Virus Problem

shahid217 · #1 (**permalink**) 01-11-2007, 03:19 PM

Hi,

My PC is a home of virii and the stupid anti virus also can't take of them... I managed to do my work but now the biggest problem has arrived.
That is my Msn Messenger automatically starts sending some hell IMAGE messages to all in my buddies list and they contain my Boss, Manager and colleagues as well.

One by one the window of my buddies open and then closes itself. Meanwhile I can't move even my cursor.

Please help...

Neal · #2 (**permalink**) 01-11-2007, 10:00 PM

Click the link in my signature for hijackthis and scroll down and find hijackthis and follow instructions for that and copy/paste back here.

shahid217 · #3 (**permalink**) 02-11-2007, 06:49 PM

Here is it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:39 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\SPAMfighter\sfus.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\vptray.exe
D:\Program Files\SPAMfighter\S***ent.exe
D:\WINDOWS\system32\asrsvc.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\PROGRA~1\DAP\DAP.EXE
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SVCHOST] D:\WINDOWS\MDM.EXE
O4 - HKLM\..\Run: [SPAMfighter Agent] "D:\Program Files\SPAMfighter\S***ent.exe" update delay 60
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: QuickDefine - D:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - D:\Program Files\SPAMfighter\sfus.exe

--
End of file - 5840 bytes

Neal · #4 (**permalink**) 03-11-2007, 01:06 AM

Download http://www.forospyware.com/Msncleane...leaner_eng.zip
Unzip it to your desktop, but don't use it yet.

* Now reboot into Safe Mode
* Double-click MsnCleaner_eng.exe to run it.
* Click the Analyze button.
* A report will be created once after you finish scan.
* If it finds an infection, click the Deleted button.
* Now, please reboot back to normal mode.
* Please post the contents of C:\MsnCleaner.txt in a reply to this post.

shahid217 · #5 (**permalink**) 05-11-2007, 01:09 PM

Done with that.
Here's the log file

- Logfile MSNCleaner 1.4.5 by www.forospyware.com
- Created Logfile: 11/5/2007 on 5:04:10 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 6
Deleted file: 6
Undeleted Files: 0

D:\autorun.inf <--- Deleted
D:\Documents and Settings\Shahid Khalil\Local Settings\Temp\image25.zip <--- Deleted
D:\Documents and Settings\Shahid Khalil\Local Settings\Temp\image26.zip <--- Deleted
D:\Documents and Settings\Shahid Khalil\Local Settings\Temp\image24.zip <--- Deleted
D:\Documents and Settings\Shahid Khalil\Local Settings\Temp\image23.zip <--- Deleted
D:\Documents and Settings\Shahid Khalil\Local Settings\Temp\image21.zip <--- Deleted

Host file Restored

Neal · #6 (**permalink**) 06-11-2007, 12:21 AM

Well... how is it going now?

shahid217 · #7 (**permalink**) 06-11-2007, 12:37 PM

Ummmm no change...
I'm still having the same problem!

Neal · #8 (**permalink**) 06-11-2007, 08:05 PM

MSN Cleaner got rid of six bad files anyway.

1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post a new hijackthis log also please.

shahid217 · #9 (**permalink**) 07-11-2007, 11:44 AM

ComboFix 07-11-07.3 - Shahid Khalil 2007-11-07 15:17:35.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.50 [GMT 5:00]
Running from: D:\Documents and Settings\Shahid Khalil\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
D:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
D:\Documents and Settings\Shahid Khalil\Desktop\Live Safety Center.lnk
D:\Documents and Settings\Shahid Khalil\Desktop\Online Security Guide.lnk
D:\Documents and Settings\Shahid Khalil\Favorites\Online Security Guide.lnk
D:\WINDOWS\cookies.ini
D:\WINDOWS\svchost.ini
D:\WINDOWS\system32\del.bat
D:\WINDOWS\system32\nqtss.bak1
D:\WINDOWS\system32\nqtss.bak2
D:\WINDOWS\system32\nqtss.ini
D:\WINDOWS\system32\nqtss.ini2
D:\WINDOWS\system32\sstqn.dll
D:\WINDOWS\system32\xvifuwrp.dllbox
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 15:33 <DIR> d--hs---- D:\FOUND.020
2007-11-07 15:13 79,936 --a------ D:\WINDOWS\system32\lqncrwkj.dll
2007-11-07 15:13 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-07 15:06 86,080 --a------ D:\WINDOWS\system32\iytxsecm.dll
2007-11-07 15:03 71,232 --a------ D:\WINDOWS\system32\tafmkrxp.exe
2007-11-07 15:02 145,984 --a------ D:\WINDOWS\system32\xvifuwrp.dll
2007-11-07 15:02 145,984 --a------ D:\WINDOWS\system32\lxwecspx.dll
2007-11-07 11:55 <DIR> d-------- D:\Documents and Settings\awais\Contacts
2007-11-06 23:19 36,352 --a------ D:\WINDOWS\system32\tuvtusp.dll
2007-11-06 17:05 81,472 --a------ D:\WINDOWS\system32\hvbgjeyp.dll
2007-11-06 13:04 81,472 --a------ D:\WINDOWS\system32\uvcqepix.dll
2007-11-06 13:03 87,104 --a------ D:\WINDOWS\system32\kwfttdoc.dll
2007-11-05 19:57 36,352 --a------ D:\WINDOWS\system32\iifdeee.dll
2007-11-05 19:55 36,352 --a------ D:\WINDOWS\system32\jkkkjgg.dll
2007-11-05 17:02 <DIR> d-------- D:\BackUpMSNCleaner
2007-11-02 22:43 <DIR> d-------- D:\Program Files\Trend Micro
2007-10-31 21:18 33,280 --a------ D:\WINDOWS\system32\cbxustu.dll
2007-10-31 21:04 10,752 -r-hs---- D:\WINDOWS\system32\asrsvc.exe
2007-10-30 17:56 <DIR> d-------- D:\Documents and Settings\Shahid Khalil\Application Data\AdobeUM
2007-10-30 16:51 <DIR> d-------- D:\Program Files\Common Files\Adobe
2007-10-30 16:39 <DIR> d-------- D:\WINDOWS\pss
2007-10-30 14:09 <DIR> d--hs---- D:\FOUND.019
2007-10-27 19:29 <DIR> d-------- D:\Program Files\Google
2007-10-27 13:14 <DIR> d-------- D:\Documents and Settings\awais\Application Data\SPAMfighter
2007-10-27 13:14 <DIR> d-------- D:\Documents and Settings\awais\Application Data\AVG7
2007-10-26 23:11 <DIR> d-------- D:\Program Files\Elcomsoft
2007-10-26 23:07 <DIR> d-------- D:\Program Files\Accent EXCEL Password Recovery
2007-10-26 21:35 <DIR> d--hs---- D:\FOUND.018
2007-10-26 15:20 <DIR> d--hs---- D:\FOUND.017
2007-10-25 18:23 <DIR> d-------- D:\Program Files\Common Files\Ankiro
2007-10-25 18:23 <DIR> d-------- D:\Documents and Settings\Shahid Khalil\Application Data\SPAMfighter
2007-10-25 18:22 <DIR> d-------- D:\Program Files\SPAMfighter
2007-10-25 18:22 <DIR> d-------- D:\Program Files\Common Files\Application
2007-10-25 18:12 <DIR> d-------- D:\Documents and Settings\Shahid Khalil\Application Data\AVG7
2007-10-25 18:11 <DIR> d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-25 18:11 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-25 18:11 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg7
2007-10-22 17:32 <DIR> d--hs---- D:\FOUND.016
2007-10-18 17:09 <DIR> d--hs---- D:\FOUND.015
2007-10-08 09:28 <DIR> d--hs---- D:\FOUND.014

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-09-24 07:23 --------- d-----w D:\Program Files\Absolute MP3 Splitter
2007-09-24 07:05 --------- d-----w D:\Program Files\Cool MP3 Splitter
2007-09-21 04:22 --------- d-----w D:\Documents and Settings\awais\Application Data\eAcceleration
2007-09-17 13:11 --------- d-----w D:\Documents and Settings\Shahid Khalil\Application Data\LimeWire
2007-09-17 13:10 --------- d-----w D:\Program Files\LimeWire
2007-09-14 08:27 --------- d-----w D:\Documents and Settings\awais\Application Data\Teleca
2007-09-14 08:26 --------- d-----w D:\Documents and Settings\awais\Application Data\Sony Ericsson
2007-09-13 12:10 --------- d-----w D:\Documents and Settings\Shahid Khalil\Application Data\Teleca
2007-09-13 12:05 --------- d-----w D:\Documents and Settings\Shahid Khalil\Application Data\Sony Ericsson
2007-09-13 12:04 --------- d-----w D:\Program Files\Sony Ericsson
2007-09-13 12:04 --------- d-----w D:\Program Files\Common Files\Teleca Shared
2007-09-13 12:04 --------- d-----w D:\Program Files\Common Files\Sony Ericsson Shared
2007-09-13 12:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\Teleca
2007-09-13 12:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\Sony Ericsson
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1c43f756-9cda-409f-a57b-e06bf4546a8c}]
2007-11-07 15:13 79936 --a------ D:\WINDOWS\system32\lqncrwkj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-05 19:55 36352 --a------ D:\WINDOWS\system32\jkkkjgg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 15:02 145984 --a------ D:\WINDOWS\system32\xvifuwrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= D:\WINDOWS\system32\xvifuwrp.dll [2007-11-07 15:02 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"vptray"="D:\Program Files\NavNT\vptray.exe" [2001-10-31 11:59]
"SPAMfighter Agent"="D:\Program Files\SPAMfighter\S***ent.exe" [2007-10-23 14:56]
"Application Layer Services"="asrsvc.exe" [2007-10-30 12:17 D:\WINDOWS\system32\asrsvc.exe]
"a0512da2"="D:\WINDOWS\system32\iytxsecm.dll" [2007-11-07 15:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= D:\WINDOWS\system32\jkkkjgg.dll [2007-11-05 19:55 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgg]
jkkkjgg.dll 2007-11-05 19:55 36352 D:\WINDOWS\system32\jkkkjgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xvifuwrp]
xvifuwrp.dll 2007-11-07 15:02 145984 D:\WINDOWS\system32\xvifuwrp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^Shahid Khalil^Start Menu^Programs^Startup^Encarta Dictionary Quickshelf.lnk]
path=D:\Documents and Settings\Shahid Khalil\Start Menu\Programs\Startup\Encarta Dictionary Quickshelf.lnk
backup=D:\WINDOWS\pss\Encarta Dictionary Quickshelf.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
D:\PROGRA~1\DAP\DAP.EXE /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R2 SPAMfighter Update Service;SPAMfighter Update Service;"D:\Program Files\SPAMfighter\sfus.exe"
S3 s125bus;Sony Ericsson Device 125 driver (WDM);D:\WINDOWS\system32\DRIVERS\s125bus.sys
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;D:\WINDOWS\system32\DRIVERS\s125mdfl.sys
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;D:\WINDOWS\system32\DRIVERS\s125mdm.sys
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);D:\WINDOWS\system32\DRIVERS\s125mgmt.sys
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;D:\WINDOWS\system32\DRIVERS\s125obex.sys

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{587a6258-3479-11dc-8cc2-0002a5e36bb9}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{587a6259-3479-11dc-8cc2-0002a5e36bb9}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5b7b6158-cc02-11db-879c-806d6172696f}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{d619ad7b-392b-11dc-a4de-806d6172696f}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{d619ad7c-392b-11dc-a4de-806d6172696f}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{d619ad7d-392b-11dc-a4de-806d6172696f}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

.
************************************************** ************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 15:37:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2007-11-07 15:39:43 - machine was rebooted
.
--- E O F ---

shahid217 · #10 (**permalink**) 07-11-2007, 11:45 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:01 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\SPAMfighter\sfus.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\NavNT\vptray.exe
D:\Program Files\SPAMfighter\S***ent.exe
D:\WINDOWS\system32\asrsvc.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\xvifuwrp.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "D:\Program Files\SPAMfighter\S***ent.exe" update delay 60
O4 - HKLM\..\Run: [Application Layer Services] asrsvc.exe
O4 - HKLM\..\Run: [a0512da2] rundll32.exe "D:\WINDOWS\system32\iytxsecm.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: QuickDefine - D:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - D:\Program Files\SPAMfighter\sfus.exe

--
End of file - 5354 bytes