# Virus/Threat in .dll file



## justin7g7

I've come across a problem with a .dll file located in my Program Files instead of my system32 folder. AVG has picked it up as a threat so I healed it and moved it to vault but everytime I reboot comes right back. I went into safe mode and tried to replace the file but it said access denied. The threat that AVG picks up is Trojan Horse Backdoor....not sure exactly what the other stuff was. The .dll file is named Wab64.dll. Looking for any possible help.

Also I'm running Windows XP

Thanks in advance.


----------



## patrickv

you can post a hijack this logs , probably there can be other causes for it


----------



## ceewi1

It's likely an infection, please post a HijackThis log:

Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
_Most of what it lists will be harmless or even essential, don't fix anything yet._


----------



## justin7g7

Alright, here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:34 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1143825502\ee\AOLSoftware.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {03C3F85C-33EF-1042-EC6B-192312BBC79B} - C:\WINDOWS\system32\tjjngwsg.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11E65333-9880-E724-82FD-B069358C8BCB} - C:\WINDOWS\system32\ayqntj.dll (file missing)
O2 - BHO: ShopGuide Class - {3CB0CF42-DA54-47d2-8999-23928A2DEA42} - c:\program files\ShopGuide\shpguide9b.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7E8DB7F3-2C67-23E2-1483-2027528EEEBF} - C:\WINDOWS\system32\mwnjun.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {D11FB0F3-7930-25E1-13A3-72F2CE2615BE} - C:\WINDOWS\system32\wolsuxs.dll
O2 - BHO: (no name) - {DF17B4FB-2D33-74B9-13A3-72F2CE2615BE} - C:\WINDOWS\system32\wolsuxs.dll
O2 - BHO: (no name) - {FEBE7D48-B780-B10B-A838-BB5E651A65B0} - C:\WINDOWS\system32\hnwxz.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143825502\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKCU\..\Run: [zqlgzkf] C:\WINDOWS\zqlgzkf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Wsjwjj] C:\WINDOWS\system32\RSS~1.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wsjwjj] C:\WINDOWS\system32\RSS~1.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ¼¥°¡ÀÌµå - {EC9679F6-42B7-4593-9E1C-AF421066C123} - http://www.shop-guide.co.kr (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
O16 - DPF: {21FDDE58-51A6-402A-8040-39DA033DC196} (Pull0PlayerX Control) - http://image.pullbbang.com/newTop/Pull0Control.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120606045939
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} (MADanalCtrl Control) - http://www.csafer.net/ActiveX/MAStreamCtrl.cab
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {BD6F8792-B90E-4431-B0AB-08CF414E9D35} (DamoimBGMPlayerX Control) - http://bgm.iple.com/Cab/SMMusicPlayerX.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/p3Instal.cab
O16 - DPF: {EACD6BE5-C0EE-4909-9B71-B2807C8A245C} (JukeOn Login Control) - http://dl.jukeon.co.kr/jukeon/jukeon2/2005122201/jukeonax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61314217-FED6-456A-AC63-75BAAF5F9355}: NameServer = 68.105.28.11,68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA2FA797-2AE7-46C0-BB44-A7BCA6F772A2}: NameServer = 65.32.5.74,65.32.5.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{61314217-FED6-456A-AC63-75BAAF5F9355}: NameServer = 68.105.28.11,68.105.29.11
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: spool32.dll             C:\WINDOWS\system32\scanregw.dll C:\WINDOWS\system32\spool32.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device -   - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 13200 bytes


----------



## Zurrieqmalta

I got the same problem
The threat found is Trojan horse BackDoor.Hupigon3.MRB. The file infected is Wab64.dll that should be found in the following directory C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll.
I tried searching for the file using the search companion in this folder but it could not find it. And i tried searching manually and i could not find it even when i revealed all hidden files. When i tried scanning the Speech folder no threats were found....

Any ideas? I posted my log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:36 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\KYE\ERGOME~1\SyTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Adobe\Acrobat\Distillr\acrotray.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onvol.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ErgoMedia] C:\PROGRA~1\KYE\ERGOME~1\SyTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\My_Server.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Adobe\Acrobat\Distillr\acrotray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stephencamilleridonly1.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174683785625
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5140/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awttuss - awttuss.dll (file missing)
O20 - Winlogon Notify: qomnkhi - qomnkhi.dll (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe
O24 - Desktop Component 1: (no name) - http://www.manutd.com/

--
End of file - 11262 bytes

Thanks


----------



## justin7g7

Zurrieqmalta said:


> I got the same problem
> The threat found is Trojan horse BackDoor.Hupigon3.MRB. The file infected is Wab64.dll that should be found in the following directory C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll.



This is the same exact virus I have and it is in the same exact folder.


----------



## somebodies

justin7g7 said:


> This is the same exact virus I have and it is in the same exact folder.



Hi all 

It's in the folder but when u go there it cannot be found.
New trojan/backdoor?


----------



## diroga

in an open window click on the top toolbar tool>folder options>view tab> uncheck the hiden options (all three)


----------



## justin7g7

Alright, I see the file now, do I delete it?

EDIT: I deleted it, and just returns after I reboot.


----------



## ceewi1

I notice that a number of people have been posting their own HijackThis logs in this thread, quite possibly since it is the first result on a Google search for Wab64.dll.  Managing multiple logs in one thread is next to impossible, so if you need help with your logfiles, even if it appears to be the same problem, please make a new thread.

justin7g7, my apologies for the delay.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:
*
C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll*

Then click Submit.  Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://www.virustotal.com/

Once done, please do the following:
1. Please download this file - *Combofix* to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall


----------



## Zurrieqmalta

Today i booted and i got no threat detected i think the problem solved on its own lol.... Btw i still could not find the file when i arranged it from the folder options. Ill do the following



> Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:
> 
> C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll
> 
> Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
> 
> If that scanner is busy, please use this one: http://www.virustotal.com/
> 
> Once done, please do the following:
> 1. Please download this file - Combofix to your desktop
> 2. Double click ComboFix.exe & follow the prompts.
> 3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.



if i get the threat message again

THanks guys


----------



## justin7g7

Neither of the virus scan sites will let me upload the file.  It says a firewall or perhaps malware is blocking it.

EDIT:  Think I fixed the problem.


----------



## taurus9mm

*Hupigon3.mrb in Wab64.dll*

I have the same annoying virus, it doesnt seem to do anything yet but i dont want to wait for the trigger. heres a combofix and hijack this log.

ComboFix 07-11-19.4C - Owner 2007-11-29  2:15:08.1 - *FAT32*x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.621 [GMT -8:00]
Running from: E:\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin18.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin20.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin21.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin9.zip
C:\WINDOWS\cnsinfo.dat
C:\WINDOWS\Downloaded Program Files\Update

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CNSMINKP


(((((((((((((((((((((((((   Files Created from 2007-10-28 to 2007-11-29  )))))))))))))))))))))))))))))))
.

2007-11-28 09:01	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2007-11-28 09:01	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-28 09:01	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2007-11-28 09:01	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-28 08:38	138,752	--a------	C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-28 08:35	<DIR>	d--------	C:\Program Files\Spyware Terminator
2007-11-28 08:35	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2007-11-28 08:35	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-27 23:05	<DIR>	d--------	C:\Program Files\Trend Micro
2007-11-26 01:34	<DIR>	d--------	C:\Program Files\Eidos Interactive
2007-11-26 00:57	496,535,411	--a------	C:\Hitman 2 Silent Assassin (PC GAME FULL).exe
2007-11-25 20:48	<DIR>	d--------	C:\Step.Up[2006]DvDrip[Eng]-aXXo
2007-11-25 16:57	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-25 16:57	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-24 17:34	<DIR>	d--------	C:\Shes.The.Man.DVDRip.XviD-ANTH
2007-11-24 00:37	<DIR>	d--------	C:\Movies
2007-11-22 20:15	<DIR>	d--------	C:\Desperate Housewives
2007-11-20 19:45	<DIR>	d--------	C:\Paul Anka.21 Golden Hits[P]1963(Pugz.128k.mp3)
2007-11-18 20:04	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\X10 Commander
2007-11-16 15:00	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\ATI MMC
2007-11-16 10:12	<DIR>	d--------	C:\AeriaGames
2007-11-10 02:25	<DIR>	d--------	C:\Jay-Z-American_Gangster-Retail-2007-CR
2007-11-09 00:51	<DIR>	d--------	C:\The Tony Rich Project - Pictures [2006] [R&B] [www.file24ever.com]
2007-11-07 15:33	22	--a------	C:\WINDOWS\system32\ati64hlp.stb
2007-11-07 15:17	664	--a------	C:\WINDOWS\system32\d3d9caps.dat
2007-11-07 15:14	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-11-07 15:14	22	--a------	C:\WINDOWS\system32\ati64hl2.stb
2007-11-07 15:12	<DIR>	d--------	C:\Program Files\ATI Multimedia
2007-11-07 15:12	257,872	---------	C:\WINDOWS\system32\drivers\atirwvd.sys
2007-11-07 15:12	9,091	---------	C:\WINDOWS\system32\drivers\atirwrf.sys
2007-11-07 15:11	<DIR>	d--------	C:\Program Files\msaccrt
2007-11-07 15:10	<DIR>	d--------	C:\WINDOWS\system32\windows media
2007-11-07 15:10	<DIR>	d--h-----	C:\WINDOWS\msdownld.tmp
2007-11-07 15:10	<DIR>	d--------	C:\Program Files\Windows Media Components
2007-11-07 15:09	<DIR>	d--------	C:\Program Files\Common Files\CyberLink
2007-11-07 15:09	<DIR>	d--------	C:\Program Files\Common Files\ATI
2007-11-02 10:22	<DIR>	dr-------	C:\UDC Output Files

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 10:52	---------	d-----w	C:\Documents and Settings\Owner\Application Data\AVG7
2007-10-23 10:52	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-23 10:51	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-23 10:51	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2007-10-23 10:21	98,304	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2007-10-23 10:01	---------	d-----w	C:\Program Files\THQ
2007-10-20 18:19	30,363,648	----a-w	C:\Documents and Settings\Owner\Main.dat
2007-10-20 12:50	---------	d-----w	C:\Program Files\BPK
2007-10-20 07:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\ATI
2007-10-20 07:01	---------	d-----w	C:\Program Files\Common Files\ATI Technologies
2007-10-20 02:17	---------	d-----w	C:\Program Files\Steam
2007-10-20 02:00	---------	d-----w	C:\Program Files\ATI Technologies
2007-10-19 04:47	10,040	----a-w	C:\WINDOWS\system32\lmimirr2.dll
2007-10-17 07:04	---------	d-----w	C:\Program Files\Boris FX, Inc
2007-10-15 09:43	---------	d-----w	C:\Program Files\Morgan
2007-10-15 01:50	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Publish Providers
2007-10-15 01:40	---------	d-----w	C:\Program Files\Microsoft SQL Server
2007-10-15 01:39	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Sony
2007-10-15 01:33	---------	d-----w	C:\Program Files\Vstplugins
2007-10-15 01:33	---------	d-----w	C:\Program Files\Sony
2007-10-15 01:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Sony
2007-10-15 01:14	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Sony Setup
2007-10-15 01:13	---------	d-----w	C:\Program Files\Sony Setup
2007-10-13 08:47	---------	d-----w	C:\Program Files\Jetico
2007-10-11 06:10	---------	d-----w	C:\Program Files\PQDVD
2007-10-07 03:04	82,432	----a-w	C:\WINDOWS\system32\msxml4r.dll
2007-10-07 03:04	1,233,920	----a-w	C:\WINDOWS\system32\msxml4.dll
2007-10-06 10:30	---------	d-----w	C:\Program Files\PowerISO
2007-10-06 10:26	---------	d-----w	C:\Program Files\MagicDisc
2007-08-31 07:45	411,956	----a-w	C:\WINDOWS\SAAB_1.scr
2007-08-31 07:45	2,541,631	----a-w	C:\WINDOWS\SAAB_1.exe
2007-08-29 10:27	253,952	----a-w	C:\WINDOWS\BCUnInstall.exe
2002-11-18 14:26	61,440	----a-w	C:\WINDOWS\inf\i386\onetUSD.dll
2002-10-24 16:29	36,864	----a-w	C:\WINDOWS\inf\i386\Vizmicro.dll
2002-10-24 16:28	172,032	----a-w	C:\WINDOWS\inf\i386\viceo.dll
2002-10-24 16:02	225,280	----a-w	C:\WINDOWS\inf\i386\rtscan.dll
2001-08-04 02:29	13,824	----a-w	C:\WINDOWS\inf\i386\Usbscan.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 02:51]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 17:05]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-11-28 08:38]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 02:51]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-10-06 02:26:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
backup=C:\WINDOWS\pss\Smart Wizard Wireless Settings.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility.lnk
backup=C:\WINDOWS\pss\Wireless Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=C:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^GpsGate.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\GpsGate.lnk
backup=C:\WINDOWS\pss\GpsGate.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
			C:\Program Files\802.11 WLAN\ACU.exe -nogui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
2004-06-15 22:17	69705	--a------	C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
2004-06-15 22:22	106571	--a------	C:\Program Files\ATI Multimedia\main\launchpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
2004-04-16 06:43	196608	--a------	C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
			C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-07-10 21:10	339968	--a------	C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
			BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCWipeTM Startup]
			C:\Program Files\Jetico\BCWipe\BCWipeTM.exe startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
			C:\WINDOWS\VM_STI.EXE USB PC Camera 301P

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]
			C:\WINDOWS\system32\BMUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
			C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-09 20:29	49152	---------	C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
			C:\Program Files\eMule\emule.exe -AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
			C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
			C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
			KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
			MMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-09-24 17:22	1916928	---------	C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50	155648	--a------	C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
2002-11-18 06:17	94208	--a------	C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\peakinternet]
2006-10-20 00:41	417792	--a------	C:\Program Files\BPK\peakinternet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\Ringz Studio\Storm Codec\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
			C:\Program Files\Real\RealPlayer\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
			C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
			C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 04:00	132496	--a------	C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
			C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
			C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
			C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SM_ml1600_FUService"=3 (0x3)
"SavRoam"=3 (0x3)
"P4P Service"=2 (0x2)
"IDriverT"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"CiSvc"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"wscsvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)
"ACS"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"x10nets"=3 (0x3)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R3 AR5523;802.11 WLAN USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys
S2 NetCM;Network Connection Manager;C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe
S3 ATHFMWDL;WLAN USB Wireless Adapter Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\H:\INSTAL~E\Core\BVRPMPR5.SYS
S3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;C:\WINDOWS\system32\Drivers\LUsbKbd.Sys
S3 PID_0920;Labtec WebCam(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS
S3 XDva020;XDva020;\??\C:\WINDOWS\system32\XDva020.sys
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys
S4 SM_ml1600_FUService;ML-2010 Status Monitor Service;"C:\Program Files\Samsung ML-2010 Series\CommonSM\ssmsrvc /Service

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 02:21:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-29  2:22:38 - machine was rebooted
.
	--- E O F ---





HIJACK THIS! -------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:27, on 2007-11-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196269234718
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B80F3B7-AAFF-42E9-B2C4-26FB8C866663}: NameServer = 192.168.0.1,192.168.0.100
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 4636 bytes


----------



## justin7g7

Hey, I went into Safe Mode (Tap F8 when rebooting PC) and I deleted the whole "Speech" folder along with the virus.


----------



## taurus9mm

so its all taken care of? what about registry?


----------



## ceewi1

justin7g7, your logfile is showing a lot more than this one infection.  I do suggest starting with ComboFix.

Everyone else who's posting logfiles in this thread, please create a new thread of your own.


----------



## taurus9mm

fixed, just did a safe mode start and deleted the C:/program files/common files/speech

no more virus. sorry for the log, im a noob.


----------

