Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Help Help
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2 >
 
Thread Tools
Old 12-24-2007, 11:11 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 31
OS: xp service pak 2


Help
my computer isnt running correctly. Can you check my HJT log and tell me whats wrong?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:09 AM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\command.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Pure Networks\Network Magic\nmapp .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr .exe
C:\Program Files\Common Files\DriveCleaner Free\udcpas .exe
C:\Program Files\NavNT\vptray .exe
C:\WINDOWS\explorer.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAble\winable .exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bill.DEMPSEY-1\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\tusqn.exe
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr .exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas .exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [48c4a7f3] rundll32.exe "C:\WINDOWS\system32\mfenokdq.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean .exe" -startminimize
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\ned.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Awola\Awola.exe" /MIN
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iaW4gRGVtcHNleQ\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 7077 bytes
wvdemp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-25-2007, 03:53 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help
www.bleepingcomputer.com
www.forospyware.com
www.geekstogo.com

1. Please choose from any of the above links. Download the file & Save it to Desktop.

2. Double click on ComboFix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-25-2007, 05:41 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 31
OS: xp service pak 2


Re: Help
here is the combofix log:

ComboFix 07-12-26.3 - Bill 2007-12-25 17:11:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.59 [GMT -6:00]
Running from: C:\Documents and Settings\Bill.DEMPSEY-1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS.\documents\settings\config.ini
C:\Documents and Settings\All Users.WINDOWS.\documents\settings\ivn4.dll
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Awola
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Awola\Awola001.bas
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Awola\settings.ini
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\DriveCleaner Free
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\ned.exe
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Games\GamesOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Games\GamesOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\PreferencesLayout.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Manager\ManagerOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Movies\MoviesOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Reference\ReferenceOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Weather\AlertArchive.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Weather\WeatherOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Awola
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Awola\Awola Anti-Spyware 6.0.lnk
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Awola\Uninstall Awola Anti-Spyware 6.0.lnk
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\NetMon\log.txt
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\DriveCleaner Free\udcpas .exe
C:\Program Files\Common Files\drivecleaner free\udcpas .exe
C:\Program Files\Common Files\drivecleaner free\udcpas.exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr .exe
C:\Program Files\Common Files\drivecleaner free\udcsdr .exe
C:\Program Files\Common Files\drivecleaner free\udcsdr.exe
C:\Program Files\fnts~1
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive8.dll
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule10 .exe
C:\Program Files\QdrModule\QdrModule10.exe
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Registry Cleaner Trial\Regclean .exe
C:\Program Files\Router\Router.exe
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\SpyHeals
C:\Program Files\SpyHeals\ignored.lst
C:\Program Files\SpyHeals\SpyHeals.exe
C:\Program Files\SpyHeals\sq.ini
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Program Files\WinAble\winable .exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\WinAble\winable.exe.lzma
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\cmhtdkfr.dll
C:\WINDOWS\system32\ejrakmeg.ini
C:\WINDOWS\system32\gemkarje.dll
C:\WINDOWS\system32\ibrhnrnw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfenokdq.dll
C:\WINDOWS\system32\nqsut.ini
C:\WINDOWS\system32\nqsut.ini2
C:\WINDOWS\system32\pmsewuog.dll
C:\WINDOWS\system32\qdkonefm.ini
C:\WINDOWS\system32\qomnopn.dll
C:\WINDOWS\system32\rasqervy.dll
C:\WINDOWS\system32\sdfinacs.dll
C:\WINDOWS\system32\tusqn.dll
C:\WINDOWS\system32\tusqn.exe
C:\WINDOWS\system32\upwgcoaj.dll
C:\WINDOWS\system32\wnrnhrbi.dll
C:\WINDOWS\system32\wuasirvy.dll
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\\asappsrv.dll
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\\command.exe
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\\oA62uqb0l3pQwJh5yk.vbs
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\command.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\All Users.WINDOWS.\documents\settings

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-26 18:04 . 2007-12-26 18:04 <DIR> d--hs---- C:\found.016
2007-12-25 16:41 . 2007-12-25 16:41 <DIR> d-------- C:\Deckard
2007-12-25 16:24 . 2007-12-25 16:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-25 16:24 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-25 15:36 . 2007-12-25 15:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-25 15:36 . 2007-12-25 15:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-25 15:36 . 2007-12-25 15:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-25 15:36 . 2007-12-25 15:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-24 23:06 . 2007-12-24 23:06 0 --ahs---- C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\13bb28aa24e6e9bcbf768ad49e16e911ac4f2041.dat
2007-12-24 19:13 . 2007-12-24 19:13 12,800 --a------ C:\winqvne.exe
2007-12-24 19:05 . 2007-12-24 19:05 8,711 --a------ C:\winobxk.exe
2007-12-24 19:04 . 2007-12-24 19:04 8,711 --a------ C:\winsdbt.exe
2007-12-24 18:39 . 2007-12-24 18:39 0 --a------ C:\WINDOWS\system32\hidrwupd.dll
2007-12-24 17:50 . 2007-12-26 17:13 5 --a------ C:\WINDOWS\system32\sdfixwcs.dll
2007-12-21 13:42 . 2007-12-24 17:50 382,464 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2007-12-14 19:28 . 2007-12-26 17:43 <DIR> d-------- C:\Program Files\Router
2007-12-10 00:13 . 2007-12-10 00:13 17,920 --a------ C:\WINDOWS\msacm32.drv
2007-12-08 11:16 . 2007-12-08 11:47 <DIR> d-------- C:\Documents and Settings\Robin\Birds Dec 07

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 23:43 --------- d-----w C:\Program Files\SpywareBot
2007-12-26 23:43 --------- d-----w C:\Program Files\Registry Cleaner Trial
2007-12-26 23:43 --------- d-----w C:\Program Files\QuickTime
2007-12-26 23:43 --------- d-----w C:\Program Files\NavNT
2007-12-26 23:43 --------- d-----w C:\Program Files\iTunes
2007-12-25 21:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-25 21:51 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2007-12-19 17:24 --------- d-----w C:\Program Files\PartyGaming
2007-11-25 19:59 --------- d-----w C:\Program Files\Apple Software Update
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 19:47 --------- d-----w C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Apple Computer
2007-10-30 01:59 --------- d--h--w C:\Program Files\Installshield Installation Information
2007-10-30 01:40 --------- d-----w C:\Program Files\Java
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-06-23 20:03 49,498 ----a-w C:\Program Files\popcorn Terms.html
2006-01-04 14:10 271 -csh--w C:\Program Files\desktop.ini
2006-01-04 14:10 21,952 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"License Manager"="C:\Program Files\License_Manager\license_manager.exe" []

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-04 13:57:36]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-16 14:27:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ivn4reg]
C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\ivn4.dll

R2 Fix-It Task Manager;Fix-It Task Manager;C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe [2001-07-31 10:25]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 21:31]
S3 EraserUtilDrv10614;EraserUtilDrv10614;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10614.sys []
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\WINDOWS\system32\Drivers\GPWADrv.sys []
S3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 15:29:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-25 17:20:01 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 18:29:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 18:32:16 - machine was rebooted
.
2007-12-21 09:02:29 --- E O F ---


Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:03 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Bill.DEMPSEY-1\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavHook Object - {07D7F044-2F5F-41B2-BAA5-936814AF0163} - C:\Program Files\Pure Networks\Network Magic\nmbrhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: ivn4reg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\ivn4.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 5433 bytes
wvdemp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-26-2007, 02:42 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help
It's likely that quite a few of your legit files have got infected. Please carry out the instructions from this page :> click here
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-26-2007, 01:50 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 31
OS: xp service pak 2


Re: Help
the log is attatched
Attached Files
File Type: txt Log.txt (861 Bytes, 3 views)
wvdemp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-26-2007, 01:55 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help
All of those files got renamed by the infection. It added an extra space into the filename.

Example:

Original Name: "Reader_sl.exe"
Name modified by the infection: "Reader_sl .exe"

Please download & save to Desktop, this tool :> http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\NavNT\vptray .exe
C:\Program Files\Pure Networks\Network Magic\nmapp .exe
C:\Program Files\QuickTime\qttask .exe
Save this as Log.txt





Refering to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a log for you. Post that log in your next reply.
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-27-2007, 03:22 PM   #7 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 31
OS: xp service pak 2


Re: Help
Code:
Ran on Fri 12/28/2007 - 16:12:34.75

----a-w           137,728 2007-12-25 00:31:06  C:\Program Files\Router\Router .exe
----a-w         8,527,872 2007-12-25 05:31:46  C:\Program Files\SpywareBot\SpywareBot .exe

 Entries:                2  (2)
 Directories:            0  Files:             2
 Bytes:          8,665,600  Blocks:       16,925
wvdemp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-27-2007, 04:12 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help
Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
  • SpyWareBot
    License Manager
    Registry Cleaner
Please note any other programs that you dont recognize in that list in your next response


---------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O20 - Winlogon Notify: ivn4reg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\ivn4.dll (file missing)


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/205596-help.html
Collect::
C:\winqvne.exe
C:\winobxk.exe
C:\winsdbt.exe
File::
C:\WINDOWS\system32\hidrwupd.dll
C:\WINDOWS\system32\sdfixwcs.dll
C:\WINDOWS\mrofinu72.exe.tmp
C:\Program Files\popcorn Terms.html
Folder::
C:\Program Files\Router
C:\Program Files\License_Manager
C:\Program Files\SpywareBot
C:\Program Files\Registry Cleaner 
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"License Manager"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ivn4reg]
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additonally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-28-2007, 07:29 PM   #9 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 31
OS: xp service pak 2


Re: Help
ok i did everything you said but when i tried to send the file to the bleepingcomputer site, it told me that the page cannot be displayed.

But here are the logs you wanted:

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:35 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bill.DEMPSEY-1\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavHook Object - {07D7F044-2F5F-41B2-BAA5-936814AF0163} - C:\Program Files\Pure Networks\Network Magic\nmbrhelp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 5346 bytes

ComboFix:

ComboFix 07-12-26.3 - Bill 2007-12-25 17:11:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.59 [GMT -6:00]
Running from: C:\Documents and Settings\Bill.DEMPSEY-1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS.\documents\settings\config.ini
C:\Documents and Settings\All Users.WINDOWS.\documents\settings\ivn4.dll
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Awola
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Awola\Awola001.bas
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Awola\settings.ini
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\DriveCleaner Free
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\ned.exe
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Games\GamesOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Games\GamesOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\PreferencesLayout.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Manager\ManagerOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Movies\MoviesOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Reference\ReferenceOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Weather\AlertArchive.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Weather\WeatherOptions.xml
C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Starware\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Awola
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Awola\Awola Anti-Spyware 6.0.lnk
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Awola\Uninstall Awola Anti-Spyware 6.0.lnk
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Bill.DEMPSEY-1\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Application Data\NetMon\log.txt
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\DriveCleaner Free\udcpas .exe
C:\Program Files\Common Files\drivecleaner free\udcpas .exe
C:\Program Files\Common Files\drivecleaner free\udcpas.exe
C:\Program Files\Common Files\DriveCleaner Free\udcsdr .exe
C:\Program Files\Common Files\drivecleaner free\udcsdr .exe
C:\Program Files\Common Files\drivecleaner free\udcsdr.exe
C:\Program Files\fnts~1
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive8.dll
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule10 .exe
C:\Program Files\QdrModule\QdrModule10.exe
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Registry Cleaner Trial\Regclean .exe
C:\Program Files\Router\Router.exe
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\SpyHeals
C:\Program Files\SpyHeals\ignored.lst
C:\Program Files\SpyHeals\SpyHeals.exe
C:\Program Files\SpyHeals\sq.ini
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Program Files\WinAble\winable .exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\WinAble\winable.exe.lzma
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\cmhtdkfr.dll
C:\WINDOWS\system32\ejrakmeg.ini
C:\WINDOWS\system32\gemkarje.dll
C:\WINDOWS\system32\ibrhnrnw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfenokdq.dll
C:\WINDOWS\system32\nqsut.ini
C:\WINDOWS\system32\nqsut.ini2
C:\WINDOWS\system32\pmsewuog.dll
C:\WINDOWS\system32\qdkonefm.ini
C:\WINDOWS\system32\qomnopn.dll
C:\WINDOWS\system32\rasqervy.dll
C:\WINDOWS\system32\sdfinacs.dll
C:\WINDOWS\system32\tusqn.dll
C:\WINDOWS\system32\tusqn.exe
C:\WINDOWS\system32\upwgcoaj.dll
C:\WINDOWS\system32\wnrnhrbi.dll
C:\WINDOWS\system32\wuasirvy.dll
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\\asappsrv.dll
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\\command.exe
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\\oA62uqb0l3pQwJh5yk.vbs
C:\WINDOWS\Um9iaW4gRGVtcHNleQ\command.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\All Users.WINDOWS.\documents\settings

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-26 18:04 . 2007-12-26 18:04 <DIR> d--hs---- C:\found.016
2007-12-25 16:41 . 2007-12-25 16:41 <DIR> d-------- C:\Deckard
2007-12-25 16:24 . 2007-12-25 16:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-25 16:24 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-25 15:36 . 2007-12-25 15:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-25 15:36 . 2007-12-25 15:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-25 15:36 . 2007-12-25 15:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-25 15:36 . 2007-12-25 15:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-24 23:06 . 2007-12-24 23:06 0 --ahs---- C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\13bb28aa24e6e9bcbf768ad49e16e911ac4f2041.dat
2007-12-24 19:13 . 2007-12-24 19:13 12,800 --a------ C:\winqvne.exe
2007-12-24 19:05 . 2007-12-24 19:05 8,711 --a------ C:\winobxk.exe
2007-12-24 19:04 . 2007-12-24 19:04 8,711 --a------ C:\winsdbt.exe
2007-12-24 18:39 . 2007-12-24 18:39 0 --a------ C:\WINDOWS\system32\hidrwupd.dll
2007-12-24 17:50 . 2007-12-26 17:13 5 --a------ C:\WINDOWS\system32\sdfixwcs.dll
2007-12-21 13:42 . 2007-12-24 17:50 382,464 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2007-12-14 19:28 . 2007-12-26 17:43 <DIR> d-------- C:\Program Files\Router
2007-12-10 00:13 . 2007-12-10 00:13 17,920 --a------ C:\WINDOWS\msacm32.drv
2007-12-08 11:16 . 2007-12-08 11:47 <DIR> d-------- C:\Documents and Settings\Robin\Birds Dec 07

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 23:43 --------- d-----w C:\Program Files\SpywareBot
2007-12-26 23:43 --------- d-----w C:\Program Files\Registry Cleaner Trial
2007-12-26 23:43 --------- d-----w C:\Program Files\QuickTime
2007-12-26 23:43 --------- d-----w C:\Program Files\NavNT
2007-12-26 23:43 --------- d-----w C:\Program Files\iTunes
2007-12-25 21:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-25 21:51 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2007-12-19 17:24 --------- d-----w C:\Program Files\PartyGaming
2007-11-25 19:59 --------- d-----w C:\Program Files\Apple Software Update
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 19:47 --------- d-----w C:\Documents and Settings\Bill.DEMPSEY-1\Application Data\Apple Computer
2007-10-30 01:59 --------- d--h--w C:\Program Files\Installshield Installation Information
2007-10-30 01:40 --------- d-----w C:\Program Files\Java
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-06-23 20:03 49,498 ----a-w C:\Program Files\popcorn Terms.html
2006-01-04 14:10 271 -csh--w C:\Program Files\desktop.ini
2006-01-04 14:10 21,952 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"License Manager"="C:\Program Files\License_Manager\license_manager.exe" []

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-04 13:57:36]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-16 14:27:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ivn4reg]
C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\ivn4.dll

R2 Fix-It Task Manager;Fix-It Task Manager;C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe [2001-07-31 10:25]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 21:31]
S3 EraserUtilDrv10614;EraserUtilDrv10614;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10614.sys []
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\WINDOWS\system32\Drivers\GPWADrv.sys []
S3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 15:29:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-25 17:20:01 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 18:29:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 18:32:16 - machine was rebooted
.
2007-12-21 09:02:29 --- E O F ---


Online Scan:

-------------------------------------------------------------------------------
wvdemp is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-28-2007, 11:32 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Help
Quote:
when i tried to send the file to the bleepingcomputer site, it told me that the page cannot be displayed.
Try clicking on this :> http://www.bleepingcomputer.com/subm....php?channel=4

Quote:
ComboFix 07-12-26.3 - Bill 2007-12-25 17:11:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.59 [GMT -6:00]
You posted the incorrect ComboFix log. This was the one from your previous run.


If you have done the Kaspersky scan, I would like to peruse the log that's produced
Last edited by sUBs : 12-28-2007 at 11:35 PM.
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-29-2007, 11:17 AM   #11 (permalink)
Registered User