I think I have a virus problem...

Droicut
Newbie Poster

#1
Dec 21st, 2007
I think it all started with an MSN virus my brother got lately... but in that process I found more things that just didn't really seem to make any sense. I downloaded AVG and it showed some files to be Trojan Backdoor.agent something. Can't really remember... (my bad...)

Searched up that string of letters and found this place and thought it might help. Here's a ComboFix and HijackThis log.

ComboFix 07-12-21.4 - NICHOLAS CHEW 2007-12-21 17:46:09.1 - NTFSx86
Running from: C:\Documents and Settings\NICHOLAS CHEW\desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\autorun.inf
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\SYSTEM32\bmehgltd.ini
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\dtlghemb.dll
C:\WINDOWS\SYSTEM32\lndpcegs.ini
C:\WINDOWS\system32\nnnmkji.dll
C:\WINDOWS\SYSTEM32\qrtwa.ini
C:\WINDOWS\SYSTEM32\qrtwa.ini2
C:\WINDOWS\system32\sgecpdnl.dll
C:\WINDOWS\system32\upbdgpmb.dll
C:\WINDOWS\SYSTEM32\vuutv.ini2
C:\WINDOWS\system32\vwtvwosy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-21 17:56 . 2007-12-21 17:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 17:56 . 2007-12-21 17:56 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-21 17:31 . 2007-12-21 17:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-12-21 15:50 . 2007-12-21 15:50 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\Application Data\Sunbelt Software
2007-12-21 03:23 . 2007-12-21 13:12 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-21 02:59 . 2007-12-21 02:59 <DIR> d-------- C:\Program Files\WIZET
2007-12-20 05:50 . 2007-12-20 06:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-20 05:49 . 2007-12-21 17:21 <DIR> d-------- C:\Program Files\Windows Live
2007-12-20 05:48 . 2007-12-21 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-20 05:40 . 2007-12-21 09:30 <DIR> d-------- C:\BackUpMSNCleaner
2007-12-20 03:41 . 2007-12-20 03:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-20 03:39 . 2007-12-20 03:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 03:39 . 2007-12-21 04:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-20 03:16 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Plasma Pong
2007-12-20 02:50 . 2007-12-21 12:59 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\Application Data\AVG7
2007-12-20 02:47 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7(2)
2007-12-20 02:21 . 2007-12-20 02:21 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\DoctorWeb
2007-12-19 21:54 . 2007-12-19 21:54 74,304 --a------ C:\WINDOWS\SYSTEM32\pwajtnmk.exe
2007-12-19 11:33 . 2007-12-19 11:33 74,304 --a------ C:\WINDOWS\SYSTEM32\mnfnwrop.exe
2007-12-18 09:53 . 2007-12-18 10:17 6,630 --ahs---- C:\WINDOWS\SYSTEM32\fhkmp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 09:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 09:29 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Skype
2007-12-20 20:29 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Azureus
2007-12-20 19:15 --------- d-----w C:\Program Files\Azureus
2007-12-19 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 15:39 729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-04 15:39 --------- d-----w C:\Program Files\Warcraft III
2007-11-21 17:11 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\mIRC
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 15:14 --------- d-----w C:\Documents and Settings\SIMON CHEW\Application Data\mIRC
2007-11-08 10:59 --------- d-----w C:\Program Files\mIRC
2007-11-03 17:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-21 13:45 --------- d-----w C:\Program Files\iTunes
2007-10-21 13:45 --------- d-----w C:\Program Files\iPod
2007-10-21 13:44 --------- d-----w C:\Program Files\QuickTime
2007-10-21 13:42 --------- d-----w C:\Program Files\Apple Software Update
2007-10-21 13:41 --------- d-----w C:\Program Files\Common Files\Apple
2007-10-21 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2006-01-21 02:00 4,234 ----a-w C:\Documents and Settings\SIMON CHEW\!versions.dat
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 02:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 16:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 02:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 03:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 01:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54 57344 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42 1404928 --a------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

S3 CEDRIVER51;CEDRIVER51;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\DBK32.sys []
S3 CEDRIVER52;CEDRIVER52;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Documents and Settings\SIMON CHEW\Desktop\Msea V0.42 hacks pack\Buffy Engine 2\nvid888.sys [2007-05-03 14:37]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\NICHOLAS CHEW\My Documents\PSP Games\moonlight engine 1105.1\moonlight engine 1105.1\IlvMoney1105.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-JEANNIE CHAR).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-07 10:30:02 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-SIMON CHEW).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-20 09:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 09:58:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 17:56:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 17:58:53 - machine was rebooted [NICHOLAS CHEW]
.
2007-12-20 19:05:22 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 6:07:35 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/.../SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

Hope there's someone who can save me. Thanks!

(Oh yes anyway, some of the files I mentioned seem to be picked up by ComboFix and deleted by CF. o.o)

crunchie
Moderator

#2
Dec 21st, 2007
Hi and welcome to Daniweb forums.

===============

Download the newest version of HiJackThis; version 2.0.2. Place it in a permanent folder before scanning. Repost your log after following the steps below. This version has features that might be more helpful in 'cleaning' up your system.

===============

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\pwajtnmk.exe
C:\WINDOWS\SYSTEM32\mnfnwrop.exe
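
Added example (not part of the original thread): a short Python triage pass over the "Files Created" section of the ComboFix log in post #1, showing one reason the two files named above stand out. The same-size grouping rule and the names `parse_created` and `same_size_executables` are assumptions of this example, not ComboFix behaviour or the helper's stated method.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Excerpt of the "Files Created" section of the ComboFix log in post #1.
SAMPLE_LOG = r"""
2007-12-21 17:56 . 2007-12-21 17:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 17:31 . 2007-12-21 17:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-12-19 21:54 . 2007-12-19 21:54 74,304 --a------ C:\WINDOWS\SYSTEM32\pwajtnmk.exe
2007-12-19 11:33 . 2007-12-19 11:33 74,304 --a------ C:\WINDOWS\SYSTEM32\mnfnwrop.exe
2007-12-18 09:53 . 2007-12-18 10:17 6,630 --ahs---- C:\WINDOWS\SYSTEM32\fhkmp.ini
"""

# created . modified size-or-<DIR> attributes path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Assumption of this example: extensions treated as executable code.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (<DIR>)
    attrs: str
    path: str


def parse_created(log: str) -> list:
    """Parse 'Files Created' lines; lines that do not match are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size_field = m.group("size")
        size = None if size_field == "<DIR>" else int(size_field.replace(",", ""))
        entries.append(Entry(m.group("created"), m.group("modified"),
                             size, m.group("attrs"), m.group("path")))
    return entries


def same_size_executables(entries: list) -> dict:
    """Group executables by (directory, size) and keep groups holding two or
    more differently named files: same payload size, different names."""
    groups = defaultdict(list)
    for e in entries:
        if not e.size:  # skip directories and zero-byte files
            continue
        directory, name = ntpath.split(e.path)  # ntpath parses Windows paths on any OS
        if ntpath.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
            continue
        groups[(directory.lower(), e.size)].append(name)
    return {
        key: sorted(names)
        for key, names in groups.items()
        if len({n.lower() for n in names}) > 1
    }


if __name__ == "__main__":
    for (directory, size), names in same_size_executables(parse_created(SAMPLE_LOG)).items():
        print(f"{directory}  {size} bytes  {', '.join(names)}")
```

A size match only marks files for a closer look, such as the multi-engine scan requested above; it is not a verdict on its own.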

Droicut
Newbie Poster

#3
Dec 21st, 2007
Here's the new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:45 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HiJackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/.../SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6609 bytes


Now the issue is... I can't upload both files to jotti to scan. Says something about me uploading 0 bytes.

I also can't attach it in hotmail. Something about zero byte as well...

crunchie
Moderator

#4
Dec 21st, 2007
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

FileLook::
C:\WINDOWS\SYSTEM32\pwajtnmk.exe
C:\WINDOWS\SYSTEM32\mnfnwrop.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://i5.photobucket.com/albums/y15...1/CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Droicut
Newbie Poster

#5
Dec 21st, 2007
ComboFix 07-12-21.4 - NICHOLAS CHEW 2007-12-21 21:27:01.2 - NTFSx86
Running from: C:\Documents and Settings\NICHOLAS CHEW\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NICHOLAS CHEW\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-21 17:31 . 2007-12-21 17:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-12-21 15:50 . 2007-12-21 15:50 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\Application Data\Sunbelt Software
2007-12-21 03:23 . 2007-12-21 13:12 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-21 02:59 . 2007-12-21 02:59 <DIR> d-------- C:\Program Files\WIZET
2007-12-20 05:50 . 2007-12-20 06:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-20 05:49 . 2007-12-21 17:21 <DIR> d-------- C:\Program Files\Windows Live
2007-12-20 05:48 . 2007-12-21 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-20 05:40 . 2007-12-21 09:30 <DIR> d-------- C:\BackUpMSNCleaner
2007-12-20 03:41 . 2007-12-20 03:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-20 03:39 . 2007-12-20 03:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 03:39 . 2007-12-21 04:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-20 03:16 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Plasma Pong
2007-12-20 02:50 . 2007-12-21 12:59 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\Application Data\AVG7
2007-12-20 02:47 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7(2)
2007-12-20 02:21 . 2007-12-20 02:21 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\DoctorWeb
2007-12-19 21:54 . 2007-12-19 21:54 74,304 --a------ C:\WINDOWS\SYSTEM32\pwajtnmk.exe
2007-12-19 11:33 . 2007-12-19 11:33 74,304 --a------ C:\WINDOWS\SYSTEM32\mnfnwrop.exe
2007-12-18 09:53 . 2007-12-18 10:17 6,630 --ahs---- C:\WINDOWS\SYSTEM32\fhkmp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 13:35 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Skype
2007-12-21 09:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 20:29 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Azureus
2007-12-20 19:15 --------- d-----w C:\Program Files\Azureus
2007-12-19 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 15:39 729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-04 15:39 --------- d-----w C:\Program Files\Warcraft III
2007-11-21 17:11 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\mIRC
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 15:14 --------- d-----w C:\Documents and Settings\SIMON CHEW\Application Data\mIRC
2007-11-08 10:59 --------- d-----w C:\Program Files\mIRC
2007-11-03 17:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 09:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 09:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-21 13:45 --------- d-----w C:\Program Files\iTunes
2007-10-21 13:45 --------- d-----w C:\Program Files\iPod
2007-10-21 13:44 --------- d-----w C:\Program Files\QuickTime
2007-10-21 13:42 --------- d-----w C:\Program Files\Apple Software Update
2007-10-21 13:41 --------- d-----w C:\Program Files\Common Files\Apple
2007-10-21 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-18 03:31 51,224 ----a-w C:\WINDOWS\SYSTEM32\sirenacm.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet(2).dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\urlmon(2).dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil(2).dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\SYSTEM32\url(2).dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2006-01-21 02:00 4,234 ----a-w C:\Documents and Settings\SIMON CHEW\!versions.dat
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 02:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 16:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 02:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 03:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 01:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54 57344 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42 1404928 --a------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

S3 CEDRIVER51;CEDRIVER51;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\DBK32.sys []
S3 CEDRIVER52;CEDRIVER52;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Documents and Settings\SIMON CHEW\Desktop\Msea V0.42 hacks pack\Buffy Engine 2\nvid888.sys [2007-05-03 14:37]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\NICHOLAS CHEW\My Documents\PSP Games\moonlight engine 1105.1\moonlight engine 1105.1\IlvMoney1105.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-JEANNIE CHAR).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-SIMON CHEW).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-20 09:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 09:58:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 21:35:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 21:37:12
C:\ComboFix2.txt ... 2007-12-21 17:58
.
2007-12-20 19:05:22 --- E O F ---

New CF log here...

EDIT: Oops, forgot the HT logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:31 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HiJackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/.../SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6607 bytes
Last edited by Droicut; Dec 21st, 2007 at 10:44 am.

Join Date: Feb 2004
Posts: 9,997
Reputation: crunchie is a splendid one to behold
Solved Threads: 756
Moderator
Featured Poster
crunchie
Spyware Killer

Re: I think I have a virus problem...

#6
Dec 21st, 2007
The Filelook:: did not seem to work. I think that maybe it will only work with one file at a time.
Can you locate the two files and get into their Properties and post back all the info on them please.

Join Date: Dec 2007
Posts: 14
Reputation: Droicut is an unknown quantity at this point
Solved Threads: 0
Droicut
Newbie Poster

Re: I think I have a virus problem...

#7
Dec 22nd, 2007
Last edited by Droicut; Dec 22nd, 2007 at 3:37 pm.

Join Date: Feb 2004
Posts: 9,997
Reputation: crunchie is a splendid one to behold
Solved Threads: 756
Moderator
Featured Poster
crunchie
Spyware Killer

Re: I think I have a virus problem...

#8
Dec 22nd, 2007
Judging by their size and date I would definitely say they are bad.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\pwajtnmk.exe
C:\WINDOWS\SYSTEM32\mnfnwrop.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://i5.photobucket.com/albums/y15...1/CFScript.gif


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
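
The "size and date" triage mentioned in the reply above, as an added example that is not part of the original post or of ComboFix: it parses the "Files Created" listing format and reports executables sitting directly in SYSTEM32 that share an identical byte size and were created within a short window of each other. The grouping rule, the 7-day window, the extension list and all function names are assumptions made here; the sample lines are copied from the ComboFix log posted earlier in this thread.

```python
import ntpath  # Windows path rules, usable on any OS
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Sample lines copied from the ComboFix "Files Created" section in this thread.
SAMPLE_LOG = r"""
2007-12-21 17:56 . 2007-12-21 17:56 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-20 03:16 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Plasma Pong
2007-12-20 02:47 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Grisoft(2)
2007-12-19 21:54 . 2007-12-19 21:54 74,304 --a------ C:\WINDOWS\SYSTEM32\pwajtnmk.exe
2007-12-19 11:33 . 2007-12-19 11:33 74,304 --a------ C:\WINDOWS\SYSTEM32\mnfnwrop.exe
2007-12-18 09:53 . 2007-12-18 10:17 6,630 --ahs---- C:\WINDOWS\SYSTEM32\fhkmp.ini
"""

Entry = namedtuple("Entry", "created modified size attrs path")
TS_FMT = "%Y-%m-%d %H:%M"

# created . modified  size-or-<DIR>  9-char attribute field  full path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[a-z-]{9}) "
    r"(?P<path>[A-Za-z]:\\.+)$"
)

# Assumption: extensions treated as "executable" for this triage.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".pif", ".com"}


def parse_listing(text):
    """Return an Entry for every line in the 'Files Created' format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, blank lines, other report sections
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(
            created=datetime.strptime(m["created"], TS_FMT),
            modified=datetime.strptime(m["modified"], TS_FMT),
            size=size,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def same_size_clusters(entries, directory=r"C:\WINDOWS\SYSTEM32",
                       window=timedelta(days=7)):
    """Group executables directly inside `directory` by byte size.

    A cluster is reported when two or more files share the exact size and
    the oldest and newest were created no more than `window` apart.
    Returns a sorted list of (size, [paths ordered by creation time]).
    """
    by_size = defaultdict(list)
    for e in entries:
        if e.size is None:
            continue  # directories carry no size
        if ntpath.dirname(e.path).lower() != directory.lower():
            continue
        if ntpath.splitext(e.path)[1].lower() not in EXEC_EXTS:
            continue
        by_size[e.size].append(e)

    clusters = []
    for size, members in by_size.items():
        members.sort(key=lambda e: e.created)
        if len(members) >= 2 and members[-1].created - members[0].created <= window:
            clusters.append((size, [m.path for m in members]))
    return sorted(clusters)


if __name__ == "__main__":
    for size, paths in same_size_clusters(parse_listing(SAMPLE_LOG)):
        print(f"{size} bytes, {len(paths)} files:")
        for p in paths:
            print("   ", p)
```

A cluster is only a lead for a closer look at each file's Properties, as requested in the thread; identical sizes alone do not prove a file is malicious.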

Join Date: Dec 2007
Posts: 14
Reputation: Droicut is an unknown quantity at this point
Solved Threads: 0
Droicut
Newbie Poster

Re: I think I have a virus problem...

#9
Dec 23rd, 2007
Here's the new CF log. I had to reboot because CF stopped and left me with only my wallpaper.

ComboFix 07-12-21.4 - NICHOLAS CHEW 2007-12-24 0:09:39.3 - NTFSx86
Running from: C:\Documents and Settings\NICHOLAS CHEW\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NICHOLAS CHEW\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\mnfnwrop.exe
C:\WINDOWS\SYSTEM32\pwajtnmk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\mnfnwrop.exe
C:\WINDOWS\SYSTEM32\pwajtnmk.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.

2007-12-24 00:21 . 2007-12-24 00:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-24 00:21 . 2007-12-24 00:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-23 03:19 . 2007-12-23 03:19 2,855 --a------ C:\WINDOWS\SYSTEM32\mnfnwrop.PIF
2007-12-23 03:10 . 2007-12-23 03:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-23 03:10 . 2007-12-23 03:19 2,855 --a------ C:\WINDOWS\SYSTEM32\pwajtnmk.PIF
2007-12-21 17:31 . 2007-12-21 17:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-12-21 16:01 . 2007-12-21 16:01 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-12-21 15:50 . 2007-12-21 15:50 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\Application Data\Sunbelt Software
2007-12-21 03:23 . 2007-12-21 13:12 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-21 02:59 . 2007-12-21 02:59 <DIR> d-------- C:\Program Files\WIZET
2007-12-20 05:50 . 2007-12-20 06:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-20 05:49 . 2007-12-21 17:21 <DIR> d-------- C:\Program Files\Windows Live
2007-12-20 05:48 . 2007-12-21 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-20 05:40 . 2007-12-21 09:30 <DIR> d-------- C:\BackUpMSNCleaner
2007-12-20 03:41 . 2007-12-20 03:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-20 03:39 . 2007-12-20 03:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 03:39 . 2007-12-21 04:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-20 03:16 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Plasma Pong
2007-12-20 02:50 . 2007-12-24 00:02 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\Application Data\AVG7
2007-12-20 02:47 . 2007-12-20 03:16 <DIR> d-------- C:\Program Files\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7(2)
2007-12-20 02:21 . 2007-12-20 02:21 <DIR> d-------- C:\Documents and Settings\NICHOLAS CHEW\DoctorWeb
2007-12-18 09:53 . 2007-12-18 10:17 6,630 --ahs---- C:\WINDOWS\SYSTEM32\fhkmp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 16:04 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Skype
2007-12-21 09:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 20:29 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Azureus
2007-12-20 19:15 --------- d-----w C:\Program Files\Azureus
2007-12-19 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 15:39 729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-04 15:39 --------- d-----w C:\Program Files\Warcraft III
2007-11-21 17:11 --------- d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\mIRC
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 15:14 --------- d-----w C:\Documents and Settings\SIMON CHEW\Application Data\mIRC
2007-11-08 10:59 --------- d-----w C:\Program Files\mIRC
2007-11-03 17:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2006-01-21 02:00 4,234 ----a-w C:\Documents and Settings\SIMON CHEW\!versions.dat
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 02:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 16:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 02:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 03:40]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 01:02 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54 57344 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42 1404928 --a------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

S3 CEDRIVER51;CEDRIVER51;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\DBK32.sys []
S3 CEDRIVER52;CEDRIVER52;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Documents and Settings\SIMON CHEW\Desktop\Msea V0.42 hacks pack\Buffy Engine 2\nvid888.sys [2007-05-03 14:37]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\NICHOLAS CHEW\My Documents\PSP Games\moonlight engine 1105.1\moonlight engine 1105.1\IlvMoney1105.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-JEANNIE CHAR).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-SIMON CHEW).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-20 09:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-23 16:23:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 00:22:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 0:25:02 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-21 21:37
C:\ComboFix3.txt ... 2007-12-21 17:58
.
2007-12-20 19:05:22 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:38 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HiJackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/.../SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6643 bytes

I bolded two files in the CF log. Doesn't look promising.
Join Date: Feb 2004
Posts: 9,997
Reputation: crunchie is a splendid one to behold
Solved Threads: 756
Moderator
Featured Poster
crunchie
Spyware Killer

Re: I think I have a virus problem...

 
0
  #10
Dec 23rd, 2007
See if you can delete those two manually. They should be no problem.
Your logs look OK. How is the PC?

Uninstall MyWebSearch from add/remove too. Almost missed it.

©2003 - 2009 DaniWeb® LLC