HijackThis



mkms
23-11-2007, 09:44 PM
My system is very slow, and I have given the log file below for your expert instruction.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:00 PM, on 23/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\DOCUME~1\mukundh\Desktop\Magic.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\mukundh\LOCALS~1\Temp\Rar$EX04.547\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eastern-engineering.com/index.php
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: DATEwise3.lnk = C:\Program Files\BizWare Magic DATEwise\DATEwise3.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7028 bytes

Please let me know the solution for this.

bevy121
23-11-2007, 11:15 PM
OK - To start with...

Turn off System Restore - it's in there already, probably.

Can you open Task Manager?
If you can, click on this entry and end the task:

C:\WINDOWS\system32\SSCVIHOST.exe

Run HJT and fix these (nasty):

F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe

O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Are you in India?

If not, fix this too:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135

bevy121
23-11-2007, 11:45 PM
I would have thought AVG would detect that SOHANAD worm; do a scan and see if it picks it up.
I think Avira AntiVir (http://www.free-av.com/) does, so try that if AVG doesn't.


Also download and run RogueRemover, Trojan Remover and BOClean, which you'll find in Speedy Gonzales' sig here (http://forums.pcworld.co.nz/member.php?u=8532).

How are regedit and Control Panel?
Can you access those as well, or are they disabled?

mkms
24-11-2007, 12:04 AM
I tried with AVG but it did not solve the problem.

Regedit and Control Panel are working, but not Task Manager. It says Task Manager has been disabled by the administrator.

There was also a Trojan Remover alert, "Restrictive Windows Explorer Policies Found", which lists DisableTaskMgr and NoFolderOptions. Because of this, Folder Options in the Windows Explorer menu is not available.

Even after running Trojan Remover, the above is not getting cleared.

Also, while shutting down the PC, WMS Idle does not close, and every time I need to press End Now.

Please help.

Speedy Gonzales
24-11-2007, 05:30 AM
Run Trojan Remover again (and update it), then select all options under the Utilities menu.

Put HijackThis in its own folder first, then run HijackThis again.

Close browser(s).

Did you tick the entries Bevy posted?

These?

Nasty

C:\WINDOWS\system32\SSCVIHOST.exe

C:\WINDOWS\system32\SSCVIHOST.exe

F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe

Safe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Safe, but don't have to run on startup:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

If you don't use Nero Home, tick this:

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

Nasty

O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe

Safe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

Nasty

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
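
The checks bevy121 and Speedy Gonzales apply by eye above (an extra executable riding on the Winlogon Shell line, a Run entry whose label imitates Yahoo Messenger but launches a system32 file that in turn imitates svchost.exe, policy restrictions, and DNS servers the user did not choose) can be scripted. What follows is an added example written for this page, not a tool posted by anyone in the thread. It runs over a constructed excerpt of the first log; the TRUSTED_DNS allowlist (192.168.1.0/24) and the 0.8 similarity threshold are assumptions to adjust for the network at hand. The threshold is chosen so that SSCVIHOST.exe and scvshosts.exe (both deleted by SDFix later in the thread) score about 0.83 against svchost.exe, while genuine XP processes such as services.exe, spoolsv.exe, lsass.exe and smss.exe stay under 0.7.

```python
"""Triage a HijackThis v2 log for the persistence tricks seen in this thread.
Added example, not a forum member's script: SAMPLE_LOG is a constructed excerpt
of the log quoted above and TRUSTED_DNS is a placeholder allowlist."""
import difflib
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\SSCVIHOST.exe

F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
"""

# Assumption: the resolvers this network should use. Replace before real use.
TRUSTED_DNS = [ipaddress.ip_network("192.168.1.0/24")]
# What the Winlogon values shown on F2 lines should hold, and nothing else.
F2_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<name>\w+)=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - \S+?\\\.\.\\Run\w*: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - .+?, (?P<name>\w+)=(?P<value>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section the evidence came from
    severity: str  # "nasty" or "review", the thread's own vocabulary
    detail: str


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def looks_like_svchost(name, threshold=0.8):
    """Lookalike test for the one name this worm family imitates; threshold is a judgment call."""
    name = name.lower()
    if name == "svchost.exe":
        return False
    return difflib.SequenceMatcher(None, name, "svchost.exe").ratio() >= threshold


def exe_of(command):
    """First executable of a Run value, quoted or not, with arguments dropped."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else command.strip().split(" ")[0]


def triage(log_text):
    lines = [line.rstrip() for line in log_text.splitlines()]
    findings = []
    # Running processes: the block after the header, up to the first blank line.
    procs = []
    if "Running processes:" in lines:
        for line in lines[lines.index("Running processes:") + 1:]:
            if not line:
                break
            procs.append(basename(line))
    for name, count in Counter(procs).items():
        if looks_like_svchost(name):
            findings.append(Finding("process", "nasty",
                                    f"{name} imitates svchost.exe ({count} running)"))
    # F2: Winlogon Shell/UserInit carrying anything beyond the Windows default.
    hitchhikers = set()
    for line in lines:
        if m := F2_RE.match(line):
            key = m.group("name").lower()
            tokens = [t for t in re.split(r"[ ,]+", m.group("value")) if t]
            extras = {basename(t) for t in tokens} - F2_DEFAULTS.get(key, set())
            if extras:
                hitchhikers |= extras
                findings.append(Finding("F2", "nasty",
                                        f"{key} also starts {', '.join(sorted(extras))}"))
    # O4: Run entries launching a lookalike or a Shell hitch-hiker, whatever the
    # label claims (the thread's "[Yahoo Messengger]" entry).
    for line in lines:
        if m := O4_RE.match(line):
            name = basename(exe_of(m.group("cmd")))
            if name in hitchhikers or looks_like_svchost(name):
                findings.append(Finding("O4", "nasty", f"[{m.group('label')}] runs {name}"))
    # O7: policy restrictions. Malware sets these on a home PC to lock the user
    # out; a domain-managed machine may carry them legitimately.
    for line in lines:
        if m := O7_RE.match(line):
            findings.append(Finding("O7", "nasty", f"{m.group('name')}={m.group('value')}"))
    # O17: resolvers outside the allowlist (bevy121's "are you in India?" check).
    for line in lines:
        if m := O17_RE.match(line):
            for server in m.group("servers").split(","):
                ip = ipaddress.ip_address(server.strip())
                if not any(ip in net for net in TRUSTED_DNS):
                    findings.append(Finding("O17", "review", f"NameServer {ip} not in allowlist"))
    return findings
```

Call triage(text) on the contents of a real log; on the excerpt it returns six findings, four tagged nasty (the lookalike process, the Shell hitch-hiker, the Run entry and DisableRegedit) and two tagged review for the resolvers. The O7 rule flags every policy restriction because on a stand-alone home PC they are rarely set on purpose; a domain-managed machine will need that rule relaxed.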

Pancake
24-11-2007, 01:17 PM
You will need to clean this right out as it does contain other files...

C:\WINDOWS\system32\SSCVIHOST.exe


Download SDFix and save it to your desktop. http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right-click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

======================
As many are left in the registry and will need removing, run this...

This will help to identify any other files still on your system.
Please download Combofix from HERE (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) or HERE (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)


Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

mkms
27-11-2007, 11:14 PM
The report.txt file is attached below for your reference.


SDFix: Version 1.115

Run by mukundh on Tue 27/11/2007 at 04:02 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\TEST3.EXE - Deleted
C:\WINDOWS\SYSTEM32\NHATQU~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SCVSHO~1.EXE - Deleted
C:\WINDOWS\SSCVIHOST.exe - Deleted
C:\WINDOWS\system32\autorun.ini - Deleted
C:\WINDOWS\system32\blastclnnn.exe - Deleted
C:\WINDOWS\system32\scvshosts.exe - Deleted
C:\WINDOWS\system32\setting.ini - Deleted
C:\WINDOWS\system32\SSCVIHOST.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 16:06:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Spamihilator\\dccproc.exe"="C:\\Program Files\\Spamihilator\\dccproc.exe:*:Enabled:dccproc"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 5 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Wed 11 Jul 2007 20 A..H. --- "C:\Documents and Settings\mukundh\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 11 Jul 2007 4,348 A..H. --- "C:\Documents and Settings\mukundh\My Documents\My Music\License Backup\drmv1key.bak"
Thu 17 May 2007 312 A.SH. --- "C:\Documents and Settings\mukundh\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
=========================================

The HijackThis log is also given below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:57 PM, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eastern-engineering.com/index.php
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6310 bytes

Now I will try ComboFix and post it here later.

regards
mkms

Speedy Gonzales
27-11-2007, 11:37 PM
HijackThis log looks good, but tick these entries:

Close browser/s.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

These are safe, but don't have to run on startup:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

mkms
28-11-2007, 12:08 AM
Here is the latest HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:29 PM, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\mukundh\Desktop\Magic.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eastern-engineering.com/index.php
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5867 bytes
======================================

Below is the ComboFix report file:

ComboFix 07-11-19.4 - mukundh 2007-11-27 16:27:41.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.76 [GMT 5.5:30]
Running from: C:\Documents and Settings\mukundh\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 16:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-27 15:57 <DIR> d--hs---- C:\FOUND.003
2007-11-27 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-27 14:25 <DIR> d--hs---- C:\FOUND.002
2007-11-22 09:28 <DIR> dr-h----- C:\$VAULT$.AVG
2007-11-20 11:19 <DIR> d-------- C:\Program Files\BizWare Magic DATEwise
2007-11-16 17:26 <DIR> d--hs---- C:\FOUND.001
2007-11-16 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-16 16:42 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-16 16:42 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Simply Super Software
2007-11-16 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-15 09:08 <DIR> d--hs---- C:\FOUND.000
2007-11-05 11:55 38,400 --a------ C:\WINDOWS\HPLTLNK.EXE
2007-11-03 12:59 <DIR> d-------- C:\Documents and Settings\mukundh\Phone Browser
2007-11-03 12:59 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Datalayer
2007-11-03 12:55 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Nokia
2007-11-03 12:53 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\PC Suite
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Nokia
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Common Files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 10:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-26 09:46 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-26 08:08 278,528 ----a-w C:\WINDOWS\system32\livesnth.dll
2007-10-25 07:06 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-25 07:06 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Teleca
2007-10-25 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-25 07:05 --------- d-----w C:\Program Files\Sony Ericsson
2007-10-25 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-10-25 07:00 89,872 ----a-w C:\WINDOWS\system32\drivers\k750mdm.sys
2007-10-25 07:00 81,728 ----a-w C:\WINDOWS\system32\drivers\k750mgmt.sys
2007-10-25 07:00 79,488 ----a-w C:\WINDOWS\system32\drivers\k750obex.sys
2007-10-25 07:00 6,576 ----a-w C:\WINDOWS\system32\drivers\k750mdfl.sys
2007-10-25 07:00 6,144 ----a-w C:\WINDOWS\system32\drivers\k750cmnt.sys
2007-10-25 07:00 6,144 ----a-w C:\WINDOWS\system32\drivers\k750cm.sys
2007-10-25 07:00 55,216 ----a-w C:\WINDOWS\system32\drivers\k750bus.sys
2007-10-25 07:00 5,744 ----a-w C:\WINDOWS\system32\drivers\k750whnt.sys
2007-10-25 07:00 5,744 ----a-w C:\WINDOWS\system32\drivers\k750wh.sys
2007-10-22 05:21 --------- d-----w C:\Program Files\Lavasoft
2007-10-22 05:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 05:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 05:07 --------- d-----w C:\Program Files\CCleaner
2007-10-20 06:51 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Share-to-Web Upload Folder
2007-10-20 06:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-10-20 06:49 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-20 06:48 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-10-20 04:20 --------- d-----w C:\Program Files\Common Files\xing shared
2007-10-20 04:19 --------- d-----w C:\Program Files\Real
2007-10-20 04:19 --------- d-----w C:\Program Files\Google
2007-10-20 04:19 --------- d-----w C:\Program Files\Common Files\Real
2007-10-20 04:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-20 04:01 --------- d-----w C:\Documents and Settings\mukundh\Application Data\AdobeUM
2007-10-19 11:30 --------- d-----w C:\Program Files\Spamihilator
2007-10-19 11:28 1,878,120 ----a-w C:\Program Files\spamihilator_0_9_9_32.exe
2007-10-19 10:29 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Ahead
2007-10-19 10:27 --------- d-----w C:\Program Files\Nero
2007-10-19 10:27 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 10:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-19 10:22 --------- d-----w C:\Program Files\InstallShield Installation Information
2007-10-19 10:22 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Corel
2007-10-19 10:21 --------- d-----w C:\Program Files\Corel
2007-10-19 10:21 --------- d-----w C:\Program Files\Common Files\Corel
2007-10-19 10:20 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-19 10:17 --------- d-----w C:\Documents and Settings\mukundh\Application Data\AVG7
2007-10-19 10:17 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-19 10:16 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-19 10:16 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-19 10:16 --------- d-----w C:\Program Files\Mjuice Media Player
2007-10-19 10:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-19 10:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-19 10:15 --------- d-----w C:\Program Files\Winamp
2007-10-19 10:15 --------- d-----w C:\Program Files\MSN Messenger
2007-10-19 10:14 --------- d-----w C:\Program Files\Yahoo!
2007-10-19 10:06 --------- d-----w C:\Program Files\AnswerWorks 4.0
2007-10-19 10:04 --------- d-----w C:\Program Files\AutoCAD 2006
2007-10-19 10:04 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Autodesk
2007-10-19 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-10-19 10:03 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-19 10:03 --------- d-----w C:\Program Files\Autodesk
2007-10-19 09:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-19 09:05 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-15 04:49 2,852,532 ----a-w C:\Program Files\core.aawdef
2007-10-15 04:17 1,702,219 ----a-w C:\Program Files\defs.ref
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-06 15:33]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2007-09-28 13:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-25 07:34]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-10-25 07:34]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 20:16]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2007-08-17 20:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-20 09:49]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-11 13:42]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 07:34]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-10-16 12:35 114688 -ra------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-10-16 12:48 155648 -ra------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2001-05-01 02:27 10752 --a------ C:\Program Files\Winamp\Winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e69da5-8091-11dc-abec-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dcb1c32-8b66-11dc-abfd-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 09:33:08 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe

"2007-11-27 09:53:22 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 16:29:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 16:29:43
.
--- E O F ---
==============================

Dear Mr. Speedy

Please let me know how to remove the said files from startup.

reg/mkms

Speedy Gonzales
28-11-2007, 08:42 AM
What's G?

A hard drive, a removable USB hard drive, or something like a USB flash drive / iPod?

Follow my previous post. Tick the entries I posted then tick fix checked.

Pancake
28-11-2007, 09:51 AM
Make sure you have your flash drive inserted before you do this fix. There are also a few hidden nasties that need to come out.



Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:




KillAll::
File::
G:\SSCVIHOST.exe
C:\WINDOWS\system32\blastclnnn.exe
Folder::
C:\FOUND.003
C:\FOUND.002
C:\FOUND.001
C:\FOUND.000
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e69da5-8091-11dc-abec-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dcb1c32-8b66-11dc-abfd-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe




Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*

mkms
28-11-2007, 04:49 PM
Here is the ComboFix report and the HijackThis log file for your reference.

ComboFix 07-11-19.4 - mukundh 2007-11-28 9:42:57.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.101 [GMT 5.5:30]
Running from: C:\Documents and Settings\mukundh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mukundh\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\blastclnnn.exe
G:\SSCVIHOST.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.000
C:\FOUND.000\FILE0000.CHK
C:\FOUND.001
C:\FOUND.001\FILE0000.CHK
C:\FOUND.001\FILE0001.CHK
C:\FOUND.001\FILE0002.CHK
C:\FOUND.001\FILE0003.CHK
C:\FOUND.001\FILE0004.CHK
C:\FOUND.001\FILE0005.CHK
C:\FOUND.001\FILE0006.CHK
C:\FOUND.001\FILE0007.CHK
C:\FOUND.001\FILE0008.CHK
C:\FOUND.001\FILE0009.CHK
C:\FOUND.001\FILE0010.CHK
C:\FOUND.001\FILE0011.CHK
C:\FOUND.001\FILE0012.CHK
C:\FOUND.001\FILE0013.CHK
C:\FOUND.001\FILE0014.CHK
C:\FOUND.001\FILE0015.CHK
C:\FOUND.001\FILE0016.CHK
C:\FOUND.001\FILE0017.CHK
C:\FOUND.001\FILE0018.CHK
C:\FOUND.001\FILE0019.CHK
C:\FOUND.001\FILE0020.CHK
C:\FOUND.001\FILE0021.CHK
C:\FOUND.001\FILE0022.CHK
C:\FOUND.001\FILE0023.CHK
C:\FOUND.001\FILE0024.CHK
C:\FOUND.001\FILE0025.CHK
C:\FOUND.001\FILE0026.CHK
C:\FOUND.001\FILE0027.CHK
C:\FOUND.001\FILE0028.CHK
C:\FOUND.001\FILE0029.CHK
C:\FOUND.001\FILE0030.CHK
C:\FOUND.001\FILE0031.CHK
C:\FOUND.001\FILE0032.CHK
C:\FOUND.001\FILE0033.CHK
C:\FOUND.001\FILE0034.CHK
C:\FOUND.001\FILE0035.CHK
C:\FOUND.001\FILE0036.CHK
C:\FOUND.001\FILE0037.CHK
C:\FOUND.001\FILE0038.CHK
C:\FOUND.001\FILE0039.CHK
C:\FOUND.001\FILE0040.CHK
C:\FOUND.001\FILE0041.CHK
C:\FOUND.002
C:\FOUND.002\FILE0000.CHK
C:\FOUND.002\FILE0001.CHK
C:\FOUND.002\FILE0002.CHK
C:\FOUND.002\FILE0003.CHK
C:\FOUND.002\FILE0004.CHK
C:\FOUND.003
C:\FOUND.003\FILE0000.CHK
C:\FOUND.003\FILE0001.CHK
C:\FOUND.003\FILE0002.CHK
C:\FOUND.003\FILE0003.CHK
C:\FOUND.003\FILE0004.CHK
C:\FOUND.003\FILE0005.CHK
G:\SSCVIHOST.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 17:40 <DIR> d-------- C:\Program Files\FDRLab
2007-11-27 16:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-27 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 09:28 <DIR> dr-h----- C:\$VAULT$.AVG
2007-11-20 11:19 <DIR> d-------- C:\Program Files\BizWare Magic DATEwise
2007-11-16 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-16 16:42 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-16 16:42 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Simply Super Software
2007-11-16 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-05 11:55 38,400 --a------ C:\WINDOWS\HPLTLNK.EXE
2007-11-03 12:59 <DIR> d-------- C:\Documents and Settings\mukundh\Phone Browser
2007-11-03 12:59 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Datalayer
2007-11-03 12:55 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Nokia
2007-11-03 12:53 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\PC Suite
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Nokia
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Common Files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 10:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-26 09:46 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-26 08:08 278,528 ----a-w C:\WINDOWS\system32\livesnth.dll
2007-10-25 07:06 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-25 07:06 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Teleca
2007-10-25 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-25 07:05 --------- d-----w C:\Program Files\Sony Ericsson
2007-10-25 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-10-25 07:00 89,872 ----a-w C:\WINDOWS\system32\drivers\k750mdm.sys
2007-10-25 07:00 81,728 ----a-w C:\WINDOWS\system32\drivers\k750mgmt.sys
2007-10-25 07:00 79,488 ----a-w C:\WINDOWS\system32\drivers\k750obex.sys
2007-10-25 07:00 6,576 ----a-w C:\WINDOWS\system32\drivers\k750mdfl.sys
2007-10-25 07:00 6,144 ----a-w C:\WINDOWS\system32\drivers\k750cmnt.sys
2007-10-25 07:00 6,144 ----a-w C:\WINDOWS\system32\drivers\k750cm.sys
2007-10-25 07:00 55,216 ----a-w C:\WINDOWS\system32\drivers\k750bus.sys
2007-10-25 07:00 5,744 ----a-w C:\WINDOWS\system32\drivers\k750whnt.sys
2007-10-25 07:00 5,744 ----a-w C:\WINDOWS\system32\drivers\k750wh.sys
2007-10-22 05:21 --------- d-----w C:\Program Files\Lavasoft
2007-10-22 05:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-22 05:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 05:07 --------- d-----w C:\Program Files\CCleaner
2007-10-20 06:51 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Share-to-Web Upload Folder
2007-10-20 06:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-10-20 06:49 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-20 06:48 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-10-20 04:20 --------- d-----w C:\Program Files\Common Files\xing shared
2007-10-20 04:19 --------- d-----w C:\Program Files\Real
2007-10-20 04:19 --------- d-----w C:\Program Files\Google
2007-10-20 04:19 --------- d-----w C:\Program Files\Common Files\Real
2007-10-20 04:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-20 04:01 --------- d-----w C:\Documents and Settings\mukundh\Application Data\AdobeUM
2007-10-19 11:30 --------- d-----w C:\Program Files\Spamihilator
2007-10-19 11:28 1,878,120 ----a-w C:\Program Files\spamihilator_0_9_9_32.exe
2007-10-19 10:29 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Ahead
2007-10-19 10:27 --------- d-----w C:\Program Files\Nero
2007-10-19 10:27 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 10:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-19 10:22 --------- d-----w C:\Program Files\InstallShield Installation Information
2007-10-19 10:22 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Corel
2007-10-19 10:21 --------- d-----w C:\Program Files\Corel
2007-10-19 10:21 --------- d-----w C:\Program Files\Common Files\Corel
2007-10-19 10:20 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-19 10:17 --------- d-----w C:\Documents and Settings\mukundh\Application Data\AVG7
2007-10-19 10:17 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-19 10:16 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-19 10:16 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-19 10:16 --------- d-----w C:\Program Files\Mjuice Media Player
2007-10-19 10:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-19 10:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-19 10:15 --------- d-----w C:\Program Files\Winamp
2007-10-19 10:15 --------- d-----w C:\Program Files\MSN Messenger
2007-10-19 10:14 --------- d-----w C:\Program Files\Yahoo!
2007-10-19 10:06 --------- d-----w C:\Program Files\AnswerWorks 4.0
2007-10-19 10:04 --------- d-----w C:\Program Files\AutoCAD 2006
2007-10-19 10:04 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Autodesk
2007-10-19 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2007-10-19 10:03 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-19 10:03 --------- d-----w C:\Program Files\Autodesk
2007-10-19 09:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-19 09:05 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-15 04:49 2,852,532 ----a-w C:\Program Files\core.aawdef
2007-10-15 04:17 1,702,219 ----a-w C:\Program Files\defs.ref
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_16.29.17.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 05:27:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-06 15:33]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2007-09-28 13:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-25 07:34]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-10-25 07:34]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 20:16]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2007-08-17 20:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-20 09:49]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-11 13:42]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 07:34]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-10-16 12:35 114688 -ra------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-10-16 12:48 155648 -ra------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2001-05-01 02:27 10752 --a------ C:\Program Files\Winamp\Winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e69da4-8091-11dc-abec-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e69da5-8091-11dc-abec-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dcb1c32-8b66-11dc-abfd-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 09:33:08 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe

"2007-11-27 09:53:22 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 09:45:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 9:45:57
C:\ComboFix2.txt ... 2007-11-27 16:29
.
--- E O F ---

========================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:54 AM, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eastern-engineering.com/index.php
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5828 bytes

Speedy Gonzales
28-11-2007, 05:15 PM
Tick these, for the 3rd-4th time

Then tick fix checked.

Close browser/s.

We'll wait for Pancake to tell you about the ComboFix log.

These are safe.

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

Run these manually

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

Pancake
28-11-2007, 06:48 PM
OK. Although they still appear in the registry as htm they are now dead... you should be fine now...
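A way to check what the CFScript in this thread actually targeted, and whether the post-fix ComboFix log still lists it, as an added example that is not part of the thread and is not ComboFix's own code. The script parses the two sections of a ComboFix log that carried this infection's persistence: the MountPoints2 autorun handlers (Windows fills that key from a removable drive's autorun.inf when the drive is mounted, so a handler that runs a bare executable at the drive root is the signature of an autorun worm) and the scheduled-task listing (AtN.job files are created by at.exe and run as SYSTEM). The sample log text is constructed to mirror the entries shown in the thread; the regexes follow the layout ComboFix printed above and are an assumption about that format. Because the MountPoints2 key is rebuilt from autorun.inf each time the drive is mounted, a registry-only deletion holds only until the next insertion unless the drive itself has been cleaned, so comparing the pre-fix and post-fix logs, as new_since does, is the check for that.

```python
"""Audit two persistence points that a ComboFix log lists: removable-drive
autorun handlers cached under HKCU\\...\\Explorer\\MountPoints2, and the
targets of scheduled-task (.job) files.  Added example for this thread, not
ComboFix's or the forum's own code.  The log text below is constructed to
mirror the entries the thread shows; GUIDs and paths are copied from them."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ComboFix prints each MountPoints2 key, then one line per shell verb, then a
# blank line; scheduled tasks print as a quoted "<timestamp> <job path>" line
# followed by "- <target>".  Windows fills MountPoints2 from the drive's own
# autorun.inf, so the value is only as trustworthy as the drive it came from.
MP_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
MP_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")
JOB_LINE = re.compile(r'^"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (.+\.job)"$')
JOB_TARGET = re.compile(r"^- (.+)$")
# A bare executable at a drive root is the classic autorun-worm layout.
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|com|scr|bat|cmd|pif)$", re.I)
# Jobs created with at.exe are named AtN.job and run as LocalSystem.
AT_JOB = re.compile(r"\\At\d+\.job$", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str       # "autorun" or "task"
    location: str   # MountPoints2 GUID + verb, or the .job path
    command: str    # what would be executed
    reason: str     # why it is flagged ("" = informational only)


def parse_persistence(log: str) -> list[Finding]:
    """Extract every autorun handler and scheduled-task target from the log."""
    findings: list[Finding] = []
    guid = job = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            guid = None          # a blank line closes a registry key block
            continue
        if m := MP_KEY.match(line):
            guid = m.group(1)
        elif (m := MP_CMD.match(line)) and guid:
            verb, cmd = m.groups()
            why = "executable at drive root" if DRIVE_ROOT_EXE.match(cmd) else ""
            findings.append(Finding("autorun", f"{guid}\\Shell\\{verb}", cmd, why))
        elif m := JOB_LINE.match(line):
            job = m.group(1)
        elif (m := JOB_TARGET.match(line)) and job:
            why = "at.exe job, runs as SYSTEM" if AT_JOB.search(job) else ""
            findings.append(Finding("task", job, m.group(1), why))
            job = None
    return findings


def suspicious(log: str) -> list[Finding]:
    """Only the findings that carry a reason to look closer."""
    return [f for f in parse_persistence(log) if f.reason]


def new_since(before: str, after: str) -> list[Finding]:
    """Flagged entries in the post-fix log that were absent from the pre-fix log."""
    seen = set(suspicious(before))
    return [f for f in suspicious(after) if f not in seen]


# Constructed sample in ComboFix's layout, mirroring the thread's pre-fix log.
BEFORE_FIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e69da5-8091-11dc-abec-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dcb1c32-8b66-11dc-abfd-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe

Contents of the 'Scheduled Tasks' folder
"2007-11-23 09:33:08 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe

"2007-11-27 09:53:22 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
"""

# Constructed post-fix sample: the thread's second log shows the same entries
# plus a third MountPoints2 GUID pointing at the same drive-root executable.
AFTER_FIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55e69da4-8091-11dc-abec-000ae6dec701}]
\Shell\AutoRun\command - G:\SSCVIHOST.exe
\Shell\Open\command - G:\SSCVIHOST.exe
""" + BEFORE_FIX


if __name__ == "__main__":
    for f in suspicious(AFTER_FIX):
        print(f"{f.kind:8} {f.location}  ->  {f.command}  [{f.reason}]")
    print("flagged entries new since the pre-fix log:",
          len(new_since(BEFORE_FIX, AFTER_FIX)))
```

Run against a real ComboFix log by reading the file into a string and passing it to suspicious(); any autorun handler or AtN.job that is still listed after the fix means the persistence point is back, and the drive that carries the autorun.inf is the place to look next.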