Free PC Performance Scan

Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Noticeboard
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » Hijacked?

[Fixed] Hijackthis! Logs - Hijacked? posted in the Security & Safety forums; Hi, My internet browser recently started opening up the page 'scanner.vav-xscanner.com'. Hoping to get some advice on how to clear this up. My log: Logfile of Trend Micro HijackThis v2.0.0 ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
  #1  
Old 06-29-2008
Bronze Member
My PC
 
Join Date: Jun 2008
Posts: 3
PC Experience: Experienced
zito48 - See this Members User comments on their Profile page
Unhappy Hijacked?
Hi,

My internet browser recently started opening up the page 'scanner.vav-xscanner.com'. Hoping to get some advice on how to clear this up.

My log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:26:04 AM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sistray.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
O2 - BHO: (no name) - {130AADC3-47E0-4A65-BA97-0ACB1B12ACB5} - C:\WINDOWS\system32\opnmJYRI.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\tuvSlklM.dll
O2 - BHO: (no name) - {D01B8AF3-932C-4E2D-8491-1943AC64027E} - C:\WINDOWS\system32\urqOFvwX.dll
O2 - BHO: (no name) - {F566BC4E-21DE-7E21-FB4F-7AA2E79B43B0} - C:\WINDOWS\system32\tcm.dll (file missing)
O2 - BHO: {5d82b282-e1eb-2289-1ec4-1dbf50ea306f} - {f603ae05-fbd1-4ce1-9822-be1e282b28d5} - C:\WINDOWS\system32\fkzldh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [e0156602] rundll32.exe "C:\WINDOWS\system32\vmpfyibv.dll",b
O4 - HKLM\..\Run: [BMe326559e] Rundll32.exe "C:\WINDOWS\system32\gpqhfmqb.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Vfvpq] "C:\Program Files\?ecurity\m?iexec.exe"
O4 - Startup: HDD temperature.lnk = C:\Program Files\PalickSoft\HDD Temperature\HDDTemperature.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvSlklM - C:\WINDOWS\SYSTEM32\tuvSlklM.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7938 bytes

Thanks!
  #2  
Old 06-29-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,960
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Hijacked?
You have a lot of nasty stuff to be removed.


Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #3  
Old 06-29-2008
Bronze Member
My PC
 
Join Date: Jun 2008
Posts: 3
PC Experience: Experienced
zito48 - See this Members User comments on their Profile page
Default Re: Hijacked?
Hi again,

Followed all your instructions and here are my two log files. I really appreciated the help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:23:03 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: (no name) - {130AADC3-47E0-4A65-BA97-0ACB1B12ACB5} - C:\WINDOWS\system32\opnmJYRI.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {80ff8bff-abff-45f9-5064-68cf53a8c0ea} - {ae0c8a35-fc86-4605-9f54-ffbaffb8ff08} - C:\WINDOWS\system32\dnasnj.dll
O2 - BHO: (no name) - {D01B8AF3-932C-4E2D-8491-1943AC64027E} - C:\WINDOWS\system32\urqOFvwX.dll (file missing)
O2 - BHO: (no name) - {F566BC4E-21DE-7E21-FB4F-7AA2E79B43B0} - C:\WINDOWS\system32\tcm.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [e0156602] rundll32.exe "C:\WINDOWS\system32\apfhmqke.dll",b
O4 - HKLM\..\Run: [BMe326559e] Rundll32.exe "C:\WINDOWS\system32\kkpdvktf.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Vfvpq] "C:\Program Files\?ecurity\m?iexec.exe"
O4 - Startup: HDD temperature.lnk = C:\Program Files\PalickSoft\HDD Temperature\HDDTemperature.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8082 bytes







ComboFix 08-06-20.4 - Owner 2008-06-29 15:54:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.128 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Owner\My Documents\ASEMBL~1
C:\Program Files\Common Files\scurit~1
C:\Program Files\crosof~1.net
C:\Program Files\ecurit~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\BMe326559e.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\audfxhwf.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ekqmhfpa.ini
C:\WINDOWS\system32\IRYJmnpo.ini
C:\WINDOWS\system32\IRYJmnpo.ini2
C:\WINDOWS\system32\jcyiqunt.ini
C:\WINDOWS\system32\jjtqygvr.ini
C:\WINDOWS\system32\kvalnniw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJBQIax.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sks~1\??sks\
C:\WINDOWS\system32\thsnntri.ini
C:\WINDOWS\system32\tuvSlklM.dll
C:\WINDOWS\system32\tuxqfuqk.ini
C:\WINDOWS\system32\vbiyfpmv.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wlcdhjte.ini
C:\WINDOWS\system32\xaIQBJlm.ini
C:\WINDOWS\system32\xaIQBJlm.ini2
C:\WINDOWS\system32\xmbnbtwr.ini
C:\WINDOWS\system32\XwvFOqru.ini
C:\WINDOWS\system32\XwvFOqru.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 16:12 . 2008-06-29 16:12 0 --a------ C:\WINDOWS\BMe326559e.xml
2008-06-29 15:28 . 2008-06-29 15:28 103,424 --a------ C:\WINDOWS\system32\qbkuqgcn.dll
2008-06-29 15:28 . 2008-06-29 15:28 103,424 --a------ C:\WINDOWS\system32\dnasnj.dll
2008-06-29 15:26 . 2008-06-29 15:26 90,624 --a------ C:\WINDOWS\system32\kkpdvktf.dll
2008-06-29 15:26 . 2008-06-29 15:26 82,432 --a------ C:\WINDOWS\system32\apfhmqke.dll
2008-06-29 01:45 . 2008-06-29 01:45 103,424 --a------ C:\WINDOWS\system32\uimbvsjm.dll
2008-06-29 01:45 . 2008-06-29 01:45 103,424 --a------ C:\WINDOWS\system32\ugiaot.dll
2008-06-29 01:41 . 2008-06-29 01:41 90,624 --a------ C:\WINDOWS\system32\flafqtld.dll
2008-06-27 19:07 . 2008-06-27 19:07 102,912 --a------ C:\WINDOWS\system32\jlnjrswd.dll
2008-06-27 19:07 . 2008-06-27 19:07 102,912 --a------ C:\WINDOWS\system32\fkzldh.dll
2008-06-27 19:07 . 2008-06-27 19:07 90,112 --a------ C:\WINDOWS\system32\gpqhfmqb.dll
2008-06-27 18:11 . 2008-06-27 18:11 25,520 --a------ C:\WINDOWS\system32\efcawuUK.dll
2008-06-27 01:30 . 2008-06-27 01:30 25,520 --a------ C:\WINDOWS\system32\iiffCVnm.dll
2008-06-27 01:20 . 2008-06-27 01:20 91,136 --a------ C:\WINDOWS\system32\axjvusnb.dll
2008-06-27 01:13 . 2008-06-27 01:13 <DIR> d-------- C:\WINDOWS\system32\modtrux01
2008-06-27 01:13 . 2008-06-27 01:14 <DIR> d-------- C:\Temp\syschk3
2008-06-14 17:15 . 2008-06-14 17:15 <DIR> d-------- C:\Program Files\iTunes
2008-06-14 17:15 . 2008-06-14 17:15 <DIR> d-------- C:\Program Files\iPod
2008-06-14 17:12 . 2008-06-14 17:13 <DIR> d-------- C:\Program Files\QuickTime
2008-06-12 09:23 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 09:23 . 2008-06-13 09:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-06-29 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 01:54 --------- d-----w C:\Program Files\Vstplugins
2008-05-11 01:51 --------- d-----w C:\Program Files\Image-Line
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 04:10 --------- d-----w C:\Program Files\Azureus
2008-03-08 18:31 55,160 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-10-16 21:42 66 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-10-14 18:31 745 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{130AADC3-47E0-4A65-BA97-0ACB1B12ACB5}]
C:\WINDOWS\system32\opnmJYRI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ae0c8a35-fc86-4605-9f54-ffbaffb8ff08}]
2008-06-29 15:28 103424 --a------ C:\WINDOWS\system32\dnasnj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D01B8AF3-932C-4E2D-8491-1943AC64027E}]
C:\WINDOWS\system32\urqOFvwX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F566BC4E-21DE-7E21-FB4F-7AA2E79B43B0}]
C:\WINDOWS\system32\tcm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-09 02:48 1481968]
"Vfvpq"="C:\Program Files\?ecurity\m?iexec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 12:47 71328]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 04:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-09-02 23:44 249856]
"SiSPower"="SiSPower.dll" [2004-09-02 23:47 49152 C:\WINDOWS\system32\SiSPower.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 05:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 21:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 05:20 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 05:20 499712]
"XPFix"="C:\Program Files\Wireless 802.11g" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-09 02:32 100056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 15:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScI nst.exe" [2004-08-04 15:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT \TINTSETP.EXE" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TIN TSETP.EXE" [2004-08-04 15:00 455168]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"e0156602"="C:\WINDOWS\system32\apfhmqke.dll" [2008-06-29 15:26 82432]
"BMe326559e"="C:\WINDOWS\system32\kkpdvktf.dll " [2008-06-29 15:26 90624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26 29696]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-10-02 06:40:41 331776]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFH WSIS.sys [2004-09-08 21:38]
S3 AMDMSRIO;AMDMSRIO;C:\DOCUME~1\Owner\LOCALS~1\Temp\ Safe To Delete 3_0_4_8\AMDMSRIO.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 21:05:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-02-22 03:53:34 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-05-17 00:25:51 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2006-02-26 23:39:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 16:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ekqmhfpa.ini 294 bytes

scan completed successfully
hidden files: 1

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\m chInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\apfhmqke.dll
-> C:\WINDOWS\system32\kkpdvktf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVSCAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
************************************************** ************************
.
Completion time: 2008-06-29 16:16:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 20:16:16

Pre-Run: 25,437,212,672 bytes free
Post-Run: 25,414,774,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microso ft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

206 --- E O F --- 2008-06-21 14:31:43
  #4  
Old 06-30-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,960
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Hijacked?
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


O2 - BHO: (no name) - {130AADC3-47E0-4A65-BA97-0ACB1B12ACB5} - C:\WINDOWS\system32\opnmJYRI.dll (file missing)
O2 - BHO: {80ff8bff-abff-45f9-5064-68cf53a8c0ea} - {ae0c8a35-fc86-4605-9f54-ffbaffb8ff08} - C:\WINDOWS\system32\dnasnj.dll
O2 - BHO: (no name) - {D01B8AF3-932C-4E2D-8491-1943AC64027E} - C:\WINDOWS\system32\urqOFvwX.dll (file missing)
O2 - BHO: (no name) - {F566BC4E-21DE-7E21-FB4F-7AA2E79B43B0} - C:\WINDOWS\system32\tcm.dll (file missing)
O4 - HKLM\..\Run: [e0156602] rundll32.exe "C:\WINDOWS\system32\apfhmqke.dll",b
O4 - HKLM\..\Run: [BMe326559e] Rundll32.exe "C:\WINDOWS\system32\kkpdvktf.dll",s
O4 - HKCU\..\Run: [Vfvpq] "C:\Program Files\?ecurity\m?iexec.exe"


Reboot................................

============================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:


http://www.pchelpforum.com/new-hijac...tml#post274060

Collect::
C:\WINDOWS\BMe326559e.xml
C:\WINDOWS\system32\qbkuqgcn.dll
C:\WINDOWS\system32\dnasnj.dll
C:\WINDOWS\system32\kkpdvktf.dll
C:\WINDOWS\system32\apfhmqke.dll
C:\WINDOWS\system32\uimbvsjm.dll
C:\WINDOWS\system32\ugiaot.dll
C:\WINDOWS\system32\flafqtld.dll
C:\WINDOWS\system32\jlnjrswd.dll
C:\WINDOWS\system32\fkzldh.dll
C:\WINDOWS\system32\gpqhfmqb.dll
C:\WINDOWS\system32\efcawuUK.dll
C:\WINDOWS\system32\iiffCVnm.dll
C:\WINDOWS\system32\axjvusnb.dll
Folder::
C:\WINDOWS\system32\modtrux01
C:\Temp\syschk3
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{130AADC3-47E0-4A65-BA97-0ACB1B12ACB5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ae0c8a35-fc86-4605-9f54-ffbaffb8ff08}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D01B8AF3-932C-4E2D-8491-1943AC64027E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F566BC4E-21DE-7E21-FB4F-7AA2E79B43B0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Vfvpq"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"e0156602"=-
"BMe326559e"=-
Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #5  
Old 06-30-2008
Bronze Member
My PC
 
Join Date: Jun 2008
Posts: 3
PC Experience: Experienced
zito48 - See this Members User comments on their Profile page
Default Re: Hijacked?
Okay. Made the deletions with HJT, ran combofix with the text file, and submitted my log to Bleeping Computer.

Here's my new combofix log:

ComboFix 08-06-20.4 - Owner 2008-06-30 11:54:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.131 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\syschk3
C:\Temp\syschk3\tdirp5.log
C:\WINDOWS\BMe326559e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apfhmqke.dll
C:\WINDOWS\system32\axjvusnb.dll
C:\WINDOWS\system32\efcawuUK.dll
C:\WINDOWS\system32\fkzldh.dll
C:\WINDOWS\system32\flafqtld.dll
C:\WINDOWS\system32\gpqhfmqb.dll
C:\WINDOWS\system32\iiffCVnm.dll
C:\WINDOWS\system32\jlnjrswd.dll
C:\WINDOWS\system32\kkpdvktf.dll
C:\WINDOWS\system32\modtrux01
C:\WINDOWS\system32\modtrux01\modtrux011065.exe
C:\WINDOWS\system32\qbkuqgcn.dll
C:\WINDOWS\system32\ugiaot.dll
C:\WINDOWS\system32\uimbvsjm.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 16:12 . 2008-06-29 16:16 354 ---hs---- C:\WINDOWS\system32\ekqmhfpa.ini
2008-06-14 17:15 . 2008-06-14 17:15 <DIR> d-------- C:\Program Files\iTunes
2008-06-14 17:15 . 2008-06-14 17:15 <DIR> d-------- C:\Program Files\iPod
2008-06-14 17:12 . 2008-06-14 17:13 <DIR> d-------- C:\Program Files\QuickTime
2008-06-12 09:23 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 09:23 . 2008-06-13 09:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-06-29 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 01:54 --------- d-----w C:\Program Files\Vstplugins
2008-05-11 01:51 --------- d-----w C:\Program Files\Image-Line
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 04:10 --------- d-----w C:\Program Files\Azureus
2008-03-08 18:31 55,160 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-10-16 21:42 66 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-10-14 18:31 745 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-06-29_16.15.41.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 20:10:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 15:58:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-09 02:48 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 12:47 71328]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 04:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2004-09-02 23:44 249856]
"SiSPower"="SiSPower.dll" [2004-09-02 23:47 49152 C:\WINDOWS\system32\SiSPower.dll]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 05:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 21:50 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 05:20 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 05:20 499712]
"XPFix"="C:\Program Files\Wireless 802.11g" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-09 02:32 100056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 15:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScI nst.exe" [2004-08-04 15:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT \TINTSETP.EXE" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TIN TSETP.EXE" [2004-08-04 15:00 455168]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"BMe326559e"="C:\WINDOWS\system32\kkpdvktf.dll " [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26 29696]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-10-02 06:40:41 331776]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFH WSIS.sys [2004-09-08 21:38]
S3 AMDMSRIO;AMDMSRIO;C:\DOCUME~1\Owner\LOCALS~1\Temp\ Safe To Delete 3_0_4_8\AMDMSRIO.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 21:05:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-02-22 03:53:34 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-05-17 00:25:51 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2006-02-26 23:39:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 11:59:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [472] 0x84128610

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\m chInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVSCAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
C:\Program Files\iPod\bin\iPodService.exe
.
************************************************** ************************
.
Completion time: 2008-06-30 12:05:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 16:05:08
ComboFix2.txt 2008-06-29 20:16:36

Pre-Run: 25,390,702,592 bytes free
Post-Run: 25,375,543,296 bytes free

153 --- E O F --- 2008-06-21 14:31:43
  #6  
Old 07-01-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,960
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page