:00 ]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [06-12-11 20:36 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-02-16 10:54 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07-05-18 07:12 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-14 20:30 C:\WINNT\system32\internat.exe]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [02-05-02 09:57 ]
"MessengerPlus3"="C:\Program Files\Messenger Plus! 3\MsgPlus.exe" [06-09-28 22:03 ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [05-03-29 18:28 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 08:26:23
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-09 8:28:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-09 08:27
--- E O F ---
And the new HijackThis log is:
Logfile of HijackThis v1.99.1
Scan saved at 08:33:29, on 2007-07-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\ATI Technologies\Panneau de contrôle ATI\atiptaxx.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Fichiers communs\Real\Update_OB\rnathchk.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nom\Application Data\Mozilla\Profiles\default\k31s9osi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\Panneau de contrôle ATI\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\FICHIE~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/game...s/y/cct0_x.cab
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelgraphics.com/bin/cortvrml10.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://cs8.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
Thank you again,
JN