   Mischel Internet Security Forum
   HJT log, Please check ASAP.
gurdeep (Newbie, Posts: 29)
« on: Apr 20th, 2008, 11:20pm »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:36 PM, on 4/20/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\ASUS\AASP\1.00.33\aaCenter.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\computer\Desktop\HJT\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.98.238.8:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =  
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {4F071945-F90F-4AE9-9B79-FCA5FDA5AC0D} - C:\Windows\system32\tuVPGYrR.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\gEwvvvwW.dll,#1
O4 - HKLM\..\Run: [18481239] "rundll32.exe" "C:\Windows\system32\dhntqkjq.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BM1b7b21a5] Rundll32.exe "C:\Windows\system32\pvyqphbb.dll",s
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherEye] "C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:  
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5252/mcfscan.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 12939 bytes
siliconman01 (Global Moderator, Posts: 5270)
« Reply #1 on: Apr 21st, 2008, 1:04am »
First of all, I assume that this HJT log is from a different computer than the computer on the other post you have. Is that correct?

At any rate, it is severely infected. Please do this:

1. Go to the link below and download program Combofix.exe and save it on your desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Temporarily de-activate all your security programs EXCEPT your software firewall.

3. Close down as many programs as you can (programs in the Notification Tray, next to the clock).

4. Close your browser.

5. Double click on Combofix.exe to execute it and follow the instructions.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

- When Combofix.exe is finished, it will save a log on your system.

6. Post the Combofix log back here.

7. Run HijackThis and post a HijackThis scan log back here. DO NOT fix anything with HJT...just post the scan log.

Also:

Your JAVA applet is severely out of date. For security reasons, you need to update this (C:\Program Files\Java\jre1.5.0_01\).

- Please go to the link below and install the latest Java JRE

http://java.sun.com/javase/downloads/index.jsp

- After the update is completed, go to your Control Panel > Add and Remove Programs. Uninstall any older version of Java. Unfortunately Java does not do this automatically.

In addition, your version of TrojanHunter is severely out of date.
 
« Last Edit: Apr 21st, 2008, 1:05am by siliconman01 »
gurdeep (Newbie, Posts: 29)
« Reply #2 on: Apr 21st, 2008, 11:33pm »

ComboFix 08-04-20.2 - computer 2008-04-21 20:33:40.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate   6.0.6000.0.1252.1.1033.18.1166 [GMT -7:00]
Running from: C:\Users\computer\Desktop\ComboFix.exe
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Windows\Downloaded Program Files\setup.inf
C:\Windows\System32\AaJmnnnn.ini
C:\Windows\System32\AaJmnnnn.ini2
C:\Windows\system32\ddcAtrsp.dll
C:\Windows\system32\gEwvvvwW.dll
C:\Windows\System32\LoqsvGgh.ini
C:\Windows\System32\LoqsvGgh.ini2
C:\Windows\System32\onWwvyxx.ini
C:\Windows\System32\onWwvyxx.ini2
C:\Windows\System32\RrYGPVut.ini
C:\Windows\System32\RrYGPVut.ini2
C:\Windows\system32\tuVPGYrR.dll
C:\Windows\System32\xGMWayay.ini
C:\Windows\System32\xGMWayay.ini2
 
.
(((((((((((((((((((((((((   Files Created from 2008-03-22 to 2008-04-22  )))))))))))))))))))))))))))))))
.
 
2082-07-02 16:30 . 2082-07-02 15:34  <DIR>  d--------  C:\Windows\Panther
2082-07-02 16:30 . 2008-01-09 22:07  <DIR>  d--hs----  C:\Boot
2082-07-02 16:30 . 2008-01-09 20:30  443,912  -rahs----  C:\bootmgr
2082-07-02 15:32 . 2008-04-13 14:11  <DIR>  d--------  C:\Windows\Debug
2008-04-18 19:01 . 2008-04-19 23:42  654  ---hs----  C:\Windows\System32\qjkqtnhd.ini
2008-04-17 19:48 . 2008-04-17 19:52  237,057  --a------  C:\Windows\System32\Office [Keygen].exe
2008-04-16 22:10 . 2008-04-16 22:10  <DIR>  d--------  C:\Program Files\Alwil Software
2008-04-16 22:10 . 2008-03-29 11:32  50,768  --a------  C:\Windows\System32\drivers\aswMonFlt.sys
2008-04-08 17:36 . 2008-02-28 21:16  2,027,008  --a------  C:\Windows\System32\win32k.sys
2008-04-08 17:35 . 2008-02-14 16:19  944,184  --a------  C:\Windows\System32\winload.exe
2008-04-08 17:35 . 2008-02-18 22:10  620,088  --a------  C:\Windows\System32\ci.dll
2008-04-08 17:35 . 2008-02-28 23:39  371,712  --a------  C:\Windows\System32\srcore.dll
2008-04-08 17:35 . 2008-02-28 23:38  313,856  --a------  C:\Windows\System32\rstrui.exe
2008-04-08 17:35 . 2008-02-28 23:39  40,960  --a------  C:\Windows\System32\srclient.dll
2008-04-08 17:35 . 2008-02-28 23:51  19,000  --a------  C:\Windows\System32\kd1394.dll
2008-04-08 17:35 . 2008-02-28 23:38  16,384  --a------  C:\Windows\System32\srdelayed.exe
2008-04-08 17:35 . 2008-02-28 23:34  7,168  --a------  C:\Windows\System32\f3ahvoas.dll
2008-04-08 17:35 . 2008-02-28 23:35  6,656  --a------  C:\Windows\System32\kbd106n.dll
2008-04-08 16:58 . 2008-04-08 16:58  <DIR>  d--------  C:\Users\dad\AppData\Roaming\vlc
2008-04-03 23:02 . 2008-04-03 23:02  524,288  --ahs----  C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{8f2119c1-020c-11dd-b39e-0015f294eb8b}.TMContainer00000000000000000002.regtrans-ms
2008-04-03 23:02 . 2008-04-03 23:02  524,288  --ahs----  C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{8f2119c1-020c-11dd-b39e-0015f294eb8b}.TMContainer00000000000000000001.regtrans-ms
2008-04-03 23:02 . 2008-04-03 23:02  65,536  --ahs----  C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{8f2119c1-020c-11dd-b39e-0015f294eb8b}.TM.blf
2008-03-27 00:04 . 2008-03-27 00:04  268  --ah-----  C:\sqmdata06.sqm
2008-03-27 00:04 . 2008-03-27 00:04  244  --ah-----  C:\sqmnoopt06.sqm
2008-03-26 23:16 . 2008-04-08 17:08  <DIR>  d--------  C:\Users\dad\AppData\Roaming\DivX
2008-03-26 10:17 . 2008-03-26 10:17  <DIR>  d--------  C:\Users\dad\AppData\Roaming\Apple Computer
2008-03-24 22:41 . 2008-04-11 20:38  <DIR>  d--------  C:\Program Files\LimeWire Acceleration Patch
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 03:23  ---------  d-----w  C:\Program Files\BitComet
2008-04-13 20:51  ---------  d-----w  C:\Users\computer\AppData\Roaming\LimeWire
2008-04-12 00:44  ---------  d-----w  C:\Program Files\Windows Mail
2008-03-17 13:00  ---------  d-----w  C:\Program Files\Free WMA to MP3 Converter
2008-03-16 07:19  ---------  d-----w  C:\ProgramData\Lavasoft
2008-03-16 07:18  ---------  d-----w  C:\Program Files\Lavasoft
2008-03-16 07:17  ---------  d-----w  C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 05:30  ---------  d-----w  C:\Program Files\PokerStars
2008-03-10 05:30  ---------  d-----w  C:\Program Files\Common Files\xing shared
2008-03-10 05:29  ---------  d-----w  C:\Program Files\Common Files\Real
2008-03-06 07:02  ---------  d-----w  C:\Program Files\Smallvideosoft
2008-03-03 00:32  ---------  d-----w  C:\Users\dad\AppData\Roaming\Talkback
2008-02-26 07:46  ---------  d-----w  C:\ProgramData\DVD Shrink
2008-02-21 04:43  826,368  ----a-w  C:\Windows\System32\wininet.dll
2008-02-21 04:43  56,320  ----a-w  C:\Windows\System32\iesetup.dll
2008-02-21 04:43  52,736  ----a-w  C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43  296,448  ----a-w  C:\Windows\System32\gdi32.dll
2008-02-21 04:43  26,624  ----a-w  C:\Windows\System32\ieUnatt.exe
2008-02-14 00:24  194,560  ----a-w  C:\Windows\System32\WebClnt.dll
2008-02-14 00:10  3,504,696  ----a-w  C:\Windows\System32\ntkrnlpa.exe
2008-02-14 00:10  3,470,392  ----a-w  C:\Windows\System32\ntoskrnl.exe
2008-02-14 00:09  24,064  ----a-w  C:\Windows\System32\netcfg.exe
2008-02-14 00:09  22,016  ----a-w  C:\Windows\System32\netiougc.exe
2008-02-14 00:09  2,560  ----a-w  C:\Windows\AppPatch\AcRes.dll
2008-02-14 00:09  167,424  ----a-w  C:\Windows\System32\tcpipcfg.dll
2008-02-14 00:08  537,600  ----a-w  C:\Windows\AppPatch\AcLayers.dll
2008-02-14 00:08  449,536  ----a-w  C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 00:08  4,247,552  ----a-w  C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 00:08  2,144,256  ----a-w  C:\Windows\AppPatch\AcGenral.dll
2008-02-14 00:08  173,056  ----a-w  C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 00:08  1,686,528  ----a-w  C:\Windows\System32\gameux.dll
2007-08-29 22:37  174  --sha-w  C:\Program Files\desktop.ini
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 20:34 1232896]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2007-09-26 15:14 4484816]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:33 201728]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-02 21:33 1006264]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SoundMan"="SOUNDMAN.EXE" [2007-07-02 17:54 598016 C:\Windows\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19 1102848]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"PC Pitstop Optimize2 Reminder"="C:\Program Files\PCPitstop\Optimize2\Reminder.exe" [ ]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53 780312]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52 505368]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-09 22:27 185896]
"BM1b7b21a5"="Rundll32.exe" [2006-11-02 02:45 44544 C:\Windows\System32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57 5355832]
 
C:\Users\computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-07-26 14:08:21 147456]
 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B02FDFEF-FA55-4AF3-AF6E-1034D7A87F43}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A29F60A8-18C8-44FF-94E3-F73D934CD7DC}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{975DB941-C072-4AE0-BD45-44B524572430}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{62710C88-003B-4B3A-B0BA-4EA34C24FBB8}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A5FD5AA-4941-445A-BF48-D7C4BCA8BEA8}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A083600D-C6B7-4DDB-9154-6415F7B73FE1}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{840AC66F-5CFF-450F-B0A6-EF09532854B1}"= UDP:14592:BitComet 14592 TCP
"{32FBD3AA-494E-4950-8A34-073F63A3DF99}"= TCP:14592:BitComet 14592 UDP
"{3E7BD79A-75BE-4E07-B25D-9038BE9FFE58}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{D0A7D053-720A-432C-9B96-B785817E7FC8}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{A15C815D-C774-4CED-AA94-7A44D9D83939}"= UDP:25242:BitComet 25242 TCP
"{75451C9A-8861-43ED-888B-337BD719380E}"= TCP:25242:BitComet 25242 UDP
"{8FB590C1-09C7-4467-B4F7-45B810C887FF}"= UDP:C:\Program Files\PPLive\PPLive.exe:PPLive
"{DE14D94F-318E-46E9-AF39-B89E16040893}"= TCP:C:\Program Files\PPLive\PPLive.exe:PPLive
"{0175D907-6C60-4051-A63D-8C1920D4B28D}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{C8B0C98E-7F1E-4769-9FCF-6BB68327BFC4}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{22443B45-8FE7-4E8F-84BB-D5BE7577FD11}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{E8412761-5762-4D93-BD90-A55F020CDE37}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D24DE6E4-9657-4F2F-B5B8-8A9BF42318FF}"= UDP:25506:BitComet 25506 TCP
"{CB48C4D7-C0C8-42BA-BD1A-22E6A9896B9A}"= TCP:25506:BitComet 25506 UDP
"{BABE57CF-BE59-47A9-86C6-4C6FD52E34E6}"= UDP:25148:BitComet 25148 TCP
"{51396CAB-D7DD-4213-ABE3-8FE83EDE66B2}"= TCP:25148:BitComet 25148 UDP
"{FB20FF3B-A3A5-4B06-BB29-5640C16F60EC}"= UDP:53521:BitComet 53521 TCP
"{7A641D84-A5AD-4940-B422-A5E13C424B76}"= TCP:53521:BitComet 53521 UDP
"{5A0E1B3A-FB3A-415B-A0CA-29497765B52A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{38473D1B-ABE9-4667-87CD-E8768619CB3F}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
 
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\Windows\system32\Drivers\SSFS0BB8.SYS [2007-06-21 18:43]
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 11:31]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071220.001\IDSvix86.sys [2007-11-06 09:07]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 11:32]
R2 vistatalk;vistatalk;C:\Windows\system32\vistatalk.sys [2007-07-02 22:40]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 15:32]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 00:30]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 00:30]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys [2007-11-02 14:36]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\Windows\system32\DRIVERS\motodrv.sys [2007-10-10 16:41]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2007-10-02 15:53]
S3 USB_RNDIS_XP;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver;C:\Windows\system32\DRIVERS\usb8023.sys [2006-11-02 01:57]
S4 BOHCI;BOHCI;C:\Windows\system32\drivers\BOHCI.sys [2004-02-04 13:35]
S4 BUHCI;BUHCI;C:\Windows\system32\drivers\BUHCI.sys [2004-02-04 13:35]
S4 BUSBD;BUSBD;C:\Windows\system32\drivers\BUSBD.sys [2004-02-04 13:35]
 
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 02:59:59 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - computer.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
.
**************************************************************************
 
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 20:36:47
Windows 6.0.6000  NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2008-04-21 20:38:22
ComboFix-quarantined-files.txt  2008-04-22 03:38:04
 
Pre-Run: 96,651,231,232 bytes free
Post-Run: 96,610,390,016 bytes free
 
215 --- E O F --- 2008-04-18 00:06:08
gurdeep (Newbie, Posts: 29)
« Reply #3 on: Apr 21st, 2008, 11:42pm »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:44 PM, on 4/21/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\Explorer.exe
C:\Users\computer\Desktop\HJT\HiJackThis.exe
C:\Windows\system32\DllHost.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.98.238.8:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =  
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BM1b7b21a5] "Rundll32.exe" "C:\Windows\system32\pvyqphbb.dll",s
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherEye] "C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:  
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5252/mcfscan.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 11792 bytes
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5270
Re: HJT log, Please check ASAP.
« Reply #4 on: Apr 22nd, 2008, 1:18am »
Okay, Combofix cleaned a LOT of infectious files from this system.
 
Quote:
C:\Windows\Downloaded Program Files\setup.inf  
C:\Windows\System32\AaJmnnnn.ini  
C:\Windows\System32\AaJmnnnn.ini2  
C:\Windows\system32\ddcAtrsp.dll  
C:\Windows\system32\gEwvvvwW.dll  
C:\Windows\System32\LoqsvGgh.ini  
C:\Windows\System32\LoqsvGgh.ini2  
C:\Windows\System32\onWwvyxx.ini  
C:\Windows\System32\onWwvyxx.ini2  
C:\Windows\System32\RrYGPVut.ini  
C:\Windows\System32\RrYGPVut.ini2  
C:\Windows\system32\tuVPGYrR.dll  
C:\Windows\System32\xGMWayay.ini  
C:\Windows\System32\xGMWayay.ini2

 
Now please do this:
 
1.  Delete Combofix.
 
-  Delete Combofix.exe from your desk top.
 
-  Locate the Combofix quarantine folder named Qoobox and delete it.  It is probably under C:\
 
-  Delete the Combofix log file.
 
2.  Run another HiJackthis scan.
 
3.  When the scan is completed, place a check mark next to the following items.  BE SURE these are the only items checked.
 
O4 - HKLM\..\Run: [BM1b7b21a5] "Rundll32.exe" "C:\Windows\system32\pvyqphbb.dll",s
 
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

 
4.  Close your browser window.
 
5.  Click on Fix Checked at the lower left on the HJT window.  Confirm that you want these items fixed and let HJT fix them.
 
6.  Close the HJT window and immediately reboot.
 
7.  Because of the high number of infections found on this system, I urge you to run a Kaspersky Remote Scan.
 
http://www.kaspersky.com/virusscanner  
 
-  Use Internet Explorer to access this website.  Kaspersky needs to download/install an ActiveX element for the scan.  Please let it do so.  
 
-  Before starting the remote scan, temporarily disable all your other security software EXCEPT your software firewall.  This is to prevent any interference with the remote scanner.  
 
-  BE SURE to scan your entire system with Kaspersky.  
 
8.  Please post back here the results of the Kaspersky scan.
 
9.  Post a new HJT scan log.  
 
Please remember to update your JAVA.  Instructions are on your other post thread.
 
 
 
« Last Edit: Apr 22nd, 2008, 1:21am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
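The two items the moderator picks out of the log above share patterns that a triage script can catch: a rundll32 autorun with a machine-generated value name that loads a random-looking DLL from system32 with a one-letter entry point, and an O16 ActiveX download from a host nobody recognises. The following Python is an added example (not part of the thread and not HijackThis code) that parses O4 and O16 lines in the same shape as the posted log and flags them; the sample lines are constructed from the log, and the allowlist and the "random name" heuristic are assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the HJT log above (a handful of its lines, not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM1b7b21a5] "Rundll32.exe" "C:\Windows\system32\pvyqphbb.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5252/mcfscan.cab
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$')
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S*))?', re.I)

# Assumed allowlist for the demo; real triage would consult a maintained list.
KNOWN_DPF_HOSTS = {"messenger.zone.msn.com", "download.mcafee.com"}

@dataclass
class Finding:
    line: str
    reason: str

def looks_random(stem: str) -> bool:
    """Heuristic: 8+ lowercase letters with no vowel (e.g. pvyqphbb) reads as generated, not chosen."""
    return re.fullmatch(r'[a-z]{8,}', stem) is not None and not re.search(r'[aeiou]', stem)

def triage_o4(m: re.Match) -> list:
    reasons = []
    if re.fullmatch(r'BM[0-9a-f]{8}', m["name"]):
        reasons.append("autorun value name is 'BM' + 8 hex digits (machine-generated)")
    r = RUNDLL_RE.match(m["cmd"])
    if r:  # rundll32 itself is legitimate; the question is what it is told to load
        path = r["dll"].lower()
        base = path.rsplit("\\", 1)[-1]
        stem = base[:-4] if base.endswith(".dll") else base
        if "\\system32\\" in path and looks_random(stem):
            reasons.append(f"rundll32 loads random-looking DLL {base} from system32")
        if r["entry"] is not None and len(r["entry"]) <= 2:
            reasons.append(f"rundll32 entry point '{r['entry']}' is a bare letter, not a named export")
    return reasons

def triage_o16(m: re.Match) -> list:
    host = m["url"].split("/")[2].lower() if "://" in m["url"] else m["url"].lower()
    return [] if host in KNOWN_DPF_HOSTS else [f"ActiveX (DPF) download from non-allowlisted host {host}"]

def triage(log: str) -> list:
    """Return one Finding per (line, reason) for the O4 and O16 entries in an HJT log."""
    findings = []
    for line in (l.rstrip() for l in log.splitlines()):
        m4, m16 = O4_RE.match(line), O16_RE.match(line)
        reasons = triage_o4(m4) if m4 else triage_o16(m16) if m16 else []
        findings.extend(Finding(line, why) for why in reasons)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the script flags exactly the BM1b7b21a5 rundll32 entry (three reasons) and the comned.com DPF entry, and stays quiet on the Windows Defender, WelcomeCenter and McAfee lines.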
gurdeep
Newbie
Re: HJT log, Please check ASAP.
« Reply #5 on: Apr 22nd, 2008, 1:48am »
Thanks for replying, but before I start doing the recommended steps I have a quick question. When I turned on my computer and logged in, a Windows error came up saying:
 
Error loading C:\windows\system32\pvyqphbb.dll
The specific module could not be found.
 
I clicked OK, and then I proceeded to open my internet browser and I can connect to any web pages. I know for a fact that I have a connection running, and that I can also log onto Windows Live Messenger. I was just wondering if any Trojans and such, or even fixing the problem, are related to the problem of me not being able to access the net.
siliconman01
Global Moderator
Re: HJT log, Please check ASAP.
« Reply #6 on: Apr 22nd, 2008, 2:42am »
Quote:
Error loading C:\windows\system32\pvyqphbb.dll  
The specific module could not be found.  

 
This error should be fixed when you perform the HJT fixes I provided.
 
Quote:
I clicked OK, and then I proceeded to open my internet browser and I can connect to any web pages,

 
I assume you mean to say "I cannot connect to any web pages", correct?
 
I suspect that the infection removal may have damaged your Winsock TCP/IP.
 
Please try this:
 
1.  Click on Start button.  
 
2.  Type Cmd in the Start Search text box.  
 
3.  Press the Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow the elevation request.  
 
4.  Type    netsh winsock reset    in the Command Prompt shell, and then press the Enter key.  
 
5.  Restart the computer.  
gurdeep
Newbie
Re: HJT log, Please check ASAP.
« Reply #7 on: Apr 22nd, 2008, 11:17pm »
Thanks for the reply. The "netsh winsock reset" in CMD worked at first (after the computer restart, from the "netsh winsock reset"), but after I turned my computer off then back on again, the internet didn't work. So I tried the "netsh winsock reset" in CMD for the 2nd time and it didn't work.
siliconman01
Global Moderator
Re: HJT log, Please check ASAP.
« Reply #8 on: Apr 23rd, 2008, 12:05am »
Would you please download a copy of the latest free version of SuperAntiSpyware via your other computer and install it on the computer that is acting up.
 
http://www.superantispyware.com/
 
Hopefully it can connect to its update server and obtain the latest definitions and rules.  If it cannot, go to the manual download page (via your functioning computer) and download the core and trace definitions.  Then install them on the infected computer.  On the bottom of the manual update webpage, it explains how to manually install the definitions.  
 
http://www.superantispyware.com/definitions.html 
 
Then:
 
1.  Reboot into SAFE MODE
 
2.  Run a Full System scan using SuperAntiSpyware.  Let it fix what it finds.
 
3.  Reboot back into Normal Mode.
 
4.  In SuperAntiSpyware, go to Preferences > Repairs tab.
 
5.  Run the "Repair Broken Network Connection" tool.
 
6.  Reboot and see if the problem is corrected.  
 
7.  Post back here a copy of the SAS scan log.
 
8.  Post a new HJT log.
« Last Edit: Apr 23rd, 2008, 12:05am by siliconman01 »