DaniWeb IT Discussion Community

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)
-   Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)
-   -   I seem to have a bunch of infections...arghhh (http://www.daniweb.com/forums/thread103855.html)

Garet-Jax Jan 7th, 2008 4:57 pm
I seem to have a bunch of infections...arghhh
 
Hi Everyone

I seem to have acquired an infection which:

- Has stopped me accessing Control Panel, I cant even find it.
- Keeps popping up windows all the time.
- When I boot the PC it says I have c:/windows/system/shell.exe missing...can I replace this?

Trend Micro Housecall said I have troj_renos, pa_trat, pa_resoucer and generic_vs.

Please help me to get rid of these as Spybot and Adaware hasnt. I dont know what to do now.

PS> I was given this laptop by work so I dont have the original Windows set up discs.

Thanks for any help anyone can give me!
Garet

-------------------------------------------------

Here's an Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53, on 2008-01-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
C:\WINDOWS\lsass .exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher .exe
C:\Program Files\TalkTalk\bin\sprtcmd .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gary\Application Data\antivirus.exe
C:\Documents and Settings\gary\Desktop\HiJackThis.exe
C:\Documents and Settings\gary\Application Data\trant.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/u...en/default.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\byvts.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [EasySpywareCleaner] C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: findfast .exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanne...erAX_Win32.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1183055250346
O16 - DPF: {7CD7C63F-A958-4E85-B21B-5157234F9BD8} (KWClient Control) - http://192.168.0.250/kwclient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prime-medica.com
O17 - HKLM\Software\..\Telephony: DomainName = prime-medica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prime-medica.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = prime-medica.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 9214 bytes

crunchie Jan 8th, 2008 4:53 am
Re: I seem to have a bunch of infections...arghhh
 
I hope you are going to respond this time :)? http://www.daniweb.com/forums/thread8806.html

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Garet-Jax Jan 8th, 2008 5:32 am
Re: I seem to have a bunch of infections...arghhh
 
Thanks Crunchie, I'm sorry I didnt reply to your post in 2004. Unfortunately that machine at the time 'died' and I didnt get another new PC for a while.

Thank you for answering my post - here are the new logs: 1. Combofix log 2. HJT log.

Cheers
Garet

---------------------------------------------------------------------------------------------------

ComboFix 08-01-07.5 - gary 2008-01-08 9:10:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703 [GMT 0:00]
Running from: C:\Documents and Settings\gary\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\gary\Application Data\printer.exe
C:\Documents and Settings\gary\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\gary\Desktop\Free Online Dating.lnk
C:\Documents and Settings\gary\Desktop\Go to Casino.lnk
C:\Documents and Settings\gary\Start Menu\Programs\Outerinfo
C:\Documents and Settings\gary\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\gary\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\gary\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\Helper
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\Outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\spoolsv.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mgrs.exe
C:\WINDOWS\msettings.ini
C:\WINDOWS\shell.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drvvecr.dll
C:\WINDOWS\system32\ghogthsx.dll
C:\WINDOWS\system32\hgmowqqt.exe
C:\WINDOWS\SYSTEM32\mmpoq.ini
C:\WINDOWS\SYSTEM32\mmpoq.ini2
C:\WINDOWS\system32\opnmmkj.dll
C:\WINDOWS\SYSTEM32\printer .exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\qopmm.dll
C:\WINDOWS\system32\qopmm.exe
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\SYSTEM32\spoolvs .exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\urqrsrp.dll
C:\WINDOWS\system32\uugonvhd.dll
C:\WINDOWS\system32\windrw32.dll
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\SYSTEM32\xshtgohg.ini
C:\WINDOWS\SYSTEM32\xshtgohg.ini2
C:\WINDOWS\SYSTEM32\xshtgohg.tmp
C:\WINDOWS\TEMP\win36.exe
C:\windows\xpupdate.exe

 <pre>

C:\WINDOWS\SYSTEM32\printer .exe ---> QooBox

C:\WINDOWS\SYSTEM32\spoolvs .exe ---> QooBox

</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-08 08:58 . 2008-01-08 08:58 104,448 --a------ C:\WINDOWS\SYSTEM32\drvvec.dll
2008-01-08 01:52 . 2008-01-08 01:53 208 --a------ C:\WINDOWS\wininit.ini
2008-01-07 21:57 . 2008-01-07 21:57 <DIR> d-------- C:\Documents and Settings\gary\Application Data\Grisoft
2008-01-07 21:57 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-07 21:56 . 2008-01-07 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 20:49 . 2008-01-07 20:49 <DIR> d-------- C:\Documents and Settings\gary\Application Data\EasySpywareCleaner.com
2008-01-07 20:48 . 2008-01-07 21:20 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-06 22:17 . 2008-01-07 19:32 36,864 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2008-01-06 21:07 . 2008-01-07 21:23 319 --ahs---- C:\WINDOWS\SYSTEM32\stvyb.ini
2008-01-06 21:03 . 2008-01-06 21:03 0 --a------ C:\Install
2008-01-06 21:01 . 2007-12-25 08:12 7,680 --a------ C:\Documents and Settings\gary\keygen.exe
2008-01-06 21:01 . 2007-07-16 15:53 48 --a------ C:\Documents and Settings\gary\readme.bat
2008-01-06 20:44 . 2008-01-06 20:44 <DIR> d-------- C:\Program Files\Cloudbrain
2008-01-06 20:06 . 2008-01-06 20:07 <DIR> d-------- C:\Program Files\MusicBrainz Tagger
2008-01-06 18:32 . 2008-01-07 21:21 <DIR> d-------- C:\Program Files\The GodFather
2008-01-06 18:04 . 2008-01-06 18:28 <DIR> d-------- C:\Documents and Settings\gary\Application Data\TagTuner
2008-01-06 18:04 . 2008-01-06 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-06 18:04 . 2008-01-06 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TagTuner
2007-12-18 21:26 . 2007-12-18 21:26 <DIR> d-------- C:\Documents and Settings\gary\Application Data\Roxio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 09:22 --------- d-----w C:\Program Files\QuickTime
2008-01-07 22:00 --------- d-----w C:\Program Files\iTunes
2008-01-07 19:32 --------- d-----w C:\Program Files\NavNT
2008-01-07 19:32 --------- d-----w C:\Program Files\Apoint
2008-01-06 22:38 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-01-06 22:38 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-12-05 23:36 --------- d-----w C:\Program Files\iPod
2007-12-05 23:32 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-05 23:32 --------- d-----w C:\Program Files\Apple Software Update
2007-12-05 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-20 20:51 --------- d-----w C:\Documents and Settings\gary\Application Data\AdobeUM
2007-11-20 20:46 --------- d-----w C:\Documents and Settings\gary\Application Data\ACD Systems
2007-11-20 20:42 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-11-20 20:42 --------- d-----w C:\Program Files\ACD Systems
2007-11-20 20:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-20 20:41 9,856 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2004-05-20 12:29 15,364 ---ha-w C:\Program Files\.DS_Store
2005-06-02 16:17 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-07-31 20:10 16,384 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
2007-07-31 20:10 16,384 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
2007-07-31 20:10 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
<pre>

----a-w            57,344 2008-01-07 19:32:52  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe

----a-w           159,744 2008-01-07 19:32:35  C:\Program Files\Apoint\Apoint .exe

----a-w           180,269 2008-01-07 19:32:46  C:\Program Files\Common Files\Real\Update_OB\realsched .exe

----a-w            68,856 2008-01-07 19:32:59  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe

----a-w            94,208 2008-01-07 19:32:48  C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe

----a-w           267,048 2008-01-07 19:32:59  C:\Program Files\iTunes\iTunesHelper .exe

----a-w            49,263 2008-01-07 19:32:46  C:\Program Files\Java\jre1.5.0_08\bin\jusched .exe

----a-w            81,920 2008-01-07 19:32:46  C:\Program Files\NavNT\vptray .exe

----a-w         1,449,984 2008-01-07 19:33:01  C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 .exe

----a-w         2,658,304 2008-01-07 19:32:53  C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher .exe

----a-w           684,032 2008-01-07 19:32:48  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe

----a-w           192,512 2008-01-07 19:32:59  C:\Program Files\TalkTalk\bin\sprtcmd .exe

----a-w            36,864 2008-01-07 19:32:42  C:\WINDOWS\SYSTEM32\DSentry .exe

</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-01-12 12:55 3067904]
"nwiz"="nwiz.exe" [2004-10-26 12:01 921600 C:\WINDOWS\SYSTEM32\nwiz.exe]
"bascstray"="BascsTray.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"NWEReboot"="" []
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 23:56 143360]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 06:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2004-02-19 17:15]
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-02-14 14:03]
S3 wdm_tridwave;Trident 4DWave PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys [2000-09-02 19:04]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 10:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 09:27:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-01-08 9:29:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-08 09:28:57
ComboFix2.txt 2007-08-03 19:28:55
.
2007-12-12 10:08:32 --- E O F ---


---------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33, on 2008-01-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gary\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/u...en/default.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanne...erAX_Win32.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1183055250346
O16 - DPF: {7CD7C63F-A958-4E85-B21B-5157234F9BD8} (KWClient Control) - http://192.168.0.250/kwclient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prime-medica.com
O17 - HKLM\Software\..\Telephony: DomainName = prime-medica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prime-medica.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7082 bytes

crunchie Jan 8th, 2008 6:46 am
Re: I seem to have a bunch of infections...arghhh
 
A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote:
File::
C:\WINDOWS\SYSTEM32\drvvec.dll
C:\WINDOWS\SYSTEM32\stvyb.ini
C:\Documents and Settings\gary\keygen.exe
C:\WINDOWS\system32\ctfmona.exe

RENV::
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Apoint\Apoint .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched .exe
C:\Program Files\NavNT\vptray .exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 .exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher .exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
C:\Program Files\TalkTalk\bin\sprtcmd .exe
C:\WINDOWS\SYSTEM32\DSentry .exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://i5.photobucket.com/albums/y15...1/CFScript.gif


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Garet-Jax Jan 8th, 2008 4:29 pm
Re: I seem to have a bunch of infections...arghhh
 
Hi Crunchie

Thanks for taking the time to outline all that.
I've done the tasks, and here are the new logs.

Many thanks
Garet

---------------------------------------------------------------------------------------------------------

COMBOFIX
=======

ComboFix 08-01-07.5 - gary 2008-01-08 20:23:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.604 [GMT 0:00]
Running from: C:\Documents and Settings\gary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gary\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\gary\keygen.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\SYSTEM32\drvvec.dll
C:\WINDOWS\SYSTEM32\stvyb.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\gary\keygen.exe
C:\WINDOWS\SYSTEM32\drvvec.dll
C:\WINDOWS\SYSTEM32\stvyb.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-08 20:18 . 2008-01-08 20:18 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-08 01:52 . 2008-01-08 01:53 208 --a------ C:\WINDOWS\wininit.ini
2008-01-07 21:57 . 2008-01-07 21:57 <DIR> d-------- C:\Documents and Settings\gary\Application Data\Grisoft
2008-01-07 21:57 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-07 21:56 . 2008-01-07 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 20:49 . 2008-01-07 20:49 <DIR> d-------- C:\Documents and Settings\gary\Application Data\EasySpywareCleaner.com
2008-01-07 20:48 . 2008-01-07 21:20 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-06 22:17 . 2008-01-07 19:32 36,864 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2008-01-06 21:03 . 2008-01-06 21:03 0 --a------ C:\Install
2008-01-06 21:01 . 2007-07-16 15:53 48 --a------ C:\Documents and Settings\gary\readme.bat
2008-01-06 20:44 . 2008-01-06 20:44 <DIR> d-------- C:\Program Files\Cloudbrain
2008-01-06 20:06 . 2008-01-06 20:07 <DIR> d-------- C:\Program Files\MusicBrainz Tagger
2008-01-06 18:32 . 2008-01-07 21:21 <DIR> d-------- C:\Program Files\The GodFather
2008-01-06 18:04 . 2008-01-06 18:28 <DIR> d-------- C:\Documents and Settings\gary\Application Data\TagTuner
2008-01-06 18:04 . 2008-01-06 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-06 18:04 . 2008-01-06 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TagTuner
2007-12-18 21:26 . 2007-12-18 21:26 <DIR> d-------- C:\Documents and Settings\gary\Application Data\Roxio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 20:23 --------- d-----w C:\Program Files\NavNT
2008-01-08 20:23 --------- d-----w C:\Program Files\iTunes
2008-01-08 20:23 --------- d-----w C:\Program Files\Apoint
2008-01-08 09:22 --------- d-----w C:\Program Files\QuickTime
2008-01-06 22:38 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-01-06 22:38 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-12-05 23:36 --------- d-----w C:\Program Files\iPod
2007-12-05 23:32 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-05 23:32 --------- d-----w C:\Program Files\Apple Software Update
2007-12-05 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-20 20:51 --------- d-----w C:\Documents and Settings\gary\Application Data\AdobeUM
2007-11-20 20:46 --------- d-----w C:\Documents and Settings\gary\Application Data\ACD Systems
2007-11-20 20:42 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-11-20 20:42 --------- d-----w C:\Program Files\ACD Systems
2007-11-20 20:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-20 20:41 9,856 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2004-05-20 12:29 15,364 ---ha-w C:\Program Files\.DS_Store
2005-06-02 16:17 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-07-31 20:10 16,384 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
2007-07-31 20:10 16,384 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
2007-07-31 20:10 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-08_ 9.28.41.16 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 19:32 68856]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-01-07 19:33 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-07 19:32 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-01-12 12:55 3067904]
"nwiz"="nwiz.exe" [2004-10-26 12:01 921600 C:\WINDOWS\SYSTEM32\nwiz.exe]
"bascstray"="BascsTray.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2008-01-07 19:32 94208]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2008-01-07 19:32 81920]
"NWEReboot"="" []
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 23:56 143360]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2008-01-07 19:32 2658304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 06:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2004-02-19 17:15]
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-02-14 14:03]
S3 wdm_tridwave;Trident 4DWave PCI Audio Driver (WDM);C:\WINDOWS\system32\drivers\tridwave.sys [2000-09-02 19:04]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 10:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:25:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-01-08 20:26:28
ComboFix-quarantined-files.txt 2008-01-08 20:26:12
ComboFix2.txt 2008-01-08 09:29:07
ComboFix3.txt 2007-08-03 19:28:55
.
2007-12-12 10:08:32 --- E O F ---


HIJACKTHIS
========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30, on 2008-01-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\gary\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/u...en/default.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanne...erAX_Win32.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1183055250346
O16 - DPF: {7CD7C63F-A958-4E85-B21B-5157234F9BD8} (KWClient Control) - http://192.168.0.250/kwclient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prime-medica.com
O17 - HKLM\Software\..\Telephony: DomainName = prime-medica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prime-medica.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7079 bytes

crunchie Jan 9th, 2008 5:00 am
Re: I seem to have a bunch of infections...arghhh
 
Both logs look ok to me. How are the problems now?

Garet-Jax Jan 9th, 2008 9:18 am
Re: I seem to have a bunch of infections...arghhh
 
Hi - I dont seem to have had any problems so far today.

A massive thanks to you Crunchie, you know your stuff!!

I'll amend the thread to Solved.

Once again, thanks for your help, its much appreciated.
Garet

crunchie Jan 9th, 2008 3:42 pm
Re: I seem to have a bunch of infections...arghhh
 
You are welcome :).

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.
  1. Uncheck "Cookies" under "Internet Explorer".
  2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
  3. Close when finished.

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Garet-Jax Jan 10th, 2008 5:13 pm
Re: I seem to have a bunch of infections...arghhh
 
Many thanks for the advice Crunchie, have downloaded CCleaner & Avast which is great and also getting the firewall.

Thanks again!
Garet

crunchie Jan 11th, 2008 2:23 am
Re: I seem to have a bunch of infections...arghhh
 
You are welcome :).

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.


All times are GMT -4. The time now is 8:47 am.

Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC