
Thread: Trojan Issue

  1. #1 GMan2385 (Member, joined Oct 2005)

    Trojan Issue

    Hello H2G mods. It's been a good long time since I needed any assistance, but recently I've been having an issue; it's only been the past 2 days now.

    I recently upgraded my computer that I built nearly 5 years ago. New MoBo, new processor, graphics card etc.

    I had to re-install my Windows, as it appears the hard disk that contains all of my Windows info has recently been deemed "BAD" by Partition Magic 8. After the clean install things were working OK, so I went about regaining all of my lost program associations and whatnot. I had to download Adobe Reader, since I had simply run the installation off their site the last time I installed it. Much to my surprise, very shortly after installing it I started getting pop-up warnings from AVG that I have a Trojan. I just ran a third scan after the errors continued to happen despite two scans and reboots. Now upon Windows startup, my AIM no longer loads and I get two error messages, one stating that Windows cannot open "ddccb.exe" in the system32 folder, and the other stating the same for "shell.exe," located in the same folder.

    Here's my HJT log from the scan I just performed. I ran it through the Detective, but the only recommendations were to remove three system tray tools (Nvidia, and Winamp Agent [which actually showed up twice]) that I regularly use, so I didn't remove them, plus, I know what those are and trust them.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:13:58 PM, on 1/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    F:\Winamp\winampa.exe
    F:\Program files\Adobe\Reader\Reader_sl.exe
    C:\WINDOWS\system32\8B85898A90899.exe
    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    H:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\system32\wuauclt.exe
    F:\Program Files\Grisoft\AVG7\avgwb.dat
    F:\HJT\HijackThis.exe

    R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    F3 - REG:win.ini: load=C:\WINDOWS\System32\ddccb.exe
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] F:\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program files\Adobe\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [MaxBlastMonitor.exe] H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] F:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200950970686
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Any help will be greatly appreciated. Also, I have another slightly unrelated question, but thought that I might as well ask, and if I need to I can repost the question in another section. I added a 500GB Maxtor SATA drive before I went about upgrading my computer, but once I got my Windows installation back up and running I went to access the drive and it says it is unformatted (though I KNOW I formatted it prior to the upgrade to have 3 partitions, all NTFS). It was used to hold a backup image I had made of my Windows drive in case I ran into issues, which I seem to have, and I was hoping to use the image to restore my programs to their previous functionality. Now, when I tried to re-format the drive nothing works: not Partition Magic, not Maxtor's "MaxBlast5" software, not even Windows will format it. Any help on this issue will also be greatly appreciated.

    Thanks again for the help!

    _Greg

  2. #2 Member (joined Dec 2002)

    So far I see a vundo problem and a smitfraud infection. I also see that you are running an old version of the HJT program.

    Delete your current HJT folder.

    Read and follow the directions here and post a new HJT when done.

    http://www.help2go.com/Tutorials/Pro...Hijackers.html

    BG

    P.S.

    On your other problem, if it is the same PC, wait until we are done here.
    Our policy has been once a HJT log has been submitted other help in the forums will be suspended.

  3. #3 GMan2385 (Member, joined Oct 2005)

    Ok, so throughout the day as I was cleaning my apartment to move in the next week I went about doing everything that's listed on the linked page.

    Here's the ActiveScan Log:


    Incident Status Location

    Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\R3JlZ29yeSBIaWxs\laL5tZ6Vym1KuqUP.vbs
    Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\5tr3jco0.default\COOKIES.TXT[.enhance.com/]
    Possible Virus. Not disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\UE.EXE
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\WVDWLRGX.EXE
    Virus:Trj/Downloader.SAX Disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\XRUN.EXE
    Virus:Trj/Downloader.PLF Disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temp\SNAPSNET.EXE
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\gamadril20071203[1]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@doubleclick[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@atdmt[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adrevolver[2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@casalemedia[2].txt
    Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@findwhat[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@ad.yieldmanager[2].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@fastclick[2].txt
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@statse.webtrendslive[2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@apmebf[1].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@overture[1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@burstnet[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@tribalfusion[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@advertising[2].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@questionmarket[1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@statcounter[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@atwola[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.com.com/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[server.iad.liveperson.net/]
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[statse.webtrendslive.com/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[server.iad.liveperson.net/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.doubleclick.net/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.fastclick.net/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.apmebf.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.fastclick.net/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.realmedia.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.zedo.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.realmedia.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.apmebf.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.zedo.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.realmedia.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.zedo.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.realmedia.com/]
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.trafficmp.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.atwola.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.advertising.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[ad.yieldmanager.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.adserver.easyad.info/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.mediaplex.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.atdmt.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.tribalfusion.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.questionmarket.com/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.ads.pointroll.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.statcounter.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.azjmp.com/]
    Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.findwhat.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.burstnet.com/]
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[www.burstbeacon.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.casalemedia.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.xiti.com/]
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.gostats.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.adrevolver.com/]
    Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.spylog.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.bs.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.serving-sys.com/]
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.bluestreak.com/]
    Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[counter.hitslink.com/]
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.clickbank.net/]
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Gregory Hill\Application Data\Mozilla\Firefox\Profiles\wt4ky86e.default\COOKIES.TXT[.ads.addynamix.com/]
    Adware:Adware/DnsInsider Not disinfected C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    Spyware:Spyware/7r7t Not disinfected D:\New Music\Hot Fuss\Hot Fuss.exe

    And here's my latest HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:51:07 AM, on 1/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    F:\Winamp\winampa.exe
    F:\Program files\Adobe\Reader\Reader_sl.exe
    C:\WINDOWS\system32\8B85898A90899.exe
    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\AIM6\aim6.exe
    H:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    F:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    F3 - REG:win.ini: load=C:\WINDOWS\System32\ddccb.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O2 - BHO: (no name) - {90FD3ECD-48E5-421C-A995-A5EBBD3F4F86} - C:\WINDOWS\System32\seclogo.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] F:\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program files\Adobe\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [MaxBlastMonitor.exe] H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] F:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200950970686
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9286 bytes


    Thanks again for all the help. You folks were the first place I thought of coming back to when this issue started up. You're an amazing help for those of us who like to work on our own computers but don't know everything we probably should.
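    As an added illustration of the kind of triage the helpers in this thread do by eye on the two logs above (this is editor-added example code, not anything posted in the thread and not part of HijackThis itself), here is a small Python script that applies a few of the classic HJT reading heuristics to constructed sample lines: a system.ini Shell= with a second executable appended, a win.ini load= autostart, an O4 Run entry whose name and filename are random-looking hex strings, an O7 registry policy restriction, and an O20 Winlogon Notify hook whose DLL is missing. The sample lines, the severity labels and the heuristics themselves are constructed for the example; a hit means "a helper should look at this", not "this is malware", and entries that don't trip any rule (the NVIDIA and AVG lines) are simply not reported.

```python
import re

# Constructed sample log in HijackThis format. The lines are modelled on the
# kinds of entries discussed in this thread; this is not a copy of either log.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe",
    r"F3 - REG:win.ini: load=C:\WINDOWS\System32\ddccb.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe",
    r"O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]

# "O4 - HKLM\..\Run: [name] command"  ->  section code plus the rest of the line
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# inside an O4 body: "[name] command line"
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


def hex_like(name: str) -> bool:
    """True for names made only of hex digits (8+ chars), the sort of
    machine-generated name a human-installed program would not use."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 8 and re.fullmatch(r"[0-9A-Fa-f]+", stem) is not None


def triage_line(line: str):
    """Return (severity, reason) for an entry worth a helper's attention, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec == "F2" and "Shell=" in body:
        # The only expected value is Explorer.exe; anything appended is a second shell.
        value = body.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return "high", "system.ini Shell= loads more than Explorer.exe: " + value

    if sec == "F3" and "load=" in body:
        # win.ini load= is a legacy autostart that current software does not use.
        value = body.split("load=", 1)[1].strip()
        if value:
            return "high", "win.ini load= autostart: " + value

    if sec == "O4":
        mm = O4_RE.search(body)
        if mm:
            name, cmd = mm.group("name"), mm.group("cmd")
            parts = cmd.strip('"').split()
            exe = parts[0] if parts else ""
            if hex_like(name) or hex_like(exe.rsplit("\\", 1)[-1]):
                return "high", f"Run entry with hex-like name or file: [{name}] {cmd}"

    if sec == "O7":
        # Policy keys such as DisableRegedit=1 are a common tampering indicator.
        return "medium", "system policy restriction set: " + body

    if sec == "O20" and "(file missing)" in body:
        # A Winlogon Notify DLL that is registered but absent is a leftover hook.
        return "high", "Winlogon Notify hook with missing DLL: " + body

    return None


def triage(lines):
    """Run the heuristics over a whole log; returns (severity, line, reason) tuples."""
    findings = []
    for line in lines:
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.strip(), hit[1]))
    return findings


if __name__ == "__main__":
    for sev, _line, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}")
```

    Feed it a real log by reading the file into a list of lines and passing that to `triage()`; the rules are deliberately narrow, so a clean result is not a clean machine, only an absence of the handful of patterns coded here.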

  4. #4 steamwiz (Member, Yorkshire U.K., joined Sep 2003)

    Hi

    The vundo trojan you have is one of the newest versions & not that easy to get rid of; apart from that you have several other trojans/infections ... I'm surprised, as this is a relatively newly installed o/s.

    Download: SmitfraudFix.zip from :-

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

    1. Download to your desktop
    2. unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix)
    3. Double-click smitfraudfix.cmd
    4. Select 1 and hit Enter to create a report of the infected files
    5. find the C:\rapport.txt file and post the contents in your next post here...

    THEN ...

    Download Superantispyware.

    http://www.superantispyware.com/

    Once downloaded and installed, update the definitions
    and then run a full system scan; quarantine what it finds!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    THEN ...

    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Please remember to post :-

    1. C:\rapport.txt file
    2. SUPERAntiSpyware Scan Log
    3. C:\ComboFix.txt
    4. a new HijackThis log (run after everything else)

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  5. #5
    Member GMan2385's Avatar
    Join Date
    Oct 2005
    Posts
    29
    Points
    0

    Default

    Alrighty, well, I followed all the directions listed by SteamWiz...

    However, I never had a logfile pop up nor was there one in the C drive where it said it would be. It also never re-set my clock settings. I do have the Rapport log and SuperAntiSpyware log though, and I ran a HJT scan after waiting 18 minutes for ComboFix after the window had closed itself. Here are the other logs.

    Super Anti Spyware:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/22/2008 at 11:53 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3386
    Trace Rules Database Version: 1380

    Scan type : Complete Scan
    Total Scan Time : 01:16:53

    Memory items scanned : 560
    Memory threats detected : 0
    Registry items scanned : 4035
    Registry threats detected : 18
    File items scanned : 75276
    File threats detected : 109

    Adware.Tracking Cookie
    C:\Documents and Settings\Gregory Hill\Cookies\gregory_hill@tacoda[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory_hill@revsci[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@html[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adultobserver[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@gomyron[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@advertising[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory_hill@atwola[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@indiads[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@doubleclick[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@209.9.174[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@secure.systemerrorfixer[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@interclick[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@go[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adecn[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@clean.systemerrorfixer[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@www.pcantiviruspro[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adprofile[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@ads.traderonline[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@2o7[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@mediatraffic[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@ads3.blastro[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@a[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@2676[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@10181[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@systemerrorfixer[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@2676[3].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@specificclick[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@doubleclick[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@eas.apm.emediate[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@clicksfeed[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@webtraffic20[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@da-tracking[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@findwhat[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adsby.zwoops[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@thezirius[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@208.122.40[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@nextag[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@roiservice[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@208.122.40[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@questionmarket[1].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@adlegend[2].txt
    C:\Documents and Settings\Gregory Hill\Cookies\gregory hill@pandasoftware.112.2o7[1].txt

    Trojan.NetMon/DNSChange
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

    Trojan.cmdService
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

    Trojan.Unknown Origin
    C:\WINDOWS\R3JLZ29YESBIAWXS\LAL5TZ6VYM1KUQUP.VBS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{5195BF5A-8D86-4ECD-8BFA-E325D4ED5E7D}\RP20\A0004331.VBS

    Trojan.Downloader-NoName
    C:\DOCUMENTS AND SETTINGS\GREGORY HILL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\90OE5IP5\SPOOLSV[1].EXE

    Adware.Unknown Origin
    C:\PROGRAM FILES\COMMON FILES\MZKK\MZKKD\CLASS-BARREL

    Adware.Vundo-Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{5195BF5A-8D86-4ECD-8BFA-E325D4ED5E7D}\RP20\A0004333.DLL

    Trace.Known Threat Sources
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ctxad-574[1].sig
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\ctxad-574[1].0005
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\ctxad-574[1].0002
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\ctxad-574[1].0004
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\ctxad-574[1].0006
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ack[3].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ctxad-574[1].0003
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\checkin[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\close[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ack[2].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\1x1[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\tsupdate2[1].php
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\ack[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\ctxad-574[1].0000
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\ctxad-574[1].0001
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\background[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\crypt[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\index[2].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\2250lkxrlxlu[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\2676dwzvwngd[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\managers[2].js
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\resize[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\spacer[3].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\ajax[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\CAMV2ZUL.htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\errorhandler[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\get_lic_new[2].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\doorway-door[1].exe
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\index3[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\_ld[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\second[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\landing[2]
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\get_lic_new[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\get_lic_new[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\style813[1].css
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\stats[2].jpg
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\crypt[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\errorhandler[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\solution[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\styler[1].css
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\main.shadow.top[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\icon.arrow[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\middle_left[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\CANI033X.php
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\page.screenshot[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\ajax[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\main.shadow.btm[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\scan.bg[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\CAG16VWD.htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\managers[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\middle_right[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\button.download[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\arrow[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\scan.bar[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\window[1].js
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\8[1].htm
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\C9MPKR5H\family[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\90OE5IP5\ballon[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\72C68QG0\bg[2].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\alert[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\main[1].gif
    C:\Documents and Settings\Gregory Hill\Local Settings\Temporary Internet Files\Content.IE5\6H99FNQS\scan.txt[1].gif


    Rapport.txt:

    SmitFraudFix v2.274

    Scan done at 22:29:14.64, Tue 01/22/2008
    Run from C:\Documents and Settings\Gregory Hill\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\WINDOWS\system32\wuauclt.exe
    F:\Winamp\winampa.exe
    C:\WINDOWS\system32\8B85898A90899.exe
    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\AIM6\aim6.exe
    H:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    F:\Winamp\winamp.exe
    C:\WINDOWS\system32\cmd.exe

    hosts

    hosts file corrupted !

    #AAW 10.18.250.4 download.microsoft.com
    #AAW 10.18.250.4 downloads.microsoft.com
    #AAW 10.18.250.4 go.microsoft.com
    #AAW 10.18.250.4 microsoft.com
    #AAW 10.18.250.4 msdn.microsoft.com
    #AAW 10.18.250.4 office.microsoft.com
    #AAW 10.18.250.4 support.microsoft.com
    #AAW 10.18.250.4 windowsupdate.microsoft.com
    #AAW 10.18.250.4 www.microsoft.com
    #AAW 10.18.250.4 pandasoftware.com
    #AAW 10.18.250.4 www.pandasoftware.com

    C:\


    C:\WINDOWS


    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32


    C:\Documents and Settings\Gregory Hill


    C:\Documents and Settings\Gregory Hill\Application Data


    Start Menu


    C:\DOCUME~1\GREGOR~1\FAVORI~1


    Desktop


    C:\Program Files

    C:\Program Files\Helper\ FOUND !

    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix.exe by S!Ri


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    Rustock



    DNS

    Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
    DNS Server Search Order: 68.190.192.35
    DNS Server Search Order: 66.214.48.27

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{9327A6A2-AC67-4714-B834-1B02EE6269BA}: DhcpNameServer=68.190.192.35 66.214.48.27
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.190.192.35 66.214.48.27


    Scanning for wininet.dll infection


    End

    Newest HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:30, on 2008-01-23
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    F:\Winamp\winampa.exe
    C:\WINDOWS\system32\8B85898A90899.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    H:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    F:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] F:\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program files\Adobe\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [MaxBlastMonitor.exe] H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AIM] F:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200950970686
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8765 bytes
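
    The rapport above reports the hosts file as corrupted (Microsoft and Panda domains pointed at 10.18.250.4), and the HijackThis log carries a Run entry with a random hex name and a Winlogon Notify DLL that is missing: two of the update-blocking and persistence signs a Vundo-era infection leaves behind. As an added example that is not part of this thread or of SmitFraudFix, SUPERAntiSpyware or HijackThis, the Python script below triages both kinds of evidence from sample lines constructed from the logs in this reply. The watched-domain list, the treatment of `#AAW` as a tool-added comment marker, the one still-active hosts line and the random-name heuristic are assumptions made for illustration.

```python
"""Triage of two log excerpts of the kind posted in this thread: the
SmitFraudFix 'hosts' section and HijackThis O4/O20 lines.  Added example,
not part of the thread or of any of the tools it mentions."""
import re

# Domains whose redirection in the hosts file signals update/vendor blocking.
# Assumed watch-list for illustration; extend it with your own AV vendors.
WATCHED_SUFFIXES = ("microsoft.com", "pandasoftware.com", "windowsupdate.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: three entries copied from the rapport above (with the
# "#AAW" prefix that appears there), one ordinary comment, one normal line,
# and one still-active hijack line added for illustration.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
#AAW 10.18.250.4 download.microsoft.com
#AAW 10.18.250.4 windowsupdate.microsoft.com
#AAW 10.18.250.4 www.pandasoftware.com
# an ordinary comment line
10.18.250.4 support.microsoft.com
"""


def find_hosts_hijacks(text):
    """Return (status, ip, host) for every line mapping a watched domain to a
    non-loopback address.  'active' lines are live; 'commented' lines were
    neutralised by a leading '#' (the '#AAW' marker is assumed to be a
    tool-added comment) but still prove the file was tampered with."""
    hits = []
    for raw in text.splitlines():
        line, status = raw.strip(), "active"
        if line.startswith("#"):
            status = "commented"
            parts = line.lstrip("#").split()
            if parts and not IPV4.match(parts[0]):
                parts = parts[1:]  # drop a marker word such as AAW
        else:
            parts = line.split()
        if len(parts) < 2 or not IPV4.match(parts[0]) or parts[0] in LOOPBACK:
            continue
        for host in parts[1:]:
            if host.lower().endswith(WATCHED_SUFFIXES):
                hits.append((status, parts[0], host.lower()))
    return hits


# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [181216171D161E1] 8B85898A90899.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
DRIVE_PATH = re.compile(r'^"?[A-Za-z]:\\')


def looks_random(name):
    """Heuristic for machine-generated names such as 8B85898A90899 or
    pmnkjhg: at least 7 characters and either all hex digits or vowel-free.
    Expect some false positives; it ranks entries, it does not decide."""
    stem = name.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= 7 and (re.fullmatch(r"[0-9A-Fa-f]+", stem) is not None
                               or re.search(r"[aeiouAEIOU]", stem) is None)


def flag_hjt_entries(text):
    """Flag O4 Run entries with no drive-letter path anywhere in the command
    (Windows then resolves the bare name through the search path, which is
    how malware blends in) or with a random-looking name, and O20 Winlogon
    Notify entries whose DLL is missing or randomly named.
    Returns (line_type, name, reasons) tuples in log order."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            tokens = m.group("cmd").split()
            reasons = []
            if not any(DRIVE_PATH.match(t) for t in tokens):
                reasons.append("no full path")
            if looks_random(m.group("name")) or (tokens and looks_random(tokens[0].strip('"'))):
                reasons.append("random-looking name")
            if reasons:
                flagged.append(("O4", m.group("name"), reasons))
            continue
        m = O20_RE.match(line)
        if m:
            reasons = []
            if "(file missing)" in m.group("dll"):
                reasons.append("file missing")
            if looks_random(m.group("name")):
                reasons.append("random-looking name")
            if reasons:
                flagged.append(("O20", m.group("name"), reasons))
    return flagged


if __name__ == "__main__":
    for hit in find_hosts_hijacks(SAMPLE_HOSTS):
        print("hosts:", *hit)
    for kind, name, why in flag_hjt_entries(SAMPLE_HJT):
        print(f"{kind}: [{name}] -> {', '.join(why)}")
```

    Flagged entries are leads for a human, not verdicts: a bare file name under Run can belong to legitimate software (the Logitech entry is flagged for exactly that reason), while the hex-named Run value and the missing `pmnkjhg.dll` Winlogon hook are the ones worth chasing first. Commented-out hosts entries are still reported because they show the file was modified even after a cleaner neutralised them.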

  6. #6
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    If it never re-set the clock settings, then it didn't complete, possibly because it needed to reboot, but some configuration on your computer wouldn't let it ...

    Please try and run Combofix in safemode ...
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  7. #7
    Member GMan2385's Avatar
    Join Date
    Oct 2005
    Posts
    29
    Points
    0

    Default

    Alright, so I tried to boot into safe mode and run ComboFix again, but the same thing happened. This morning before I went to work I double checked that all of my anti-virus/adware/firewall programs were shut off and ran ComboFix again to see if it might finish, but I noticed it went to stage 38 then said it was completing the scan and creating the report, but the same thing happened, even in safe mode: no report popped up, nor was there one saved at C:\ComboFix.txt. Could there possibly be another problem?

  8. #8
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Find the C:\Combofix folder & open it ... post the contents of any text (.txt) files you see in there ...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  9. #9
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Please delete your Combofix.exe file & download a new version from the same link...

    A new version was uploaded an hour ago which should allow you to produce a log, & reset the time etc.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  10. #10
    Member GMan2385's Avatar
    Join Date
    Oct 2005
    Posts
    29
    Points
    0

    Default

    Ok, I deleted the old ComboFix.exe file and downloaded the new one. It did reset the clock settings and posted a log for me. Here's the ComboFix log as well as a new HJT log.

    ComboFix 08-01-23.1C - Gregory Hill 2008-01-24 16:29:07.9 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1562 [GMT -8:00]
    Running from: C:\Documents and Settings\Gregory Hill\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\Gregory Hill\Application Data\RACLE~1
    C:\Documents and Settings\Gregory Hill\Application Data\WNSXS~1
    C:\Program Files\Helper
    C:\Program Files\Temporary
    C:\WINDOWS\appatc~1
    C:\WINDOWS\system32\bccdd.ini
    C:\WINDOWS\system32\bccdd.ini2
    C:\WINDOWS\system32\drivers\uqaqnmhj.dat
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\seclogo.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_ERLWGTRG
    -------\LEGACY_NTNDIS
    -------\erlwgtrg

    ((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
    .

    2008-01-23 16:33 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
    2008-01-23 16:33 . 2008-01-21 16:17 211 --a------ C:\Boot.bak
    2008-01-23 00:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
    2008-01-22 22:29 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-22 22:29 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-22 22:29 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-22 22:29 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-22 22:29 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-22 22:29 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-22 22:29 . 2008-01-22 22:29 3,398 --a------ C:\WINDOWS\system32\tmp.reg
    2008-01-22 07:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-01-22 07:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-01-22 03:40 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
    2008-01-22 03:06 . 2007-07-09 05:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2008-01-22 03:00 . 2008-01-22 03:00 d--h----- C:\WINDOWS\$hf_mig$
    2008-01-22 02:41 . 2008-01-22 02:41 d-------- C:\Program Files\Windows Defender
    2008-01-22 02:08 . 2008-01-22 03:21 147 --a------ C:\WINDOWS\wininit.ini
    2008-01-21 22:03 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
    2008-01-21 21:39 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
    2008-01-21 21:37 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\tvatmrneaarv.sys
    2008-01-21 21:33 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-21 21:26 . 2008-01-21 21:26 d-------- C:\WINDOWS\system32\ActiveScan
    2008-01-21 21:26 . 2008-01-21 21:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-01-21 21:26 . 2008-01-21 21:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-01-21 21:26 . 2008-01-21 21:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-01-21 21:18 . 2008-01-21 21:19 d-------- C:\WINDOWS\system32\nGpxx01
    2008-01-21 21:18 . 2008-01-21 21:19 d-------- C:\Temp\cXzz9
    2008-01-21 21:18 . 2008-01-21 21:19 d-------- C:\Temp
    2008-01-21 17:06 . 2006-07-12 01:20 139,264 -ra------ C:\WINDOWS\system32\JMRaidAPI.dll
    2008-01-21 16:47 . 2008-01-21 16:47 d-------- C:\Program Files\Common Files\Maxtor
    2008-01-21 16:47 . 2008-01-21 16:47 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
    2008-01-21 16:47 . 2008-01-21 16:47 120,992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
    2008-01-21 16:47 . 2008-01-21 16:47 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
    2008-01-21 16:16 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-01-21 16:15 . 2008-01-21 16:15 d-------- C:\WINDOWS\provisioning
    2008-01-21 16:15 . 2008-01-21 16:15 d-------- C:\WINDOWS\peernet
    2008-01-21 16:14 . 2008-01-21 16:14 d-------- C:\WINDOWS\ServicePackFiles
    2008-01-21 16:10 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-01-21 16:08 . 2008-01-21 16:08 d-------- C:\WINDOWS\EHome
    2008-01-21 15:36 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
    2008-01-21 15:35 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
    2008-01-21 15:35 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
    2008-01-21 15:20 . 2004-08-03 23:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
    2008-01-21 15:20 . 2004-08-03 23:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
    2008-01-21 15:20 . 2004-08-03 23:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
    2008-01-21 15:20 . 2004-08-03 23:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
    2008-01-21 15:20 . 2007-03-08 07:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
    2008-01-21 15:16 . 2004-08-03 23:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
    2008-01-21 15:12 . 2008-01-21 15:12 d--h----- C:\WINDOWS\$xpsp1hfm$
    2008-01-21 15:12 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
    2008-01-21 14:46 . 2004-08-03 21:58 23,040 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
    2008-01-21 14:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-01-21 14:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
    2008-01-21 14:45 . 2008-01-21 14:45 d-------- C:\Program Files\Logitech
    2008-01-21 14:45 . 2008-01-21 14:45 d-------- C:\Program Files\Common Files\Logitech
    2008-01-21 14:38 . 2008-01-21 14:38 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-21 13:38 . 2008-01-21 13:38 d-------- C:\WINDOWS\Sun
    2008-01-21 13:29 . 2008-01-21 13:29 d-------- C:\WINDOWS\system32\bits
    2008-01-20 19:30 . 2008-01-20 19:30 d-------- C:\Program Files\AOL Search
    2008-01-20 17:35 . 2008-01-20 17:35 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-20 17:33 . 2008-01-20 17:33 dr-h----- C:\$VAULT$.AVG
    2008-01-20 17:32 . 2008-01-20 17:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2008-01-20 17:32 . 2008-01-20 17:32 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2008-01-20 16:47 . 2004-08-03 23:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
    2008-01-20 16:47 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
    2008-01-20 16:47 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2008-01-20 16:47 . 2004-08-03 23:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
    2008-01-20 16:47 . 2004-08-03 23:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2008-01-20 16:44 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2008-01-20 16:44 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2008-01-20 16:44 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-01-20 16:44 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2008-01-20 16:44 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2008-01-20 16:44 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2008-01-20 16:44 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2008-01-20 04:50 . 2008-01-20 04:50 d-------- C:\WINDOWS\mzkk
    2008-01-20 04:50 . 2008-01-20 04:50 d-------- C:\Program Files\Common Files\mzkk
    2008-01-20 04:35 . 2008-01-20 04:35 d-------- C:\WINDOWS\system32\E6E0E4E5EBE4E
    2008-01-20 04:35 . 2007-12-14 04:40 120,832 --a------ C:\WINDOWS\system32\8B85898A90899.exe
    2008-01-20 03:39 . 2008-01-20 03:39 d--hs---- C:\WINDOWS\R3JlZ29yeSBIaWxs
    2008-01-19 03:39 . 2008-01-19 03:39 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
    2008-01-19 03:15 . 2008-01-19 03:15 d-------- C:\Program Files\Dot1XCfg
    2008-01-18 15:52 . 2008-01-18 15:52 d-------- C:\Program Files\Common Files\Adobe
    2008-01-12 01:05 . 2008-01-12 01:05 d---s---- C:\WINDOWS\system32\Microsoft
    2008-01-12 01:05 . 2008-01-12 01:05 d-------- C:\Program Files\QuickTime
    2008-01-12 01:05 . 2008-01-12 01:05 d-------- C:\Program Files\Apple Software Update
    2008-01-11 12:08 . 2008-01-11 12:08 d-------- C:\Program Files\Combined Community Codec Pack
    2008-01-10 22:39 . 2008-01-10 22:39 d-------- C:\Program Files\Viewpoint
    2008-01-10 22:39 . 2008-01-10 22:39 d-------- C:\Program Files\Common Files\AOL
    2008-01-10 22:39 . 2008-01-10 22:39 d-------- C:\Program Files\AIM6
    2008-01-10 22:38 . 2008-01-22 02:22 1,398 --ah----- C:\IPH.PH
    2008-01-10 22:36 . 2008-01-10 22:36 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
    2008-01-10 21:51 . 2008-01-10 21:51 d-------- C:\Program Files\Winamp Remote
    2008-01-10 21:51 . 2008-01-21 16:33 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-01-10 21:46 . 2008-01-10 21:46 d-------- C:\Program Files\Java
    2008-01-10 21:46 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-10 21:45 . 2008-01-10 21:45 d-------- C:\Program Files\Common Files\Java
    2008-01-10 21:41 . 2008-01-10 21:41 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-01-10 16:26 . 2008-01-10 16:26 25 --a------ C:\WINDOWS\mixerdef.ini
    2008-01-10 16:24 . 2006-06-14 00:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 23:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-10 23:47 --------- d-----w C:\Program Files\NVIDIA Corporation
    2008-01-10 23:37 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-01-10 23:32 --------- d--h--w C:\Program Files\Uninstall Information
    2008-01-10 23:27 --------- d-----w C:\Program Files\microsoft frontpage
    2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-31 13:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-23_ 0.13.26.65 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-23 08:09:02 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-24 00:32:42 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-23 08:09:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-24 00:32:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-23 08:09:02 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-24 00:32:42 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-23 08:09:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-24 00:32:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-23 08:09:02 1,486,848 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-24 00:32:42 1,646,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-23 08:09:04 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-24 00:32:42 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2007-03-06 01:22:42 213,216 ------w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
    + 2007-08-14 02:54:10 765,952 ------w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
    - 2007-08-14 02:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
    + 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
    2008-01-03 08:27 111968 --a------ C:\Program Files\AOL Search\AOLSearch.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [ ]
    "Aim6"="" []
    "DAEMON Tools Lite"="H:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 08:51 486856]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [ ]
    "AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 17:32 219136]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    H:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 H:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkjhg]
    pmnkjhg.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
    S3 PciCon;PciCon;I:\PciCon.sys []

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-21 18:18:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-24 16:29:33
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-24 16:29:46
    ComboFix-quarantined-files.txt 2008-01-25 00:29:46
    .
    2008-01-23 11:00:30 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:31:45 PM, on 1/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    F:\Winamp\winampa.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\8B85898A90899.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    H:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    H:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    F:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200950970686
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmnkjhg - pmnkjhg.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7469 bytes
