Post #1 | Aug 29 2008, 04:04 PM
New Member | Group: Members | Posts: 6 | Joined: 29-August 08 | Member No.: 234,371
I have run:
LSPfix
Adaware
Moveit
Trend Micro Internet Security

I am now able to boot the computer in regular mode, but the sound blasts are still there, and occasional bursts of multiple windows opening that say "luckyclick..." in the title. I have been working on this since last night, and then all day today. My brain is fried and I am going to take a break. I am hoping someone will have some advice when I get back. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:26 PM, on 8/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\inf\svchoct.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\DllHost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKLM\..\Policies\Explorer\Run: [minitnyus] C:\WINNT\system32\inf\svchosd.exe C:\WINNT\wftadfi16_080819a.dll tanlt88
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINNT\system32\inf\svchoct.exe C:\WINNT\wftadfi16_080828a.dll tanlt88
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Poker - Bodog\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: zordisa.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

--
End of file - 7165 bytes

-----this is from an earlier HijackThis run so you can see files I have disabled and deleted, in case it makes something I missed pop out------
------please keep in mind I deleted a lot of things from the one below already-------------------------

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINNT\system32\AFinding.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINNT\system32\macidwe.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINNT\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: routing Service (routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)
O23 - Service: roxtctm Settings storage service (roxtctm) - Unknown owner - C:\WINNT\system32\roxtctm.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINNT\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINNT\system32\tdxdowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINNT\system32\WServing.exe
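A triage pass over HijackThis lines of the kind shown in this log, as an added example that is not code from the post, from Trend Micro or from the HJT team. It assumes, as the log shows, that %SystemRoot% on this machine is C:\WINNT, and its sample input is a handful of lines copied from the log above (constructed, with benign lines mixed in for contrast); the heuristics and function names are this example's own.

```python
"""Triage pass over HijackThis v2 log lines. Added example for this thread, not
code from the original post, from Trend Micro or from the HJT team. It encodes
what the helper acted on: core system binaries outside the system directory,
look-alike names, Policies\\Explorer\\Run, AppInit_DLLs, bare .exe download
points, and services with no vendor string."""
import re
from dataclasses import dataclass

# Assumption read off the log: %SystemRoot% on this Windows 2000 box is C:\WINNT,
# so C:\WINNT\system32 is the only legitimate home for the core binaries below.
SYSTEM_DIR = r"c:\winnt\system32"
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "explorer.exe"}

# Constructed sample: lines copied from the log posted above, plus benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINNT\system32\inf\svchoct.exe C:\WINNT\wftadfi16_080828a.dll tanlt88
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O20 - AppInit_DLLs: zordisa.dll
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINNT\system32\macidwe.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|bat))', re.I)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    line: str
    reasons: list


def within_one_edit(a, b):
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)  # skip the mismatched char of the longer string,
        j += len(b) >= len(a)  # or of both when the lengths are equal
    return edits + (len(a) - i) + (len(b) - j) <= 1


def binary_reasons(path):
    """Flags for the executable at `path`; empty list when nothing stands out."""
    parent, _, name = path.rpartition("\\")
    parent, name = parent.lower(), name.lower()
    if name in SYSTEM_BINARIES:
        if parent == SYSTEM_DIR:
            return []
        return [f"{name} is a core system binary but runs from {parent or 'no directory'}"]
    if name and any(within_one_edit(name, known) for known in SYSTEM_BINARIES):
        return [f"{name} looks like a misspelling of a core system binary"]
    return []


def triage_line(line):
    """Return a Finding for a suspicious line, None for a benign or unparsed one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    reasons = []
    if section == "R1" and ",ProxyServer = " in rest:
        reasons.append("a proxy is configured for Internet Explorer; confirm it is intended")
    elif section == "O4":
        if "\\Policies\\Explorer\\Run" in rest:
            reasons.append("autostart via Policies\\Explorer\\Run, a key legitimate software rarely uses")
        command = rest.split("] ", 1)[1] if "] " in rest else ""
        reasons += binary_reasons(exe.group(1) if (exe := EXE_RE.match(command)) else "")
    elif section == "O16" and rest.rsplit(" - ", 1)[-1].lower().endswith(".exe"):
        reasons.append("ActiveX download point fetches a bare .exe rather than a .cab")
    elif section == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set; that DLL is loaded into every process that uses user32")
    elif section == "O23" and rest.startswith("Service: "):
        parts = rest[len("Service: "):].split(" - ", 2)
        if len(parts) == 3:
            name, owner, path = parts
            if owner == "Unknown owner":
                reasons.append(f"service '{name}' carries no vendor string")
            reasons += binary_reasons(path.replace(" (file missing)", ""))
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text):
    """Every flagged line, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n      " + "\n      ".join(f.reasons))
```

Running it on the full log rather than the sample works the same way, since lines that are not HijackThis entries (the process list, blank lines) simply parse to nothing.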
Post #2 | Aug 29 2008, 06:41 PM
Forum Addict | Group: HJT Team | Posts: 2,340 | Joined: 27-October 06 | From: somewhere | Member No.: 92,376
Hello spaulds

Welcome to BleepingComputer
========================
One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
===============================
First::
The first thing I will need you to do is to Download ONE of these anti-virus programs and install it. These are free.

AVG free 8.0
Note this is free antispyware protection and Antivirus protection.
or
Antivir
=====================
Then::
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on ComboFix.exe & follow the prompts.
Post #3 | Aug 29 2008, 07:51 PM
New Member | Group: Members | Posts: 6 | Joined: 29-August 08 | Member No.: 234,371
Hello Kahdah

Thank you for your quick response. I followed your instructions (I think). I had a problem rebooting; it took two tries, but it was able to boot the second try without having to go to safe mode. I am getting all kinds of error messages when it does boot.

ComboFix 08-08-29.02 - chris 08/29/2008 20:22:36.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1738 [GMT -4:00]
Running from: C:\Documents and Settings\chris.SERVER\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\CHRIS~1.SER\LOCALS~1\Temp\WowInitcode.dll
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com\ud.sol
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\index.dat
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com\ud.sol
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\WINNT\dcbdcatys32_080823a.dll
C:\WINNT\dcbdcatys32_080828a.dll
C:\WINNT\Install.txt
C:\WINNT\system\sgcxcxxaspf080828.exe
C:\WINNT\system32\comsa32.sys
C:\WINNT\system32\dbi102.dll
C:\WINNT\system32\drivers\secdrv.sys
C:\WINNT\system32\inf\scsys16_080828.dll
C:\WINNT\system32\inf\sppdcrs080828.scr
C:\WINNT\system32\inf\svchoct.exe
C:\WINNT\system32\inf\svchosd.exe
C:\WINNT\system32\Install.txt
C:\WINNT\system32\KarnaDrv.dll
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\mmchost.dll
C:\WINNT\system32\mywfhit.ini
C:\WINNT\system32\mywfhit.ini.tmp
C:\WINNT\system32\REGOBJ.DLL
C:\WINNT\system32\rtl60.bpl
C:\WINNT\system32\syspilog.pil
C:\WINNT\system32\tmp0_185021627040.bk
C:\WINNT\system32\tmp0_203809273674.bk
C:\WINNT\system32\tmp0_71020647038.bk
C:\WINNT\system32\tmpacj0.exe
C:\WINNT\system32\zordisa.dll
C:\WINNT\tawisys.ini
C:\WINNT\Web\default.htt
C:\WINNT\wftadfi16_080828a.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_SEICTRL
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_afinding
-------\Service_macidwe
-------\Service_Pandrv
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_seictrl
-------\Service_sobicyt
-------\Service_tdxdowkc
-------\Service_wserving


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 20:22 . 08-08-29 20:22 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_300.dat
2008-08-29 13:43 . 08-08-29 13:43 <DIR> d-------- C:\Program Files\Registry Booster
2008-08-29 13:10 . 08-08-29 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 13:09 . 08-08-29 13:22 <DIR> d-------- C:\Program Files\hijack
2008-08-29 12:59 . 08-08-29 12:59 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-08-29 11:53 . 08-08-29 11:53 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-08-29 11:31 . 08-08-29 11:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-29 11:31 . 08-08-29 11:39 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
2008-08-29 11:26 . 08-08-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-29 11:24 . 08-08-29 11:25 <DIR> d-------- C:\Program Files\AdAware
2008-08-29 10:20 . 08-08-29 10:37 <DIR> d-------- C:\Program Files\LSPFix
2008-08-23 16:51 . 08-08-23 16:51 <DIR> d-------- C:\WINNT\system32\1024
2008-08-23 16:51 . 08-08-23 16:51 108,336 --a------ C:\WINNT\system32\MSWINSCK.OCX
2008-08-22 13:20 . 08-08-25 14:29 <DIR> d-------- C:\Documents and Settings\chris.SERVER\.housecall6.6
2008-08-21 05:14 . 08-08-21 05:14 <DIR> d-------- C:\windows
2008-08-20 12:57 . 08-08-20 12:57 <DIR> d---s---- C:\Documents and Settings\Default User.WINNT\UserData
2008-08-18 22:53 . 08-08-29 20:23 <DIR> d-------- C:\WINNT\system32\inf
2008-08-10 18:13 . 08-08-10 18:13 12,586 --a------ C:\Program Files\wsv.exe
2008-07-12 12:23 . 08-07-12 12:23 <DIR> d-------- C:\Documents and Settings\chris.SERVER\Application Data\Uniblue
2008-07-10 06:00 . 08-07-10 06:00 251,152 --a------ C:\WINNT\system32\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 14:36 --------- d-----w C:\Program Files\Google
2008-08-29 04:00 --------- d---a-w C:\Program Files\PokerStars
2008-08-08 04:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-08 04:28 --------- d-----w C:\Documents and Settings\chris.SERVER\Application Data\Verizon
2008-06-25 19:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
2008-06-25 19:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL
2008-06-25 19:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
2008-06-25 19:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
2008-06-25 19:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll
2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll
2008-06-20 13:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-05-16 15:58 12,632 ----a-w C:\WINNT\system32\lsdelete.exe
2005-08-15 18:43 271 ---h--w C:\Program Files\desktop.ini
2005-08-15 18:43 21,952 ---h--w C:\Program Files\folder.htt
2004-12-16 15:02 7,741,352 ----a-w C:\Program Files\DivX521XP2K.exe
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2000-02-02 00:01 40,960 --sh--r C:\WINNT\system32\Karna1Drv.dll

.
------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [06-11-30 22:49 4662776]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [07-03-01 10:37 2321600]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

--------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49, on 2008-08-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\CF25768.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Poker - Bodog\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

--
End of file - 6894 bytes

Thank you for your help!!!
Post #4 | Aug 29 2008, 08:47 PM
Forum Addict | Group: HJT Team | Posts: 2,340 | Joined: 27-October 06 | From: somewhere | Member No.: 92,376
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

```
File::
C:\Program Files\wsv.exe
C:\WINNT\system32\Karna1Drv.dll
c:\windows\svchost.exe

Folder::
C:\WINNT\system32\1024

Driver::
Messager
```

Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Post #5 | Aug 29 2008, 09:09 PM
New Member | Group: Members | Posts: 6 | Joined: 29-August 08 | Member No.: 234,371
Hi Kahdah

It booted first shot this time...still an error message or two.

ComboFix 08-08-29.02 - chris 2008-08-29 21:53:29.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1763 [GMT -4:00]
Running from: C:\Documents and Settings\chris.SERVER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\chris.SERVER\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\wsv.exe
c:\windows\svchost.exe
C:\WINNT\system32\Karna1Drv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\wsv.exe
c:\windows\svchost.exe
C:\WINNT\system32\1024
C:\WINNT\system32\1024\svchost.exe
C:\WINNT\system32\Karna1Drv.dll

.
---- Previous Run -------
.
C:\DOCUME~1\CHRIS~1.SER\LOCALS~1\Temp\WowInitcode.dll
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com\ud.sol
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\index.dat
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com\ud.sol
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\WINNT\dcbdcatys32_080823a.dll
C:\WINNT\dcbdcatys32_080828a.dll
C:\WINNT\Install.txt
C:\WINNT\system\sgcxcxxaspf080828.exe
C:\WINNT\system32\comsa32.sys
C:\WINNT\system32\dbi102.dll
C:\WINNT\system32\drivers\secdrv.sys
C:\WINNT\system32\inf\scsys16_080828.dll
C:\WINNT\system32\inf\sppdcrs080828.scr
C:\WINNT\system32\inf\svchoct.exe
C:\WINNT\system32\inf\svchosd.exe
C:\WINNT\system32\Install.txt
C:\WINNT\system32\KarnaDrv.dll
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\mmchost.dll
C:\WINNT\system32\mywfhit.ini
C:\WINNT\system32\mywfhit.ini.tmp
C:\WINNT\system32\REGOBJ.DLL
C:\WINNT\system32\rtl60.bpl
C:\WINNT\system32\syspilog.pil
C:\WINNT\system32\tmp0_185021627040.bk
C:\WINNT\system32\tmp0_203809273674.bk
C:\WINNT\system32\tmp0_71020647038.bk
C:\WINNT\system32\tmpacj0.exe
C:\WINNT\system32\zordisa.dll
C:\WINNT\tawisys.ini
C:\WINNT\Web\default.htt
C:\WINNT\wftadfi16_080828a.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_SEICTRL
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_afinding
-------\Service_macidwe
-------\Service_Pandrv
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_seictrl
-------\Service_sobicyt
-------\Service_tdxdowkc
-------\Service_wserving
-------\Legacy_MESSAGER
-------\Service_Messager


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 13:43 . 08-08-29 13:43 <DIR> d-------- C:\Program Files\Registry Booster
2008-08-29 13:10 . 08-08-29 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 13:09 . 08-08-29 13:22 <DIR> d-------- C:\Program Files\hijack
2008-08-29 12:59 . 08-08-29 12:59 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-08-29 11:53 . 08-08-29 11:53 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-08-29 11:31 . 08-08-29 11:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-29 11:31 . 08-08-29 11:39 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
2008-08-29 11:26 . 08-08-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-29 11:24 . 08-08-29 11:25 <DIR> d-------- C:\Program Files\AdAware
2008-08-29 10:20 . 08-08-29 10:37 <DIR> d-------- C:\Program Files\LSPFix
2008-08-23 16:51 . 08-08-23 16:51 108,336 --a------ C:\WINNT\system32\MSWINSCK.OCX
2008-08-22 13:20 . 08-08-25 14:29 <DIR> d-------- C:\Documents and Settings\chris.SERVER\.housecall6.6
2008-08-21 05:14 . 08-08-29 21:53 <DIR> d-------- C:\windows
2008-08-20 12:57 . 08-08-20 12:57 <DIR> d---s---- C:\Documents and Settings\Default User.WINNT\UserData
2008-08-18 22:53 . 08-08-29 20:23 <DIR> d-------- C:\WINNT\system32\inf
2008-07-12 12:23 . 08-07-12 12:23 <DIR> d-------- C:\Documents and Settings\chris.SERVER\Application Data\Uniblue
2008-07-10 06:00 . 08-07-10 06:00 251,152 --a------ C:\WINNT\system32\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 14:36 --------- d-----w C:\Program Files\Google
2008-08-29 04:00 --------- d---a-w C:\Program Files\PokerStars
2008-08-08 04:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-08 04:28 --------- d-----w C:\Documents and Settings\chris.SERVER\Application Data\Verizon
2005-08-15 18:43 271 ---h--w C:\Program Files\desktop.ini
2005-08-15 18:43 21,952 ---h--w C:\Program Files\folder.htt
2004-12-16 15:02 7,741,352 ----a-w C:\Program Files\DivX521XP2K.exe

.
------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [06-11-30 22:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [BU]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [07-03-01 10:37 2321600]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 13:03 36975]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-04 00:09 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 39792]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [08-05-14 15:17 2682216]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\system32\mobsync.exe]
"WinFaxAppPortStarter"="wfxsnt40.exe" [00-09-29 00:58 43008 C:\WINNT\system32\WFXSNT40.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 15:05 186640]

C:\Documents and Settings\chris\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624]

C:\Documents and Settings\chris.SERVER\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Controller.LNK - C:\Program Files\WinFax\WFXCTL32.EXE [2006-02-14 14:14:56 542208]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-03-10 10:40:30 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [98-07-27 05:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zordisa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe [05-03-10 08:30 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 15:05 ]
S0 lannui;LAN MSFW adapter;C:\WINNT\system32\lannui.sys []
S4 nobicyt;nobicyt Service;C:\WINNT\system32\Nobicyt.exe []
S4 wfxsvc;WinFax PRO;C:\WINNT\system32\WFXSVC.EXE [00-09-29 00:58 ]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 21:59:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-29 22:03:05 - machine was rebooted [chris]
ComboFix-quarantined-files.txt 2008-08-30 02:02:58

Pre-Run: 593,588,224 bytes free
Post-Run: 582,934,528 bytes free

173 --- E O F --- 2008-08-29 15:54:32
Aug 29 2008, 09:14 PM
Post
#6
Forum Addict Group: HJT Team Posts: 2,340 Joined: 27-October 06 From: somewhere Member No.: 92,376
1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
Driver::
lannui
nobicyt

File::
C:\WINNT\system32\lannui.sys
C:\WINNT\system32\Nobicyt.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
-------------------- |
Aug 29 2008, 09:46 PM
Post
#7
New Member Group: Members Posts: 6 Joined: 29-August 08 Member No.: 234,371
I am getting fewer error messages.
ComboFix 08-08-29.02 - chris 08/29/2008 22:32:00.3 - NTFSx86 Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1750 [GMT -4:00] Running from: C:\Documents and Settings\chris.SERVER\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\chris.SERVER\Desktop\CFScript.txt WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINNT\system32\lannui.sys C:\WINNT\system32\Nobicyt.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com\ud.sol C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NOBICYT -------\Service_lannui -------\Service_nobicyt ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 ))))))))))))))))))))))))))))))) . 2008-08-29 13:43 . 08-08-29 13:43 <DIR> d-------- C:\Program Files\Registry Booster 2008-08-29 13:10 . 08-08-29 13:10 <DIR> d-------- C:\Program Files\Trend Micro 2008-08-29 13:09 . 08-08-29 13:22 <DIR> d-------- C:\Program Files\hijack 2008-08-29 12:59 . 08-08-29 12:59 <DIR> d-------- C:\Program Files\ProcessExplorer 2008-08-29 11:53 . 08-08-29 11:53 <DIR> d-------- C:\WINNT\msiinst.tmp 2008-08-29 11:31 . 08-08-29 11:31 <DIR> d-------- C:\Program Files\Lavasoft 2008-08-29 11:31 . 08-08-29 11:39 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft 2008-08-29 11:26 . 
08-08-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-08-29 11:24 . 08-08-29 11:25 <DIR> d-------- C:\Program Files\AdAware 2008-08-29 10:20 . 08-08-29 10:37 <DIR> d-------- C:\Program Files\LSPFix 2008-08-23 16:51 . 08-08-23 16:51 108,336 --a------ C:\WINNT\system32\MSWINSCK.OCX 2008-08-22 13:20 . 08-08-25 14:29 <DIR> d-------- C:\Documents and Settings\chris.SERVER\.housecall6.6 2008-08-21 05:14 . 08-08-29 21:53 <DIR> d-------- C:\windows 2008-08-20 12:57 . 08-08-20 12:57 <DIR> d---s---- C:\Documents and Settings\Default User.WINNT\UserData 2008-08-18 22:53 . 08-08-29 20:23 <DIR> d-------- C:\WINNT\system32\inf 2008-07-12 12:23 . 08-07-12 12:23 <DIR> d-------- C:\Documents and Settings\chris.SERVER\Application Data\Uniblue 2008-07-10 06:00 . 08-07-10 06:00 251,152 --a------ C:\WINNT\system32\es.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-29 14:36 --------- d-----w C:\Program Files\Google 2008-08-29 04:00 --------- d---a-w C:\Program Files\PokerStars 2008-08-08 04:28 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-08 04:28 --------- d-----w C:\Documents and Settings\chris.SERVER\Application Data\Verizon 2005-08-15 18:43 271 ---h--w C:\Program Files\desktop.ini 2005-08-15 18:43 21,952 ---h--w C:\Program Files\folder.htt 2004-12-16 15:02 7,741,352 ----a-w C:\Program Files\DivX521XP2K.exe 2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys . ------- Sigcheck ------- 01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! 
Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [06-11-30 22:49 4662776] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [BU] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [07-03-01 10:37 2321600] "ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 13:03 36975] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-04 00:09 282624] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 39792] "Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [08-05-14 15:17 2682216] "Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\system32\mobsync.exe] "WinFaxAppPortStarter"="wfxsnt40.exe" [00-09-29 00:58 43008 C:\WINNT\system32\WFXSNT40.EXE] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 15:05 186640] C:\Documents and Settings\chris\Start Menu\Programs\Startup\ HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624] C:\Documents and Settings\chris.SERVER\Start Menu\Programs\Startup\ HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624] C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\ Controller.LNK - C:\Program Files\WinFax\WFXCTL32.EXE [2006-02-14 14:14:56 542208] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-03-10 10:40:30 757760] Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423] 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [98-07-27 05:54 38400] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"= mmdrv.dll R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe [05-03-10 08:30 ] R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 15:05 ] S4 wfxsvc;WinFax PRO;C:\WINNT\system32\WFXSVC.EXE [00-09-29 00:58 ] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-29 22:37:10 Windows 5.0.2195 Service Pack 4 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2008-08-29 22:40:47 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-30 02:40:40 ComboFix2.txt 2008-08-30 02:03:05 Pre-Run: 836,153,344 bytes free Post-Run: 830,291,968 bytes free 107 --- E O F --- 2008-08-29 15:54:32 --------------------------------------------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:43:20 PM, on 8/29/2008 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINNT\system32\drivers\CDAC11BA.EXE C:\WINNT\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\wfxsnt40.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\WinFax\WFXCTL32.EXE C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\Handspring\HOTSYNC.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\WINNT\system32\wuauclt.exe C:\Program Files\WinFax\WFXMOD32.EXE C:\WINNT\explorer.exe C:\WINNT\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINNT\system32\DllHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [Yahoo! 
Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user') O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing) O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} 
- C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Poker - Bodog\Bodog Poker\BPGame.exe (file missing) O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe -- End of file - 6658 bytes |
Aug 29 2008, 09:52 PM
Post
#8
Forum Addict Group: HJT Team Posts: 2,340 Joined: 27-October 06 From: somewhere Member No.: 92,376
Ok good, they will stop by the time we are done.

Go ahead and install one of the antivirus programs below:

AVG free 8.0
Note this is free antispyware protection and antivirus protection.
or
Antivir
as long as you only install one.

=====================

Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.