
“the Application Or Dll C:\windows\system32\wowfx.dll Is Not A Valid Windows Image. Please Check This Against Your Installation Diskette.” Need Help


4 replies to this topic

#1 Bezt

  • Members
  • 3 posts

Posted 04 January 2008 - 02:00 AM

I have been getting this message “the Application Or Dll C:\windows\system32\wowfx.dll Is Not A Valid Windows Image. Please Check This Against Your Installation Diskette.” and here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:12:00 AM, on 2008/01/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\PROGRA~1\UpsPilot\wpRMI.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Copy Handler\Copy Handler.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\UpsPilot\Winpower.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\netbeans-5.5\bin\netbeans.exe
C:\Program Files\netbeans-5.5\platform6\lib\nbexec.exe
C:\Program Files\netbeans-5.5\platform6\lib\nbexec.exe
C:\Program Files\Java\jdk1.5.0_11\jre\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Copy handler] C:\Program Files\Copy Handler\Copy Handler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FlyAway] C:\Documents and Settings\Balleng2\My Documents\FlyAway.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Registration Ghost Recon Advanced Warfighter® 2.LNK = C:\Program Files\UBISOFT\Ghost Recon Advanced Warfighter 2\Support\Register\RegistrationReminder.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mecer.co.za
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153538134062
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E818DB-BAD7-4C80-8883-01974B7B8147}: NameServer = 172.16.254.254 10.0.20.2
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Winpowermanager - Macrovision - C:\PROGRA~1\UpsPilot\manager.exe
O23 - Service: Winpowermonitor - Macrovision - C:\PROGRA~1\UpsPilot\monitor.exe
O23 - Service: WinpowerRMI - Macrovision - C:\PROGRA~1\UpsPilot\wpRMI.exe

--
End of file - 10237 bytes


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 05 January 2008 - 05:12 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Bezt.
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 Bezt
  • Topic Starter

  • Members
  • 3 posts

Posted 07 January 2008 - 02:20 AM

ComboFix 08-01-07.4 - Balleng2 2008-01-07 9:05:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278 [GMT 2:00]
Running from: C:\Documents and Settings\Balleng2\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\UpsPilot\classes\com\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\launcher\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\management\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\management\transport\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\servlets\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\beans\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\corba\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\ejb\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\mibs\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\mibs\mibparser\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\rmi\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\sas\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\snmp2\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\snmp2\usm\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\snmp2\vacm\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\ui\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\ui\images\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\snmp\utils\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\utils\_desktop.ini
C:\Program Files\UpsPilot\classes\com\adventnet\utils\images\_desktop.ini
C:\Program Files\UpsPilot\classes\java\_desktop.ini
C:\Program Files\UpsPilot\classes\java\io\_desktop.ini
C:\Program Files\UpsPilot\help\en\images\_desktop.ini
C:\Program Files\UpsPilot\Icon\_desktop.ini
C:\Program Files\UpsPilot\images\_desktop.ini
C:\Program Files\UpsPilot\jdk1.2_classes\com\_desktop.ini
C:\Program Files\UpsPilot\jdk1.2_classes\com\adventnet\_desktop.ini
C:\Program Files\UpsPilot\jdk1.2_classes\com\adventnet\snmp\_desktop.ini
C:\Program Files\UpsPilot\jdk1.2_classes\com\adventnet\snmp\snmp2\_desktop.ini
C:\Program Files\UpsPilot\jdk1.2_classes\com\adventnet\snmp\snmp2\usm\_desktop.ini
C:\Program Files\UpsPilot\sounds\_desktop.ini
C:\WINDOWS\system32\drivers\RKK35.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\mscore.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RKK35


((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 09:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 11:35 . 2008-01-04 11:35 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-04 11:35 . 2008-01-04 11:35 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-01-04 11:33 . 2008-01-04 11:33 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-01-04 11:33 . 2006-11-13 15:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-01-04 11:33 . 2007-06-18 15:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-01-04 10:25 . 2008-01-04 10:35 3,332 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-04 10:23 . 2008-01-04 10:37 <DIR> d-------- C:\Documents and Settings\Balleng2\SmitfraudFix
2008-01-04 07:54 . 2008-01-04 07:54 <DIR> d-------- C:\Program Files\SonicWallES
2008-01-03 15:56 . 2008-01-03 15:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 13:02 . 2008-01-03 13:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-03 13:02 . 2008-01-03 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-03 12:13 . 2008-01-03 12:14 <DIR> d-------- C:\Documents and Settings\Balleng2\Application Data\PrevxCSI
2008-01-03 12:13 . 2008-01-03 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-02 15:08 . 2008-01-04 10:20 4,449 --a------ C:\rollback.ini
2008-01-02 13:14 . 2008-01-02 13:14 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-02 13:14 . 2008-01-03 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-02 13:13 . 2008-01-05 01:20 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-02 13:13 . 2008-01-04 11:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-02 13:13 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-02 13:13 . 2008-01-04 10:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-02 13:03 . 2008-01-02 13:03 29 --a------ C:\WINDOWS\system32\rruwppds.tmp
2008-01-02 13:02 . 2006-02-28 14:00 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2008-01-02 13:02 . 2006-02-28 14:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2008-01-02 12:51 . 2008-01-02 12:51 16,384 --a------ C:\WINDOWS\system32\users32.dat.vzr
2008-01-02 12:50 . 2008-01-02 15:09 0 --a------ C:\WINDOWS\system32\wowfx.dl
2007-12-31 12:24 . 2007-12-31 12:24 <DIR> d-------- C:\Program Files\Motorola
2007-12-27 11:26 . 2007-12-27 11:38 <DIR> d-------- C:\Documents and Settings\Balleng2\Application Data\vlc
2007-12-19 12:50 . 2007-12-20 17:09 <DIR> dr------- C:\UDC Output Files
2007-12-19 12:50 . 2007-12-19 12:50 <DIR> d-------- C:\Program Files\Universal Document Converter
2007-12-19 12:50 . 2007-08-14 20:57 5,632 --a------ C:\WINDOWS\system32\udcpm.dll
2007-12-12 08:27 . 2008-01-07 05:18 <DIR> d-------- C:\Program Files\UpsPilot
2007-12-12 08:27 . 2007-12-12 08:27 60,156 --a------ C:\WINDOWS\system32\jspWinNm.DLL
2007-12-12 08:27 . 2007-12-12 08:27 56,320 --a------ C:\WINDOWS\system32\smemory.dll
2007-12-12 08:27 . 2007-12-12 08:27 53,248 --a------ C:\WINDOWS\system32\jspWinRni.DLL
2007-12-12 08:27 . 2007-12-12 08:27 51,200 --a------ C:\WINDOWS\system32\TrayIcon12.dll
2007-12-12 08:27 . 2007-12-12 08:27 45,056 --a------ C:\WINDOWS\system32\jspWin.dll
2007-12-12 08:27 . 2007-12-12 08:27 35,992 --a------ C:\WINDOWS\system32\jspWinRnia.DLL
2007-12-11 15:45 . 2007-12-11 15:45 <DIR> d-------- C:\Program Files\DivX
2007-12-08 03:03 . 2007-12-08 03:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-08 03:00 . 2007-12-08 03:00 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-12-07 19:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-07 19:31 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-07 19:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-07 13:24 . 2007-12-07 14:21 <DIR> d-------- C:\Documents and Settings\Balleng2\Application Data\Yahoo!
2007-12-07 13:18 . 2007-12-07 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-07 13:14 . 2007-12-11 08:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-07 12:40 . 2007-12-08 03:01 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-12-07 12:40 . 2007-12-07 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-12-07 12:39 . 2008-01-02 12:54 <DIR> d-------- C:\Program Files\MSN Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 07:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-03 11:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-02 13:58 --------- d-----w C:\Program Files\netbeans-5.5
2008-01-02 10:54 --------- d-----w C:\Program Files\Copy Handler
2008-01-02 10:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-31 10:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-27 09:25 --------- d-----w C:\Program Files\VideoLAN
2007-12-12 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-26 12:00 --------- d-----w C:\Program Files\Java
2007-11-19 14:14 --------- d-----w C:\Program Files\netbeans-5.5.1
2007-11-19 07:02 --------- d-----w C:\Program Files\Intel
2007-11-16 13:32 --------- d-----w C:\Documents and Settings\pbel5\Application Data\Teleca
2007-11-16 13:32 --------- d-----w C:\Documents and Settings\pbel5\Application Data\Sony Ericsson
2007-11-15 12:15 --------- d-----w C:\Documents and Settings\Balleng2\Application Data\Teleca
2007-11-15 11:46 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-11-15 11:37 --------- d-----w C:\Documents and Settings\Balleng2\Application Data\Sony Ericsson
2007-11-15 11:34 --------- d-----w C:\Program Files\Sony Ericsson
2007-11-15 11:34 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-11-15 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-11-15 11:29 --------- d-----w C:\Program Files\Disc2Phone
2007-11-14 10:33 --------- d-----w C:\Program Files\Google
2007-11-14 10:31 --------- d-----w C:\Documents and Settings\Balleng2\Application Data\Skype
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-22 11:59 471,040 ----a-w C:\WINDOWS\jd_screensaver03-spin.scr
2007-10-22 11:58 12,288 ----a-w C:\WINDOWS\impborl.dll
2007-10-17 15:31 471,040 ----a-w C:\WINDOWS\mp2_screensaver_1024x768.scr
2007-04-12 19:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2007-06-13 08:35 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007061320070614\index.dat
.
Files Infected - Win32.Agent.zb
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Copy Handler\Copy Handler.exe
C:\Program Files\Softick\PPP\Bin\PPPGate.exe
C:\PROGRA~1\SYMANT~1\\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-02 13:14 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-02 13:14 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-02 12:51 5674352]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"FlyAway"="C:\Documents and Settings\Balleng2\My Documents\FlyAway.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 17:17 9134080]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-02 12:51 132496]
"SigmatelSysTrayApp"="sttray.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-01-02 12:51 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-02 12:51 53408]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 20:29 35328]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2008-01-02 12:51 3739648]
"Copy handler"="C:\Program Files\Copy Handler\Copy Handler.exe" [2008-01-02 12:51 156672]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SoftickPPP"="C:\Program Files\Softick\PPP\Bin\PPPGate.exe" [2008-01-02 12:51 160256]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 13:36 495616]
"Winpower"="C:\Program Files\UpsPilot\Winpower.exe" [2007-12-12 08:27 114688]
"UDC Integration"="" []
"taskmon"="C:\WINDOWS\taskmon.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2008-01-02 12:51 124656]

C:\Documents and Settings\Balleng2\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
Registration Ghost Recon Advanced Warfighterr 2.LNK - C:\Program Files\UBISOFT\Ghost Recon Advanced Warfighter 2\Support\Register\RegistrationReminder.exe [2007-10-02 14:12:53]

S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 15:18]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2007-09-10 12:34]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 13:54]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-01-04 13:01]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 12:55]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 12:55]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 12:56]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 12:56]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 12:56]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 12:56]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0edf7710-92b7-11dc-bab5-0019d12a63f8}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0edf7711-92b7-11dc-bab5-0019d12a63f8}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec13d80-a94d-11dc-bad7-0019d12a63f8}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abbd8487-1d8f-11dc-ba8d-0019d12a63f8}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e88d3622-2483-11dc-ba94-0019d12a63f8}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc66536a-6b31-11dc-baa4-0019d12a63f8}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 06:29:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 09:13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-07 9:18:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 07:18:28
.
2007-12-12 06:15:43 --- E O F ---
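The HijackThis log in post #1 and the ComboFix "mountpoints2" block in post #3 are both lists of autostart entries that a responder triages by category before deciding what to remove. As an added example that is not part of this thread and is not code from HijackThis, ComboFix or BleepingComputer, here is a small Python script that parses constructed lines in those two formats (paths copied from the posted logs, registry GUIDs replaced by placeholders) and flags the entries worth checking first: a populated AppInit_DLLs value, a Winsock LSP the tool could not identify, a Run entry launching from the Windows directory root, an orphaned BHO registration, and drive Shell verbs redirected to a file on the drive itself. The severity labels and the helper names `triage_hjt`, `triage_mountpoints` and `summarize` are assumptions of the example, not anything the tools themselves produce.

```python
"""Triage of HijackThis- and ComboFix-style autostart entries (added example)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # assumed scale: "high", "medium" or "low"
    source: str     # the log line that triggered the finding
    reason: str


# Constructed sample, modelled on the HijackThis line format used in this thread.
# File paths are the ones posted in the thread; no other values are real.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
""".strip().splitlines()

# Constructed sample, modelled on the ComboFix 'mountpoints2' block; the GUID is a placeholder.
SAMPLE_MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{PLACEHOLDER-GUID}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com
""".strip().splitlines()

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)
MP_COMMAND = re.compile(r"^\\Shell\\(?P<verb>AutoRun|explore|open)\\command - (?P<target>.+)$",
                        re.IGNORECASE)


def triage_hjt(lines):
    """Return findings for HijackThis lines, ordered as they appear in the log."""
    findings = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # user32.dll loads every DLL listed here into each process that links user32,
            # so a non-empty value deserves the first look.
            if body[len("AppInit_DLLs:"):].strip():
                findings.append(Finding("high", line,
                    "AppInit_DLLs is set: the DLL is loaded into every process that loads user32.dll"))
        elif code == "O10":
            findings.append(Finding("medium", line,
                "Winsock LSP file HijackThis could not identify; verify the DLL's publisher"))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", line,
                "orphaned BHO registration: the target DLL is missing"))
        elif code == "O4":
            r = RUN_ENTRY.match(body)
            p = EXE_PATH.match(r.group("cmd")) if r else None
            # Legitimate autostarts almost always live under Program Files or system32;
            # an executable sitting directly in C:\WINDOWS is worth verifying.
            if p and ntpath.dirname(p.group("path")).lower() == r"c:\windows":
                findings.append(Finding("medium", line,
                    "Run entry launches an executable from the Windows directory root"))
    return findings


def triage_mountpoints(lines):
    """Flag per-drive Shell verbs that have been pointed at a file on the drive itself."""
    findings = []
    for line in lines:
        m = MP_COMMAND.match(line.strip())
        if m:
            findings.append(Finding("high", line,
                f"drive '{m.group('verb')}' verb redirected to {m.group('target')}; "
                "this is how autorun.inf infections persist on removable media"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_mountpoints(SAMPLE_MOUNTPOINTS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.source}")
    print(summarize(triage_hjt(SAMPLE_HJT) + triage_mountpoints(SAMPLE_MOUNTPOINTS)))
```

The script only ranks entries for review; it does not decide that a file is malicious, which still needs the file's hash, signature and publisher checked. The mountpoints2 check is the one a responder would act on first here, because three separate verbs on a removable drive all pointing at the same file on that drive means the drive, not just the PC, needs cleaning.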

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 07 January 2008 - 05:04 AM

You have a Backdoor Trojan present on your pc.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

Let me know how you wish to proceed in your next reply.

#5 Bezt
  • Topic Starter

  • Members
  • 3 posts

Posted 22 January 2008 - 05:58 AM

Sorry for the delayed reply, I was waiting for my boss who was in Egypt... I would like to clean my PC and not format it... how do I go about it?



