For a while now my computer has been acting weird. For some reason each time I do a search in google I always ended with alot of "buy here" links. At first I didn't pay much attention to it. But since the last few days I've been getting continuous messages from Panda (my anti-virus) that it has deleted a malicious file named "prefc000.dat" containing the "Trj/Spammer.ZX" trojan. But it seems to be recreating itself each time. As far as I know my computers up to date and after running a full scan of my computer with panda, ad-aware, spybot and windows defender and nothing seems to be able to get rid of this. Tried to search it out on google but aside from all the "shop here" and "buy now" crap that I usualy get, I only found a link to stop-sign software that
could supposly get rid of it for a fee. I found this fishy, since no one else seems to have figured it out. (Think their the ones who set it loose in the first place) Anyways I've been reading some of the other post about this but can't seem to make sens of what's what so I'm starting this in hopes that someone can figure it out. I sort of figured you guys use hijackthis alot so I downloaded it and here's the log it gave me. (Hope I did it right)
Thanks in advance for the help.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:31:50, on 29/05/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\Scan.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\avciman.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimreal.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ADS TVR Agent] C:\Program Files\ADS Tech\INSTANT TV PVR\Scheduled.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130736963937
O17 - HKLM\System\CCS\Services\Tcpip\..\{694584FD-272B-4AF2-8854-22C433F3CF8D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{A41E46B2-7C25-451A-BE6D-0C6BF412BC1F}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0FA0ED3-9F1C-4C5E-8777-842A43943532}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB77CF16-B174-45DF-9119-2E5EB6AEAB1F}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Service de planification Media Center (ehSched) - Unknown owner - C:\WINDOWS\eHome\ehSched.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe
--
End of file - 8753 bytes
Full Version: Trj/spammer.zx
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Hi,
First of all, I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Then,
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [ADS TVR Agent] C:\Program Files\ADS Tech\INSTANT TV PVR\Scheduled.exe <==not required to start up with Windows
O17 - HKLM\System\CCS\Services\Tcpip\..\{694584FD-272B-4AF2-8854-22C433F3CF8D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{A41E46B2-7C25-451A-BE6D-0C6BF412BC1F}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0FA0ED3-9F1C-4C5E-8777-842A43943532}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB77CF16-B174-45DF-9119-2E5EB6AEAB1F}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if you receive an error in HijackThis, this is normal.
Then, Go to Start -> Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Click OK twice, and restart your computer.
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
I really hope that Panda won't interfere with the removal tools we're going to use, because it may flag some components as infected in the removaltools (Combofix). So make sure, when you download Combofix and run it and Panda gives an alert (nircmd.exe, process.exe, reboot.exe..), that you don't let Panda delete it.
First of all, I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Then,
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [ADS TVR Agent] C:\Program Files\ADS Tech\INSTANT TV PVR\Scheduled.exe <==not required to start up with Windows
O17 - HKLM\System\CCS\Services\Tcpip\..\{694584FD-272B-4AF2-8854-22C433F3CF8D}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{A41E46B2-7C25-451A-BE6D-0C6BF412BC1F}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0FA0ED3-9F1C-4C5E-8777-842A43943532}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB77CF16-B174-45DF-9119-2E5EB6AEAB1F}: NameServer = 194.54.90.226
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if you receive an error in HijackThis, this is normal.
Then, Go to Start -> Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Click OK twice, and restart your computer.
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
I really hope that Panda won't interfere with the removal tools we're going to use, because it may flag some components as infected in the removaltools (Combofix). So make sure, when you download Combofix and run it and Panda gives an alert (nircmd.exe, process.exe, reboot.exe..), that you don't let Panda delete it.
As expected I had a little runnin with Panda but in the end I think it went well. Here are the two logs you requested.
"Razgoth" - 2007-05-30 19:38:29 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Razgoth\Bureau\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\perfc000.dat"
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))
2007-05-30 18:22 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-30 18:22 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-29 17:48 <REP> d-------- C:\DOCUME~1\Razgoth\APPLIC~1\Talkback
2007-05-29 17:47 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-29 17:41 <REP> d-------- C:\Program Files\Windows Defender
2007-05-29 17:40 <REP> d-------- C:\Program Files\SpywareBlaster
2007-05-29 17:38 <REP> d-------- C:\Program Files\Lavasoft
2007-04-03 23:50 <REP> d-------- C:\Program Files\MSBuild
2007-04-03 23:47 <REP> d-------- C:\WINDOWS\system32\XPSViewer
2007-04-03 23:46 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-04-03 23:46 <REP> d-------- C:\Program Files\Reference Assemblies
2007-04-03 23:45 <REP> d-------- C:\34e8b13993a0220a823931c9cb
2007-04-01 12:35 <REP> d-------- C:\NVIDIA
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCState-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 22:15:00 -------- d-----w C:\Program Files\MSN Messenger
2007-05-29 21:56:02 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\Lavasoft
2007-05-29 21:53:49 -------- d-----w C:\Program Files\WinAce
2007-05-29 21:38:15 -------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-05-29 01:57:19 -------- d-----w C:\Program Files\Electronic Arts
2007-05-29 01:53:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 01:53:11 -------- d-----w C:\Program Files\Sierra
2007-05-29 00:58:39 83,924 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-05-29 00:58:39 507,248 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-26 02:52:08 -------- d-----w C:\Program Files\GUILD WARS
2007-05-25 01:18:31 -------- d-----w C:\Program Files\World of Warcraft
2007-05-03 02:34:06 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\teamspeak2
2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:37:50 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:37:50 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:37:50 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:58 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-15 23:56]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2006-12-18 19:38]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2006-02-01 18:13]
"ISUSPM Startup"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 10:59]
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\perfc000.dat"
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))
2007-05-29 17:39 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCState-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 22:15:00 -------- d-----w C:\Program Files\MSN Messenger
2007-05-29 21:56:02 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\Lavasoft
2007-05-29 21:53:49 -------- d-----w C:\Program Files\WinAce
2007-05-29 21:38:15 -------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-05-29 01:57:19 -------- d-----w C:\Program Files\Electronic Arts
2007-05-29 01:53:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 01:53:11 -------- d-----w C:\Program Files\Sierra
2007-05-29 00:58:39 83,924 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-05-29 00:58:39 507,248 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-26 02:52:08 -------- d-----w C:\Program Files\GUILD WARS
2007-05-25 01:18:31 -------- d-----w C:\Program Files\World of Warcraft
2007-05-03 02:34:06 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\teamspeak2
2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:37:50 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:37:50 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:37:50 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:58 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-15 23:56]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2006-12-18 19:38]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2006-02-01 18:13]
"ISUSPM Startup"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 10:59]
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:01, on 2007-05-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\22729.cfexe
C:\Program Files\HijackThis\Scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130736963937
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB77CF16-B174-45DF-9119-2E5EB6AEAB1F}: NameServer = 10.100.1.1
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Service de planification Media Center (ehSched) - Unknown owner - C:\WINDOWS\eHome\ehSched.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe
--
End of file - 7252 bytes
"Razgoth" - 2007-05-30 19:38:29 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Razgoth\Bureau\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\perfc000.dat"
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))
2007-05-30 18:22 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-30 18:22 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-29 17:48 <REP> d-------- C:\DOCUME~1\Razgoth\APPLIC~1\Talkback
2007-05-29 17:47 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-29 17:41 <REP> d-------- C:\Program Files\Windows Defender
2007-05-29 17:40 <REP> d-------- C:\Program Files\SpywareBlaster
2007-05-29 17:38 <REP> d-------- C:\Program Files\Lavasoft
2007-04-03 23:50 <REP> d-------- C:\Program Files\MSBuild
2007-04-03 23:47 <REP> d-------- C:\WINDOWS\system32\XPSViewer
2007-04-03 23:46 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-04-03 23:46 <REP> d-------- C:\Program Files\Reference Assemblies
2007-04-03 23:45 <REP> d-------- C:\34e8b13993a0220a823931c9cb
2007-04-01 12:35 <REP> d-------- C:\NVIDIA
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCState-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 22:15:00 -------- d-----w C:\Program Files\MSN Messenger
2007-05-29 21:56:02 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\Lavasoft
2007-05-29 21:53:49 -------- d-----w C:\Program Files\WinAce
2007-05-29 21:38:15 -------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-05-29 01:57:19 -------- d-----w C:\Program Files\Electronic Arts
2007-05-29 01:53:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 01:53:11 -------- d-----w C:\Program Files\Sierra
2007-05-29 00:58:39 83,924 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-05-29 00:58:39 507,248 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-26 02:52:08 -------- d-----w C:\Program Files\GUILD WARS
2007-05-25 01:18:31 -------- d-----w C:\Program Files\World of Warcraft
2007-05-03 02:34:06 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\teamspeak2
2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:37:50 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:37:50 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:37:50 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:58 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-15 23:56]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2006-12-18 19:38]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2006-02-01 18:13]
"ISUSPM Startup"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 10:59]
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\perfc000.dat"
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))
2007-05-29 17:39 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 23:42:46 384 ----a-w C:\WINDOWS\system32\DVCState-{00000006-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-30 22:15:00 -------- d-----w C:\Program Files\MSN Messenger
2007-05-29 21:56:02 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\Lavasoft
2007-05-29 21:53:49 -------- d-----w C:\Program Files\WinAce
2007-05-29 21:38:15 -------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-05-29 01:57:19 -------- d-----w C:\Program Files\Electronic Arts
2007-05-29 01:53:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 01:53:11 -------- d-----w C:\Program Files\Sierra
2007-05-29 00:58:39 83,924 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-05-29 00:58:39 507,248 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-26 02:52:08 -------- d-----w C:\Program Files\GUILD WARS
2007-05-25 01:18:31 -------- d-----w C:\Program Files\World of Warcraft
2007-05-03 02:34:06 -------- d-----w C:\DOCUME~1\Razgoth\APPLIC~1\teamspeak2
2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:37:50 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:37:50 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:37:50 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:58 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-15 23:56]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2006-12-18 19:38]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2006-02-01 18:13]
"ISUSPM Startup"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 10:59]
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:01, on 2007-05-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\22729.cfexe
C:\Program Files\HijackThis\Scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130736963937
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB77CF16-B174-45DF-9119-2E5EB6AEAB1F}: NameServer = 10.100.1.1
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Service de planification Media Center (ehSched) - Unknown owner - C:\WINDOWS\eHome\ehSched.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe
--
End of file - 7252 bytes
Hi,
Your Combofix never completed.... there was still a related component running to check for rootkits - but I guess Panda already deleted the related components.
No worries though, we'll use another rootkitchecker instead as a final check..
First, delete next folder:
C:\Qoobox
Then, Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
(fsbl.exe - graphical user interface)
Double-click fsbl.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found - if found, so don't worry it tells that there were no files found.
In case hidden files were found, Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.
Your Combofix never completed.... there was still a related component running to check for rootkits - but I guess Panda already deleted the related components.
No worries though, we'll use another rootkitchecker instead as a final check..
First, delete next folder:
C:\Qoobox
Then, Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
(fsbl.exe - graphical user interface)
Double-click fsbl.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found - if found, so don't worry it tells that there were no files found.
In case hidden files were found, Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.
Blacklight didn't find anything. Guess that's a good sign. Here's the log.
05/31/07 02:59:14 [Info]: BlackLight Engine 1.0.61 initialized
05/31/07 02:59:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/31/07 02:59:14 [Note]: 7019 4
05/31/07 02:59:14 [Note]: 7005 0
05/31/07 02:59:20 [Note]: 7006 0
05/31/07 02:59:20 [Note]: 7011 2356
05/31/07 02:59:20 [Note]: 7026 0
05/31/07 02:59:21 [Note]: 7026 0
05/31/07 02:59:27 [Note]: FSRAW library version 1.7.1021
05/31/07 03:06:58 [Note]: 2000 1012
05/31/07 03:07:19 [Note]: 7007 0
05/31/07 02:59:14 [Info]: BlackLight Engine 1.0.61 initialized
05/31/07 02:59:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/31/07 02:59:14 [Note]: 7019 4
05/31/07 02:59:14 [Note]: 7005 0
05/31/07 02:59:20 [Note]: 7006 0
05/31/07 02:59:20 [Note]: 7011 2356
05/31/07 02:59:20 [Note]: 7026 0
05/31/07 02:59:21 [Note]: 7026 0
05/31/07 02:59:27 [Note]: FSRAW library version 1.7.1021
05/31/07 03:06:58 [Note]: 2000 1012
05/31/07 03:07:19 [Note]: 7007 0
Yes, that's a good sign. 
Your HijackThislog looks clean again as well. How are things now?
Your HijackThislog looks clean again as well. How are things now?
Everything seems to be back in working order. There's even icons of softwares I didn't even noticed that went missing that came back. There's a few windows updates that are now available that where'nt even there before. (Though it might just be a coincidance) And to think I came this close to a full fledge format. Anyways I'll probably just run a scandisk and a defrag to help speed things up a bit but thats it. Thanks alot for the help.
Glad I could help.
Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Happy Surfing again!
Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Happy Surfing again!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.