Updated HJT.

dunerider5

I ran VundoFix as you said (a while back). Now I can run it and no infected files come up. Here's the new HJT. Thanks, btw.

Logfile of HijackThis v1.99.1
Scan saved at 8:28:51 PM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Brendan\LOCALS~1\Temp\tmp3C.tmp.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Brendan\LOCALS~1\Temp\tmp24.tmp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock2.dll
O20 - AppInit_DLLs: c:\windows\system32\pmnnonn.dll
O20 - Winlogon Notify: geggghei - C:\WINDOWS\system32\geggghei.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Brendan\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: DomainService - - C:\DOCUME~1\Brendan\LOCALS~1\Temp\tmp3C.tmp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
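The entries the helpers act on in this thread all sit in four HijackThis sections: O4 (Run keys), O10 (Winsock LSP), O20 (AppInit_DLLs and Winlogon Notify) and O23 (services). As an added example, not part of the original posts, the script below parses lines of that shape and flags the indicators that make an entry suspicious here: a binary living in a Temp directory, a service whose file is already gone, a service with no vendor string, any non-default Winlogon Notify package, any AppInit_DLLs value, and an unknown LSP file (which, as the thread says later, must be repaired with LSPFix rather than "fixed" in HJT). The sample lines are constructed to mirror the log above; the triage rules are my own and not part of HijackThis.

```python
"""Triage the O4/O10/O20/O23 lines of a HijackThis log (added example)."""
import re

# Constructed sample, shaped like the O-lines in the log above so the
# checks can be read against the real posting.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\Brendan\LOCALS~1\Temp\tmp24.tmp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock2.dll
O20 - AppInit_DLLs: c:\windows\system32\pmnnonn.dll
O20 - Winlogon Notify: geggghei - C:\WINDOWS\system32\geggghei.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Brendan\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: DomainService - - C:\DOCUME~1\Brendan\LOCALS~1\Temp\tmp3C.tmp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-rooted Windows path, optionally quoted, optionally followed by
# HJT's "(file missing)" marker; the capture stops before that marker.
PATH_RE = re.compile(
    r'"?([A-Za-z]:\\[^"\r\n]+?)"?(?:\s+\(file missing\))?\s*$', re.IGNORECASE
)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, body) for every 'Onn - ...' line in a HijackThis log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return [(section, path, [reasons])] for entries that deserve a second look."""
    findings = []
    for section, body in parse_hjt(text):
        reasons = []
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else body

        # Nothing legitimate autostarts or runs as a service out of %Temp%.
        if TEMP_RE.search(path):
            reasons.append("binary lives in a Temp directory")
        # A registered service whose binary is gone is an orphan left by a
        # partial clean-up; the registry entry still needs removing.
        if body.endswith("(file missing)"):
            reasons.append("orphaned entry: registered binary no longer exists")

        if section == "O10":
            reasons.append("unknown Winsock LSP: repair with LSPFix, do not 'fix' in HJT")
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs set: DLL injected into every process loading user32.dll")
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            reasons.append("non-default Winlogon Notify package (loaded inside winlogon.exe)")
        elif section == "O23" and ("Unknown owner" in body or " - - " in body):
            reasons.append("service carries no vendor/company string")

        if reasons:
            findings.append((section, path, reasons))
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4} {path}")
        for r in reasons:
            print(f"      - {r}")
```

Against the sample, the NVIDIA and Adobe entries pass silently and six entries are flagged, which matches what the thread ends up removing: the two Temp-resident service binaries, the AppInit and Winlogon Notify DLLs, the Temp-resident Run entry and the unknown LSP.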

Looks like a lot of junk to me.
 
1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
ComboFix 07-06-21.3 - C:\Documents and Settings\Brendan\Desktop\ComboFix.exe
"Brendan" - 2007-06-22 18:22:17 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\awtstu.dll
C:\WINDOWS\awwwut.dll
C:\WINDOWS\gebyvt.dll
C:\WINDOWS\iiighi.dll
C:\WINDOWS\jkkkih.dll
C:\WINDOWS\mlklmj.dll
C:\WINDOWS\opqqnm.dll
C:\WINDOWS\pmlihi.dll
C:\WINDOWS\pmnnll.dll
C:\WINDOWS\qopmki.dll
C:\WINDOWS\tusrro.dll
C:\WINDOWS\urpmkl.dll
C:\WINDOWS\yabyyw.dll
C:\WINDOWS\utstwa.ini
C:\WINDOWS\tuwwwa.ini
C:\WINDOWS\tvybeg.ini
C:\WINDOWS\ihgiii.ini
C:\WINDOWS\hikkkj.ini
C:\WINDOWS\jmlklm.ini
C:\WINDOWS\mnqqpo.ini
C:\WINDOWS\ihilmp.ini
C:\WINDOWS\llnnmp.ini
C:\WINDOWS\ikmpoq.ini
C:\WINDOWS\orrsut.ini
C:\WINDOWS\lkmpru.ini
C:\WINDOWS\wyybay.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



Infected copy of C:\WINDOWS\system32\winlogon.exe was found & disinfected
C:\as.txt
C:\DOCUME~1\Name\LOCALS~1\APPLIC~1.\Microsoft\Internet Explorer\Filters
C:\Program Files\Common Files\{60A05~1
C:\Program Files\Common Files\{60A05~1\services.dll
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_files.cfg
C:\WINDOWS\system32\drivers\hd_proc.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\hd_self.cfg
C:\WINDOWS\system32\drivers\hflt_ipf.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\setup.exe.tmp
C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp4F.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp5A.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp79.tmp.dll
C:\WINDOWS\system32\tmp7F.tmp.dll
C:\WINDOWS\system32\tmp90.tmp.dll
C:\WINDOWS\system32ghynf.exe
C:\WINDOWS\winhp32.exe
Restored copy from - C:\WINDOWS\system32\dllcache\winlogon.exe

ws2_32.dll: deleted 21504 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_EXAMPLE
-------\LEGACY_HFLT_IPF
-------\LEGACY_MSDIRECT
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\EXAMPLE
-------\hflt_ipf
-------\msdirect
-------\NDnet1
-------\Runtime

((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))

2007-06-22 18:22 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 00:29 81,408 --a------ C:\WINDOWS\system32\TFR85.dll
2007-06-22 00:29 168,960 --a------ C:\WINDOWS\awwxvs.dll
2007-06-21 23:41 <DIR> d-------- C:\Program Files\Fire Client
2007-06-20 00:52 <DIR> d-------- C:\VundoFix Backups
2007-06-19 19:05 81,408 --a------ C:\WINDOWS\system32\TFR74.dll
2007-06-19 00:33 81,408 --a------ C:\WINDOWS\system32\TFR6B.dll
2007-06-19 00:17 81,408 --a------ C:\WINDOWS\system32\TFR68.dll
2007-06-19 00:15 81,408 --a------ C:\WINDOWS\system32\TFR66.dll
2007-06-18 00:41 81,408 --a------ C:\WINDOWS\system32\TFR43.dll
2007-06-16 13:15 81,408 --a------ C:\WINDOWS\system32\TFR27.dll
2007-06-15 21:11 81,408 --a------ C:\WINDOWS\system32\TFR12.dll
2007-06-15 01:12 81,408 --a------ C:\WINDOWS\system32\TFR22.dll
2007-06-15 00:42 168,960 --------- C:\WINDOWS\rqomlk.dll
2007-06-13 20:53 168,960 --------- C:\WINDOWS\efdaya.dll
2007-06-12 23:54 168,960 --------- C:\WINDOWS\awtutr.dll
2007-06-09 12:15 75,264 --a------ C:\WINDOWS\system32\TFR2A.dll
2007-06-09 12:15 168,960 --------- C:\WINDOWS\fcccdc.dll
2007-06-09 00:39 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-09 00:39 <DIR> d-------- C:\Program Files\zMUD
2007-06-08 10:15 75,264 --a------ C:\WINDOWS\system32\TFR39.dll
2007-06-08 10:15 168,960 --------- C:\WINDOWS\qonkhf.dll
2007-06-07 09:02 75,264 --a------ C:\WINDOWS\system32\TFR34.dll
2007-06-07 09:02 168,960 --------- C:\WINDOWS\awtqrr.dll
2007-06-05 09:44 67,072 --a------ C:\WINDOWS\system32\TFR37.dll
2007-06-03 18:01 67,072 --a------ C:\WINDOWS\system32\TFRD.dll
2007-06-03 17:50 168,960 --------- C:\WINDOWS\ddddba.dll
2007-06-02 00:05 67,072 --a------ C:\WINDOWS\system32\TFR32.dll
2007-06-02 00:04 168,960 --------- C:\WINDOWS\wvwuvu.dll
2007-06-02 00:02 67,072 --a------ C:\WINDOWS\system32\TFR30.dll
2007-06-01 08:01 991,232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-06-01 08:01 90,112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2007-06-01 08:01 589,824 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2007-06-01 08:01 458,752 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2007-06-01 08:01 4,085,904 --a------ C:\WINDOWS\system32\wmfdist.exe
2007-06-01 08:01 3,031,040 --a------ C:\WINDOWS\system32\NCTVideoTransform.dll
2007-06-01 08:01 294,912 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2007-06-01 08:01 282,624 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2007-06-01 08:01 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-06-01 08:01 2,658,304 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll
2007-06-01 08:01 2,260,992 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2007-06-01 08:01 196,608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2007-06-01 08:01 139,264 --a------ C:\WINDOWS\system32\NCTVideoPlayer.dll
2007-06-01 08:01 139,264 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2007-06-01 08:01 1,810,432 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-06-01 08:01 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-06-01 08:01 <DIR> d-------- C:\Program Files\FunnySoft
2007-06-01 02:31 87,608 --a------ C:\DOCUME~1\Name\APPLIC~1\inst.exe
2007-06-01 02:31 47,360 --a------ C:\DOCUME~1\Name\APPLIC~1\pcouffin.sys
2007-06-01 02:31 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2007-06-01 02:31 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2007-06-01 02:31 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2007-06-01 02:31 <DIR> d-------- C:\DOCUME~1\Name\APPLIC~1\Vso
2007-06-01 02:30 <DIR> d-------- C:\Program Files\VSO
2007-06-01 02:28 <DIR> d-------- C:\SDVDTemp
2007-06-01 02:25 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-06-01 02:25 <DIR> d-------- C:\Program Files\Super DVD Creator 8.0
2007-05-31 23:45 67,072 --a------ C:\WINDOWS\system32\TFR23.dll
2007-05-31 23:39 168,960 --------- C:\WINDOWS\hgdbxx.dll
2007-05-31 23:20 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-31 23:20 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-31 23:20 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-31 23:20 5,376 --a------ C:\WINDOWS\system32\MSPCLOCK.sys
2007-05-31 23:20 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-31 23:20 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-31 23:20 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-31 23:20 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-31 23:20 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-31 23:19 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2007-05-31 23:19 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2007-05-31 23:19 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2007-05-31 23:19 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2007-05-31 23:19 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2007-05-31 23:19 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2007-05-31 23:19 <DIR> d-------- C:\Drivers
2007-05-30 23:30 67,072 --a------ C:\WINDOWS\system32\TFRE8.dll
2007-05-30 23:30 168,960 --------- C:\WINDOWS\rqppqp.dll
2007-05-30 17:42 67,072 --a------ C:\WINDOWS\system32\TFRD5.dll
2007-05-29 23:34 67,072 --a------ C:\WINDOWS\system32\TFRC9.dll
2007-05-29 09:36 67,072 --a------ C:\WINDOWS\system32\TFR8E.dll
2007-05-29 00:49 67,072 --a------ C:\WINDOWS\system32\TFR8A.dll
2007-05-28 01:36 65,024 --a------ C:\WINDOWS\system32\TFR2E.dll
2007-05-26 20:45 67,072 --a------ C:\WINDOWS\system32\TFRB.dll
2007-05-26 20:45 65,024 --a------ C:\WINDOWS\system32\TFRA.dll
2007-05-26 01:40 65,024 --a------ C:\WINDOWS\system32\TFR132.dll
2007-05-26 01:40 168,960 --------- C:\WINDOWS\rqromj.dll
2007-05-23 22:26 65,024 --a------ C:\WINDOWS\system32\TFR87.dll
2007-05-23 22:26 168,960 --------- C:\WINDOWS\gedbxv.dll
2007-05-22 23:25 65,024 --a------ C:\WINDOWS\system32\TFR42.dll
2007-05-22 23:25 168,960 --------- C:\WINDOWS\ddbxwv.dll
2007-05-22 23:13 65,024 --a------ C:\WINDOWS\system32\TFR40.dll
2007-05-22 23:13 168,960 --------- C:\WINDOWS\jkhiij.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-15 07:42:44 81,408 ----a-w C:\WINDOWS\system32\TFR1E.dll
2007-06-05 06:58:33 67,072 ----a-w C:\WINDOWS\system32\TFR2C.dll
2007-06-01 06:19:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-28 08:37:00 67,072 ----a-w C:\WINDOWS\system32\TFR2F.dll
2007-05-22 06:47:32 168,960 ------w C:\WINDOWS\cbyywx.dll
2007-05-21 16:20:58 168,960 ------w C:\WINDOWS\nnmnmn.dll
2007-05-21 16:20:57 65,024 ----a-w C:\WINDOWS\system32\TFR8.dll
2007-05-19 21:59:02 -------- d-----w C:\Program Files\DVD Shrink
2007-05-19 21:55:00 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-18 20:06:13 65,024 ----a-w C:\WINDOWS\system32\TFR7.dll
2007-05-18 20:05:59 168,960 ------w C:\WINDOWS\hggdba.dll
2007-05-17 15:40:55 65,024 ----a-w C:\WINDOWS\system32\TFR3.dll
2007-05-17 15:40:50 168,960 ------w C:\WINDOWS\opqnkh.dll
2007-05-15 15:14:16 168,960 ----a-w C:\WINDOWS\jkhfee.dll
2007-05-15 06:15:27 82,944 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-05-05 16:34:43 65,536 ----a-w C:\WINDOWS\system32\TFR50.dll
2007-05-05 08:50:12 65,536 ----a-w C:\WINDOWS\system32\TFR4D.dll
2007-05-04 06:54:59 65,536 ----a-w C:\WINDOWS\system32\TFR21.dll
2007-05-02 21:19:09 65,536 ----a-w C:\WINDOWS\system32\TFR113.dll
2007-05-02 21:14:14 65,536 ----a-w C:\WINDOWS\system32\TFR112.dll
2007-05-02 18:54:16 65,536 ----a-w C:\WINDOWS\system32\TFR10E.dll
2007-05-02 11:55:43 65,536 ----a-w C:\WINDOWS\system32\TFR109.dll
2007-05-02 06:38:32 65,536 ----a-w C:\WINDOWS\system32\TFR108.dll
2007-05-02 06:32:41 65,536 ----a-w C:\WINDOWS\system32\TFR107.dll
2007-05-02 06:29:19 65,536 ----a-w C:\WINDOWS\system32\TFR106.dll
2007-05-01 18:12:01 65,536 ----a-w C:\WINDOWS\system32\TFRF5.dll
2007-05-01 10:32:16 65,536 ----a-w C:\WINDOWS\system32\TFRF4.dll
2007-05-01 02:05:52 65,536 ----a-w C:\WINDOWS\system32\TFRDF.dll
2007-05-01 01:36:44 65,536 ----a-w C:\WINDOWS\system32\TFRDE.dll
2007-04-30 10:50:01 65,536 ----a-w C:\WINDOWS\system32\TFRD9.dll
2007-04-29 23:05:59 65,536 ----a-w C:\WINDOWS\system32\TFRCE.dll
2007-04-29 20:20:59 65,536 ----a-w C:\WINDOWS\system32\TFRC0.dll
2007-04-29 01:58:01 65,536 ----a-w C:\WINDOWS\system32\TFR9D.dll
2007-04-28 08:37:45 65,536 ----a-w C:\WINDOWS\system32\TFR46.dll
2007-04-28 07:49:19 65,536 ----a-w C:\WINDOWS\system32\TFR2B.dll
2007-04-27 13:57:47 65,536 ----a-w C:\WINDOWS\system32\TFR99.dll
2007-04-27 10:53:54 65,536 ----a-w C:\WINDOWS\system32\TFR98.dll
2007-04-26 17:42:01 65,536 ----a-w C:\WINDOWS\system32\TFR82.dll
2007-04-26 16:56:02 65,536 ----a-w C:\WINDOWS\system32\TFR81.dll
2007-04-25 15:21:17 65,536 ----a-w C:\WINDOWS\system32\TFR5C.dll
2007-04-23 03:46:01 65,536 ----a-w C:\WINDOWS\system32\TFR19.dll
2007-04-22 18:56:55 168,448 ------w C:\WINDOWS\yaaxyx.dll
2007-04-21 17:29:06 65,536 ----a-w C:\WINDOWS\system32\TFR6F.dll
2007-04-21 17:29:01 168,448 ------w C:\WINDOWS\opqnlk.dll
2007-04-20 06:09:50 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-04-19 04:40:14 168,448 ----a-w C:\WINDOWS\wvtsqp.dll
2007-04-19 03:24:46 65,536 ----a-w C:\WINDOWS\system32\TFR5.dll
2007-04-17 06:32:01 56 ----a-w C:\WINDOWS\system32\geggghei.cmd
2007-04-16 15:07:17 64,512 ----a-w C:\WINDOWS\system32\TFRFF.dll
2007-04-16 11:01:47 64,512 ----a-w C:\WINDOWS\system32\TFRFA.dll
2007-04-15 13:23:39 64,512 ----a-w C:\WINDOWS\system32\TFR35.dll
2007-04-15 09:13:00 64,512 ----a-w C:\WINDOWS\system32\TFR33.dll
2007-04-14 21:48:22 64,512 ----a-w C:\WINDOWS\system32\TFR13.dll
2007-04-10 06:25:24 1,046 ----a-w C:\WINDOWS\system32\mxhpnaxh.exe
2007-04-10 06:25:21 1,046 ----a-w C:\WINDOWS\system32\pxdjcrta.exe
2007-04-10 06:25:14 1,046 ----a-w C:\WINDOWS\system32\pqybxeue.exe
2007-04-10 06:25:10 1,046 ----a-w C:\WINDOWS\system32\axibvpjr.exe
2007-04-09 16:41:29 299,008 ----a-w C:\WINDOWS\system32\mswsock2.dll
2007-04-09 16:41:24 233,472 ----a-w C:\WINDOWS\system32\mtsdsc.exe
2007-04-09 07:08:30 2,816 ----a-w C:\WINDOWS\system32\msdirect.sys
2007-04-09 06:36:51 7,200 ----a-w C:\aqtqbaca.exe
2007-04-09 06:31:46 1,084 ----a-w C:\0xf9.exe
2007-04-09 06:04:00 151,040 ----a-w C:\WINDOWS\system32\geggghei.dll
2007-04-02 01:41:47 1,046 ----a-w C:\WINDOWS\system32\phhkufvf.exe
2007-03-30 17:29:12 7,680 ----a-w C:\WINDOWS\system32\apap1.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DriverLoad"=
"DriverCheck"=
"SystemDriverLoad"=
"SystemDriver"=
"FDriver"=
"ADriver"=
"CDriver"=
"DDriver"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"DriverCheck"=
"Winhost"=
"Winhost2"=
"Winhost4"=
"SystemDriver"=
"FDriver"=
"CDriver"=
"alpha"=c:\DriverLoad\windrv0.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\polociro.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Program Files\Common Files\meje.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geggghei]
C:\WINDOWS\system32\geggghei.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\pmnnonn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nTrayFw"=C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
"nwiz"=nwiz.exe /install
"PathNvidiaTV"=C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
"SoundMan"=SOUNDMAN.EXE

Contents of the 'Scheduled Tasks' folder
2007-06-09 00:21:06 C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 18:25:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-22 18:26:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-22 18:26
 
I just read that other thread you mentioned; you never replied. First off, get yourself an antivirus and a firewall; you'll keep getting this crap if you don't. Then run SDFix.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
SDFix: Version 1.89

Run by Name on Thu 07/05/2007 at 12:31 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
dnlsvc

ImagePath:
"C:\DOCUME~1\Name\LOCALS~1\Temp\dnlsvc.exe"

dnlsvc - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\AQTQBACA.EXE - Deleted
C:\162112~1 - Deleted
C:\WINDOWS\system32\msdirect.sys - Deleted
C:\DOCUME~1\Name\LOCALS~1\Temp\tmp3C.tmp.exe - Deleted


Folder C:\DriverLoad - Removed

Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\DOCUME~1\\Name\\LOCALS~1\\Temp\\tmp3C.tmp.exe"="C:\\DOCUME~1\\Name\\LOCALS~1\\Te"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Name\Desktop\New Folder\MSDE2000\SQLRESLD.DLL
C:\Documents and Settings\Name\Shared\MSDE2000\SQLRESLD.DLL
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

=========================================

Logfile of HijackThis v1.99.1
Scan saved at 12:35:49 AM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock2.dll
O20 - AppInit_DLLs: c:\windows\system32\pmnnonn.dll
O20 - Winlogon Notify: geggghei - C:\WINDOWS\system32\geggghei.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DomainService - Unknown owner - C:\DOCUME~1\Name\LOCALS~1\Temp\tmp3C.tmp.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
 
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock2.dll

Kind Check your hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.
I got this when I analysed your log; you may want to check it out. Analyze your logs here.
 
It shouldn't be fixed with HijackThis; use LSPFix and delete the file.

Then run Vundofix again.

Right click the list box (white box) in the main VundoFix window.
Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
In the window, copy and paste the following into the first field: c:\windows\system32\pmnnonn.dll
Copy and paste the following into the second field: c:\windows\system32\nnonnmp.*
Click the “Add Files” button.

Do the same for these files.
C:\WINDOWS\system32\geggghei.dll
C:\WINDOWS\system32\iehgggeg.*

Click the "Close Window" button.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Hit Start > Run, type services.msc.
Scroll down until you find the service DomainService, and double-click on it.
Hit "Stop" and change the "Startup Type" to "Disabled".
Hit "Apply", then "Ok".

Run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type DomainService and press OK. OK any prompts, close HijackThis, and restart your computer.

Then post the contents of C:\vundofix.txt and a new HiJackThis log.
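The second VundoFix field in the instructions above is not arbitrary: nnonnmp is pmnnonn spelled backwards, and iehgggeg is geggghei backwards. The same trick shows in the ComboFix V Log earlier in the thread, where each of the thirteen random-looking DLLs under C:\WINDOWS (awtstu.dll, awwwut.dll, ...) has an .ini companion with the mirrored name (utstwa.ini, tuwwwa.ini, ...). As an added example, not part of the original posts or of VundoFix, the code below derives the companion pattern from a DLL name, pairs up mirrored names in a directory listing, and builds the two VundoFix fields from a DLL path. The sample name list is constructed from the V Log plus a few legitimate files that must not pair; the function names are my own.

```python
"""Find Vundo's mirrored-name companion files (added example)."""
import ntpath
import os
from typing import Iterable, List, Tuple

# Constructed sample: the names ComboFix listed in the V Log above, plus
# three legitimate system files that must not be paired with anything.
SAMPLE_NAMES = [
    "awtstu.dll", "awwwut.dll", "gebyvt.dll", "iiighi.dll", "jkkkih.dll",
    "mlklmj.dll", "opqqnm.dll", "pmlihi.dll", "pmnnll.dll", "qopmki.dll",
    "tusrro.dll", "urpmkl.dll", "yabyyw.dll",
    "utstwa.ini", "tuwwwa.ini", "tvybeg.ini", "ihgiii.ini", "hikkkj.ini",
    "jmlklm.ini", "mnqqpo.ini", "ihilmp.ini", "llnnmp.ini", "ikmpoq.ini",
    "orrsut.ini", "lkmpru.ini", "wyybay.ini",
    "kernel32.dll", "ws2_32.dll", "mswsock.dll",
]


def companion_pattern(dll_name: str) -> str:
    """Mirror the stem: 'pmnnonn.dll' -> 'nnonnmp.*' (any extension)."""
    stem = ntpath.splitext(ntpath.basename(dll_name))[0]
    return stem[::-1] + ".*"


def find_mirrored_pairs(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair every .dll with any file whose stem is the DLL stem reversed."""
    names = list(names)
    by_stem = {}
    for n in names:
        by_stem.setdefault(ntpath.splitext(n)[0].lower(), []).append(n)

    pairs = []
    for n in names:
        if not n.lower().endswith(".dll"):
            continue
        stem = ntpath.splitext(n)[0].lower()
        mirror = stem[::-1]
        if mirror == stem:
            continue  # a palindromic stem would only ever match itself
        for companion in by_stem.get(mirror, []):
            pairs.append((n, companion))
    return pairs


def vundofix_fields(dll_path: str) -> Tuple[str, str]:
    """The two VundoFix 'Add More Files?' fields for a DLL path."""
    folder, name = ntpath.split(dll_path)
    return dll_path, ntpath.join(folder, companion_pattern(name))


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Run the pairing over a real directory, e.g. r'C:\\WINDOWS' on the box."""
    return find_mirrored_pairs(os.listdir(path))


if __name__ == "__main__":
    for dll, companion in find_mirrored_pairs(SAMPLE_NAMES):
        print(f"{dll:<14} <-> {companion}")
    print(vundofix_fields(r"c:\windows\system32\pmnnonn.dll"))
    print(vundofix_fields(r"C:\WINDOWS\system32\geggghei.dll"))
```

Pairing by mirrored stem rather than by size or date is what lets a cleaner catch the companion even after the DLL itself has been deleted: the .ini or .bak half left behind is what gets the DLL re-created on the next boot, which is why the helper asks for both fields.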
 