Jump to content


Photo

Windows XP - Outerinfo Pop-ups, missing .dll, other malware


  • This topic is locked This topic is locked
9 replies to this topic

#1 bagnus

bagnus

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 07 June 2007 - 10:58 AM

Upon restarting my computer I receive a few messages:

AVG warns - Malware Found - Adware.PurityScan, csrss.exe

C:\Windows\system32\qaqmvied.dll module could not be found

A windows installer begins and after canceling it three times a message box, with the title, hpqtra08.exe, appears stating - Application has failed to start because MFC71.DLL was not found.

There is also a desktop icon of a yellow sign with an exclamation point named, "Click to Find and Fix Errors."

Additionally, I receive the "Outerinfo Pop-up" semi-frequently after starting Firefox.

Here is my HiJackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 오전 1:06:09, on 2007-06-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\user\Application Data\Τаsks\c?rss.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20490996-D3D1-48D5-B992-10DE7EAEC49E} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\nnnkhfe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PsapiAnalyzer Object - {6D7D5679-4E81-430C-9C18-75FE169F1D07} - c:\windows\apppatch\snut.dll
O2 - BHO: (no name) - {957C4D4A-8CDF-D952-DB0D-8DADD8932497} - C:\WINDOWS\system32\bdrzlo.dll
O2 - BHO: (no name) - {9CDE1294-B013-41DA-8B58-B20AB321E62F} - \
O2 - BHO: 0 - {A9FB7D9B-6C96-4B49-2CAA-184B0A9C9F21} - C:\Program Files\Messenger\labumux.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\lbproknh.dll
O2 - BHO: (no name) - {EF8447D2-BC84-4318-BFBF-CA42BDB364Db} - C:\WINDOWS\system32\pjryhrix.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\qaqmvied.dll",realset
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Wiio] "C:\WINDOWS\system32\ΜICRO~1.NET\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Ijuxipop] C:\WINDOWS\system32\sуstem32\rеgsvr32.exe
O4 - HKCU\..\Run: [Qyfzn] "C:\Documents and Settings\user\Application Data\Τаsks\c?rss.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094143456950
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co...57/WStarter.cab
O16 - DPF: {CFCBEE6F-BE54-4682-84F6-0E3FCDFAE3E2} (NowCAFE Control) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: nnnkhfe - nnnkhfe.dll (file missing)
O20 - Winlogon Notify: snut - c:\windows\apppatch\snut.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

Thank you for your time and effort.

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 10 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 843 posts

Posted 15 June 2007 - 11:06 AM

Hi and welcome

Go to your Control panel>>Add/Remove programs>>search for and if found uninstall
WinAntiVirus Pro 2007


Download ComboFix from here
IMPORTANT !!! Place it on your Desktop.
[*]Double click combofix.exe and follow the prompts.
[*]When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall


O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Your log shows that you have disabled some startup programs using msconfig. This is not recommended because I cannot clearly see everything that is loading on your computer at startup. This can be bad if they are malware, so I would like you to re-enable those startup entries.

To re-enable all startup items please follow these instructions:
Please go to Start -> Run and type (or copy and paste):

msconfig

Click OK.
If not already selected go to the General tab.
Under Startup Selection select "Normal Startup - load all device drivers and services".
Click Apply and then Close.
When you are prompted to reboot, select "Exit Without Restart".


In your reply post
ComboFix log
New HJT log

Comments on how thing are running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 bagnus

bagnus

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 17 June 2007 - 03:48 AM

Logfile of HijackThis v1.99.1
Scan saved at 오전 1:45:09, on 2007-06-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20490996-D3D1-48D5-B992-10DE7EAEC49E} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {957C4D4A-8CDF-D952-DB0D-8DADD8932497} - C:\WINDOWS\system32\bdrzlo.dll
O2 - BHO: (no name) - {9CDE1294-B013-41DA-8B58-B20AB321E62F} - \
O2 - BHO: 0 - {A9FB7D9B-6C96-4B49-2CAA-184B0A9C9F21} - C:\Program Files\Messenger\labumux.dll (file missing)
O2 - BHO: (no name) - {EF8447D2-BC84-4318-BFBF-CA42BDB364Db} - C:\WINDOWS\system32\pjryhrix.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Wiio] "C:\WINDOWS\system32\ΜICRO~1.NET\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Ijuxipop] C:\WINDOWS\system32\sуstem32\rеgsvr32.exe
O4 - HKCU\..\Run: [Qyfzn] "C:\Documents and Settings\user\Application Data\Τаsks\c?rss.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094143456950
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co...57/WStarter.cab
O16 - DPF: {CFCBEE6F-BE54-4682-84F6-0E3FCDFAE3E2} (NowCAFE Control) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: nnnkhfe - nnnkhfe.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)


ComboFix 07-06-13.7 - C:\Documents and Settings\user\Desktop\ComboFix.exe
"user" - 2007-06-17 1:25:28 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\exxevkqa.dll
C:\WINDOWS\system32\lbproknh.dll
C:\WINDOWS\system32\mffbjdut.exe
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2
C:\WINDOWS\system32\nmllm.tmp
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2
C:\WINDOWS\system32\nmllm.tmp
C:\WINDOWS\AppPatch\snut.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\ecurit~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\AppPatch\ntp2.ini
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T2
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4


((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))


2007-06-17 01:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-07 08:34 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\TrojanHunter
2007-06-07 01:45 <DIR> d-------- C:\HJT
2007-06-07 01:15 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-06 21:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-06 20:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-06 14:35 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-02 16:31 60,928 --a------ C:\WINDOWS\system32\bdrzlo.dll
2007-06-02 16:31 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Τаsks
2007-05-24 04:16 2 --a------ C:\WINDOWS\system32\wapiisv.exe
2007-05-24 04:15 <DIR> d-------- C:\WINDOWS\system32\sуstem32
2007-05-24 04:12 <DIR> d-------- C:\WINDOWS\system32\Μicrosoft.NET
2007-05-24 04:07 725,044 --ahs---- C:\WINDOWS\system32\mljgf.dll
2007-05-24 02:11 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\ΑppPatch
2007-05-23 02:42 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-23 02:41 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-05-23 02:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-23 02:02 677,244 --a------ C:\Temp\maTUS.exe
2007-05-23 02:02 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-23 02:02 <DIR> d-------- C:\Program Files\Common Files\Οracle
2007-05-23 02:00 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-23 01:59 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 08:33:48 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-07 08:03:12 -------- d-----w C:\Program Files\Messenger
2007-06-05 05:42:12 -------- d-----w C:\Program Files\Online Services
2007-06-03 00:22:54 -------- d-----w C:\DOCUME~1\user\APPLIC~1\.gaim
2007-05-24 09:11:59 -------- d-----w C:\DOCUME~1\user\APPLIC~1\ΑppPatch
2007-05-22 06:38:16 -------- d--h--w C:\DOCUME~1\user\APPLIC~1\Move Networks
2007-05-20 21:41:46 -------- d-----w C:\Program Files\Soulseek-Test
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{20490996-D3D1-48D5-B992-10DE7EAEC49E}=C:\WINDOWS\system32\mllmn.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{957C4D4A-8CDF-D952-DB0D-8DADD8932497}=C:\WINDOWS\system32\bdrzlo.dll [2007-05-21 06:59]
{9CDE1294-B013-41DA-8B58-B20AB321E62F}=\ [2007-06-17 01:38]
{A9FB7D9B-6C96-4B49-2CAA-184B0A9C9F21}=C:\Program Files\Messenger\labumux.dll []
{EF8447D2-BC84-4318-BFBF-CA42BDB364Db}=C:\WINDOWS\system32\pjryhrix.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2003-02-24 16:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-01 15:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-03 14:34]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-17 01:37]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"mav_startupmon"="C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
"{ZN}"="C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe" []
"THGuard"="C:\Program Files\TrojanHunter 4.6\THGuard.exe" [2007-05-11 20:01]
"SoundMan"="SOUNDMAN.EXE" [2003-07-16 07:50 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05]
"Corel Reminder"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2006-07-15 03:34]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-12-08 15:50]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
"Wiio"="C:\WINDOWS\system32\ΜICRO~1.NET\rundll32.exe" []
"Ijuxipop"="C:\WINDOWS\system32\sуstem32\rеgsvr32.exe" []
"Qyfzn"="C:\Documents and Settings\user\Application Data\Τаsks\c?rss.exe" [2007-05-21 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmn]
C:\WINDOWS\system32\mllmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkhfe]
nnnkhfe.dll


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 01:34:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-17 1:40:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-17 01:40

--- E O F ---


The outerinfo pop ups are gone, system is a bit faster. AVG still displayed notifications about malware.

#5 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 843 posts

Posted 17 June 2007 - 07:39 AM

Welcome back

Still a bit of work to do but we're closer now.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
This will change from what we know in 2006 read this article:
http://www.clickz.co...cle.php/3561546
A side note about AIM Messenger, AOL user's and Viewpoint Manager. Viewpoint is one of the graphic engines that AOL uses and it is bundled with the application. If you continue to use AIM Messenger, it would likely be reinstalled. Or if you recieve some of the AOL E-cards it may ask you to download and run this program to view and run the graphics in E-cards.
Your call
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player




Open HJT and click scan only, place a check by these entries

O2 - BHO: (no name) - {20490996-D3D1-48D5-B992-10DE7EAEC49E} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {957C4D4A-8CDF-D952-DB0D-8DADD8932497} - C:\WINDOWS\system32\bdrzlo.dll
O2 - BHO: (no name) - {9CDE1294-B013-41DA-8B58-B20AB321E62F} - \
O2 - BHO: 0 - {A9FB7D9B-6C96-4B49-2CAA-184B0A9C9F21} - C:\Program Files\Messenger\labumux.dll (file missing)
O2 - BHO: (no name) - {EF8447D2-BC84-4318-BFBF-CA42BDB364Db} - C:\WINDOWS\system32\pjryhrix.dll (file missing)
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\user\Local Settings\Temp\TICHD003.exe CHD003
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h <- it's a bad idea to let p2p Programs startup with Windows
O4 - HKCU\..\Run: [Wiio] "C:\WINDOWS\system32\ΜICRO~1.NET\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Ijuxipop] C:\WINDOWS\system32\sуstem32\rеgsvr32.exe
O4 - HKCU\..\Run: [Qyfzn] "C:\Documents and Settings\user\Application Data\Τаsks\c?rss.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll (file missing)
O20 - Winlogon Notify: nnnkhfe - nnnkhfe.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close all open windows and browsers except HJT and click fix checked



Open notepad and copy/paste the text in the quotebox below into it.

File::
C:\WINDOWS\system32\bdrzlo.dll
C:\WINDOWS\system32\wapiisv.exe
C:\WINDOWS\system32\mljgf.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\Temp\maTUS.exe
C:\WINDOWS\system32\T6
C:\DOCUME~1\user\APPLIC~1\Τаsks
C:\WINDOWS\system32\Μicrosoft.NET


Folder::
C:\WINDOWS\system32\T1QaSQ
C:\Program Files\Viewpoint


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"bdrzlo.dll"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mav_startupmon"=-
"{ZN}"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qyfzn"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkhfe]

Save this as ComboFix-Do.txt drag ComboFix-Do.txt into ComboFix.exe Posted Image
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.




Please download and install SUPERAntiSpyware
  • Load SUPERAntiSpyware and click the Check for Updates button.
  • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
  • Open SUPERAntiSpyware and click the Scan your Computer button.
  • Check Perform Complete Scan and then click Next.
  • SUPERAntiSpyware will now scan your computer and when itís finished it will list all the infections it has found.
  • Make sure that they all have a check next to them, and then click Next.
  • Click Finish and you will be taken back to the main interface.
  • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
  • I'll need a log afterwards of what has been found.
  • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
  • Please post the results of the SUPERAntiSpyware login your next reply.


In your next reply post
ComboFix-Do txt
SUPERAntiSpyware log
New HJT log

Let me know if you still have notifications about malware with comments on how your computer is running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#6 bagnus

bagnus

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 17 June 2007 - 06:17 PM

ComboFix 07-06-13.7 - C:\Documents and Settings\user\Desktop\ComboFix.exe
"user" - 2007-06-17 15:33:50 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\user\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\user\APPLIC~1\Τаsks
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Temp\maTUS.exe
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\T1QaSQ
C:\WINDOWS\system32\wapiisv.exe


((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))


2007-06-17 01:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-07 08:34 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\TrojanHunter
2007-06-07 01:45 <DIR> d-------- C:\HJT
2007-06-07 01:15 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-06 21:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-06 20:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-06 14:35 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-24 04:15 <DIR> d-------- C:\WINDOWS\system32\sуstem32
2007-05-24 04:12 <DIR> d-------- C:\WINDOWS\system32\Μicrosoft.NET
2007-05-24 02:11 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\ΑppPatch
2007-05-23 02:42 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-23 02:41 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-05-23 02:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-23 02:02 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-23 02:02 <DIR> d-------- C:\Program Files\Common Files\Οracle
2007-05-23 01:59 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 21:45:55 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-17 11:16:47 -------- d-----w C:\Program Files\Ares
2007-06-07 08:03:12 -------- d-----w C:\Program Files\Messenger
2007-06-05 05:42:12 -------- d-----w C:\Program Files\Online Services
2007-06-03 00:22:54 -------- d-----w C:\DOCUME~1\user\APPLIC~1\.gaim
2007-05-22 06:38:16 -------- d--h--w C:\DOCUME~1\user\APPLIC~1\Move Networks
2007-05-20 21:41:46 -------- d-----w C:\Program Files\Soulseek-Test
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2003-02-24 16:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-01 15:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-03 14:34]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-17 01:37]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"THGuard"="C:\Program Files\TrojanHunter 4.6\THGuard.exe" [2007-05-11 20:01]
"SoundMan"="SOUNDMAN.EXE" [2003-07-16 07:50 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05]
"Corel Reminder"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-12-08 15:50]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 15:37:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-17 15:38:14
C:\ComboFix-quarantined-files.txt ... 2007-06-17 15:38
C:\ComboFix2.txt ... 2007-06-17 01:40

--- E O F ---



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/17/2007 at 04:07 PM

Application Version : 3.8.1002

Core Rules Database Version : 3256
Trace Rules Database Version: 1267

Scan type : Complete Scan
Total Scan Time : 00:16:21

Memory items scanned : 439
Memory threats detected : 1
Registry items scanned : 5641
Registry threats detected : 0
File items scanned : 1496
File threats detected : 15

Adware.ClickSpring/Resident
C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\ΤаSKS\C?RSS.EXE
C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\ΤаSKS\C?RSS.EXE

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@angleinteractive.directtrack[2].txt
C:\Documents and Settings\user\Cookies\user@html[2].txt
C:\Documents and Settings\user\Cookies\user@da-tracking[2].txt
C:\Documents and Settings\user\Cookies\user@ads.adbrite[2].txt
C:\Documents and Settings\user\Cookies\user@atwola[1].txt
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[1].txt
C:\Documents and Settings\user\Cookies\user@www.xctrk[2].txt
C:\Documents and Settings\user\Cookies\user@directtrack[1].txt
C:\Documents and Settings\user\Cookies\user@ad.outerinfo[2].txt
C:\Documents and Settings\user\Cookies\user@cpvfeed[2].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007

Adware.ClickSpring/Outer Info Network
C:\Documents and Settings\user\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\user\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\user\Start Menu\Programs\Outerinfo




Logfile of HijackThis v1.99.1
Scan saved at 오후 4:16:13, on 2007-06-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Wiio] "C:\WINDOWS\system32\ΜICRO~1.NET\rundll32.exe" -vt ndrv
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094143456950
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co...57/WStarter.cab
O16 - DPF: {CFCBEE6F-BE54-4682-84F6-0E3FCDFAE3E2} (NowCAFE Control) -
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)




No more AVG notifications of malware. System running much smoother. Windows installer still appearing on startup.

I am extremely grateful for your help.

#7 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 843 posts

Posted 18 June 2007 - 08:33 AM

Welcome back

No more AVG notifications of malware. System running much smoother, I am extremely grateful for your help.

Glad to hear it's running smooth again, and your welcome!



Open HJT and click scan only, place a check by these entries

O4 - HKCU\..\Run: [Wiio] "C:\WINDOWS\system32\ΜICRO~1.NET\rundll32.exe" -vt ndrv
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co...57/WStarter.cab
O16 - DPF: {CFCBEE6F-BE54-4682-84F6-0E3FCDFAE3E2} (NowCAFE Control) -
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) -

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
(Description: System Tray icon for the Realtek AC97 Audio Sound Manager for AC97 onboard audio. Available via Start -> Settings-> Control Panel. Removing this entry will free up a small amount of system resources. )

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )

Close all open windows and browsers except HJT and click fix checked


Please delete your previous ComboFix-Do txt


Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\ΜICRO~1.NET\rundll32.exe

Save this as ComboFix-Do.txt drag ComboFix-Do.txt into ComboFix.exe Posted Image
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.


This will help with the Windows Installer issue
Windows Installer CleanUp Utility


In your reply post
ComboFix Do.txt
New HJT log

Comments on your computer now.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#8 bagnus

bagnus

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 18 June 2007 - 10:12 PM

ComboFix 07-06-13.7 - C:\Documents and Settings\user\Desktop\ComboFix.exe
"user" - 2007-06-18 19:49:55 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\user\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-17 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-17 15:47 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\SUPERAntiSpyware.com
2007-06-17 15:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-17 15:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-17 01:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-07 08:34 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\TrojanHunter
2007-06-07 01:45 <DIR> d-------- C:\HJT
2007-06-07 01:15 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-06-06 21:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-06 20:55 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-06 14:35 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-24 04:15 <DIR> d-------- C:\WINDOWS\system32\sуstem32
2007-05-24 04:12 <DIR> d-------- C:\WINDOWS\system32\Μicrosoft.NET
2007-05-24 02:11 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\ΑppPatch
2007-05-23 02:42 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-23 02:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-23 02:02 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-23 02:02 <DIR> d-------- C:\Program Files\Common Files\Οracle
2007-05-23 01:59 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 23:10:24 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-17 11:16:47 -------- d-----w C:\Program Files\Ares
2007-06-07 08:03:12 -------- d-----w C:\Program Files\Messenger
2007-06-05 05:42:12 -------- d-----w C:\Program Files\Online Services
2007-06-03 00:22:54 -------- d-----w C:\DOCUME~1\user\APPLIC~1\.gaim
2007-05-22 06:38:16 -------- d--h--w C:\DOCUME~1\user\APPLIC~1\Move Networks
2007-05-20 21:41:46 -------- d-----w C:\Program Files\Soulseek-Test
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2003-02-24 16:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-01 15:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-17 01:37]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"THGuard"="C:\Program Files\TrojanHunter 4.6\THGuard.exe" [2007-05-11 20:01]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05]
"Corel Reminder"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-12-08 15:50]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 19:53:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-18 19:54:02
C:\ComboFix-quarantined-files.txt ... 2007-06-18 19:54
C:\ComboFix2.txt ... 2007-06-17 15:38
C:\ComboFix3.txt ... 2007-06-17 01:40

--- E O F ---




Logfile of HijackThis v1.99.1
Scan saved at 오후 8:11:44, on 2007-06-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094143456950
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)




Everything seems to be working fine now. Thank you very much.

#9 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 843 posts

Posted 19 June 2007 - 06:37 AM

Welcome back

Everything seems to be working fine now. Thank you very much.


Glad we could help.

If there are no more issues or problems your good to go!


Please delete the tools I had you download and use.



Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Install and Update SpywareBlaster protects against bad ActiveX, browser hijackers, and dialers that are some of the fastest-growing threats on the Internet today.
Tutorial

IE-SPYAD puts over 5000 sites in your restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.
Tutorial

Install and Update SpyBot Search&Destroy Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.
Tutorial
Run on a regular basis

Install and Update Ad-Aware SE Personal
You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.
Tutorial
Run on a regular basis

SUPERAntiSpyware
This is another excellent FREE scanner to look for nasties that might be lurking in your system.
SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well. Quick Guide: How to use!

Update all these programs regularly . Without regular updates you will not be protected when new malicious programs are released.
And to run them regularly as this can prevent a great deal of spyware hassle.

Please take the time to read this article with suggestions and information on 'Safe Computing Practices.'

So how did I get infected in the first place.
Another valueable article to read Dealing with Unwanted Spyware and Parasites

Read through the information found here, to help you prevent any possible future infections.
How to prevent Malware' by miekiemoes:
http://users.telenet...prevention.html

And if you want to improve speed/system performance after malware removal, take a look
http://users.telenet...owcomputer.html
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#10 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 843 posts

Posted 05 July 2007 - 08:53 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button