Help me with win32: TratBHO [Trj]!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:19 AM, on 12/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
f:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\maxtor bu\MaxBackServiceInt.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
F:\Program Files\Computer Alarm Clock\cac.exe
F:\Program Files\maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
F:\Program Files\maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
F:\Program Files\Easy Share\Kodak EasyShare software\bin\EasyShare.exe
F:\Program Files\Last.fm\LastFMHelper.exe
f:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\OpenOffice.org 2.3\program\soffice.exe
F:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
f:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\Program Files\iTunes\iTunes.exe
F:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
f:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Shane\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O4 - HKLM\..\Run: [avast!] f:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Computer Alarm Clock] F:\Program Files\Computer Alarm Clock\cac.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] F:\Program Files\maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = F:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: OpenOffice.org 2.3.lnk = F:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 8\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Acrobat 8\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Kodak EasyShare software.lnk = F:\Program Files\Easy Share\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Helix Server - RealNetworks, Inc. - F:\Program Files\Helix Server\Bin\rmserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\maxtor bu\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe


End of file - 7891 bytes

Hi, welcome to the forum. I don’t see anything obvious, so let’s see what we can turn up.

Open HJT, run a system scan only, and check mark these lines if present:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)

Close all other browsers/windows, click fix, close HJT.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.
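The check the helper applies above, picking out the O2 (Browser Helper Object) lines whose DLL is gone, as an added example in Python written for this page (it is not HijackThis or forum code; the two sample logs are constructed from the O2 lines posted in this thread, before and after the fix):

```python
import re

# Constructed sample in the shape of the first HijackThis log in this thread;
# the two "(no file)" BHO lines are the ones the helper asked to have fixed.
HJT_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed sample in the shape of the second (post-fix) log.
HJT_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# An O2 line reads: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>".
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)


def parse_bho_entries(log_text):
    """Return one dict (name, clsid, path) per O2 line, in log order."""
    entries = []
    for line in log_text.splitlines():
        match = O2_LINE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def orphaned_bhos(log_text):
    """O2 entries whose DLL is gone but whose CLSID is still registered.

    HijackThis prints "(no file)" in the path column for these. They are
    leftovers of an uninstall or of an incomplete removal, which is why a
    helper has them fixed (removed from the registry) before anything else.
    """
    return [e for e in parse_bho_entries(log_text)
            if e["path"].strip().lower() == "(no file)"]


def removed_bho_clsids(before, after):
    """CLSIDs present in the first log's O2 lines but missing from the second.

    Comparing the log posted before the fix with the one posted after it
    confirms that the checked entries were actually removed.
    """
    before_ids = {e["clsid"].upper() for e in parse_bho_entries(before)}
    after_ids = {e["clsid"].upper() for e in parse_bho_entries(after)}
    return sorted(before_ids - after_ids)


if __name__ == "__main__":
    for entry in orphaned_bhos(HJT_BEFORE):
        print("orphaned BHO:", entry["clsid"], entry["name"])
    print("removed after fix:", removed_bho_clsids(HJT_BEFORE, HJT_AFTER))
```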

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:50 AM, on 12/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
f:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\maxtor bu\MaxBackServiceInt.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
F:\Program Files\Computer Alarm Clock\cac.exe
F:\Program Files\maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
F:\Program Files\maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
F:\Program Files\Easy Share\Kodak EasyShare software\bin\EasyShare.exe
F:\Program Files\Last.fm\LastFMHelper.exe
f:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\OpenOffice.org 2.3\program\soffice.exe
F:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
f:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\Program Files\iTunes\iTunes.exe
F:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Shane\LOCALS~1\Temp\Rar$EX00.531\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] f:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Computer Alarm Clock] F:\Program Files\Computer Alarm Clock\cac.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] F:\Program Files\maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = F:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: OpenOffice.org 2.3.lnk = F:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 8\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Acrobat 8\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Kodak EasyShare software.lnk = F:\Program Files\Easy Share\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - f:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - f:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Helix Server - RealNetworks, Inc. - F:\Program Files\Helix Server\Bin\rmserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\maxtor bu\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe


End of file - 7650 bytes

ComboFix 08-01-11.3 - Shane 2008-01-12 12:15:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.433 [GMT 11:00]
Running from: C:\Documents and Settings\Shane\Desktop\ComboFix.exe

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\vtsts.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-12 12:15 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 21:24 . 2008-01-10 21:24 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-10 20:27 . 2008-01-10 20:27 39,424 --a------ C:\WINDOWS\system32\qomllmk.dll
2008-01-10 20:26 . 2008-01-10 20:26 39,424 --a------ C:\WINDOWS\system32\fccyyxu.dll.vir
2008-01-10 20:08 . 2008-01-10 20:08 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-08 21:52 . 2008-01-08 21:52 d-------- C:\Documents and Settings\Shane\.DownloadManager
2007-12-22 00:26 . 2007-12-22 00:26 d-------- C:\Program Files\DivX
2007-12-19 10:46 . 2007-12-19 10:46 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-19 10:46 . 2004-01-01 11:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-15 16:33 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-12-15 16:33 . 2006-12-14 00:39 40,832 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2007-12-15 16:33 . 2006-12-13 17:52 20,992 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-12-15 16:33 . 2007-12-15 16:33 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-15 16:33 . 2007-12-15 16:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-12 09:34 . 2007-12-12 09:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-12 09:34 . 2007-12-12 09:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 01:20 --------- d-----w C:\Documents and Settings\Shane\Application Data\BitTorrent DNA
2008-01-11 22:31 --------- d-----w C:\Documents and Settings\Shane\Application Data\OpenOffice.org2
2008-01-11 06:04 --------- d-----w C:\Documents and Settings\Shane\Application Data\dvdcss
2008-01-10 12:06 --------- d-----w C:\Documents and Settings\Shane\Application Data\BitTorrent
2008-01-10 10:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 08:54 --------- d-----w C:\Program Files\Bonjour
2007-12-19 00:05 --------- d-----w C:\Program Files\lx_cats
2007-12-10 04:46 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-28 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-17 02:04 --------- d-----w C:\Program Files\Java
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-17 06:37 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-17 02:00 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-10-17 02:00 22,328 -c--a-w C:\Documents and Settings\Shane\Application Data\PnkBstrK.sys
2007-10-17 02:00 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-02-13 19:28 76 ---ha-w C:\Program Files\Desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-08-16 17:19 5728112]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-03 18:38 286016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="f:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00 79224]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-07 08:48 286720]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-25 02:54 65536]
"Computer Alarm Clock"="F:\Program Files\Computer Alarm Clock\cac.exe" [2005-04-12 12:27 694784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 07:24 286720]
"MaxtorOneTouch"="F:\Program Files\maxtor\ManagerApp\Onetouch.exe" [2006-08-11 09:45 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 12:15 81920]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 22:23 75520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-01-01 11:00 15360]

C:\Documents and Settings\Shane\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-14 05:01:00]
Last.fm Helper.lnk - F:\Program Files\Last.fm\LastFMHelper.exe [2007-07-05 22:18:44]
OpenOffice.org 2.3.lnk - F:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 8\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - F:\Program Files\Adobe\Acrobat 8\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
Kodak EasyShare software.lnk - F:\Program Files\Easy Share\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 23:29:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKLM\~\startupfolder\C:^Documents and Settings^Shane^Start Menu^Programs^Startup^Konfabulator.lnk]
path=C:\Documents and Settings\Shane\Start Menu\Programs\Startup\Konfabulator.lnk
backup=C:\WINDOWS\pss\Konfabulator.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shane^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Shane\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 15:42 267064 F:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“iPod Service”=3 (0x3)

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2005-04-21 19:19]
R2 TE88IR;TE DTV IR Decoder;C:\WINDOWS\system32\Drivers\TE88IR.sys [2004-08-14 13:22]
R2 TE88XBar;TE DTV Crossbar;C:\WINDOWS\system32\Drivers\TE88XBar.sys [2004-03-03 14:16]
R2 TETV;TE 2388x Tuner (TCL-2002);C:\WINDOWS\system32\Drivers\TE88tune.sys [2004-07-28 13:42]
R3 TE88XVid;TE DTV Video Capture;C:\WINDOWS\system32\Drivers\TE88Vid.sys [2005-01-01 11:09]
S3 Helix Server;Helix Server;F:\Program Files\Helix Server\Bin\rmserver.exe [2007-07-18 23:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 00:39]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2006-12-13 17:52]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
S3 TE88XAud;TE88XAud;C:\WINDOWS\system32\Drivers\TE88Aud.sys [2004-08-04 17:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{799ce7d4-b9be-11db-9495-806d6172696f}]
\Shell\AutoRun\command - H:\Autorun.exe

Newly Created Service - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 04:16:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 12:23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-12 12:23:56
ComboFix-quarantined-files.txt 2008-01-12 01:23:54
.
2007-12-18 23:52:27 --- E O F ---

Do this for now I have to check a couple of things. You can attach logs by using the additional options button on the reply page.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\qomllmk.dll
C:\WINDOWS\system32\fccyyxu.dll.vir

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Log file attached.

Thanks for the help so far.

Looks okay. Any problems? If not we’ll clean up the tools you used.

  1. Click the start button, click run, copy and paste this line into the box and click ok

  2. Open hijackthis, click the misc tools button, slide the slider down, click uninstall.

  3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  4. Remove old restore points
  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  5. Your Java is waaay out of date. It is an entry for malware.

Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Reboot your computer.

And you may want to look at this:

  1. It looks like you are using Windows Firewall. It doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

Also a good little cleaner utility:

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Yeah, everything seems to be in working order again.
That is to say, avast hasn’t told me anything is wrong.

As for running old Java, I need to use this version, as for some reason the newer Java makes Firefox freeze on my uni student message board (and several other Java-based sites).

I can’t comment on why the new java won’t work, but if you’re happy so am I. Take care.