Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hi, Some Trojans Got By


  • This topic is locked This topic is locked
19 replies to this topic

#1 jdef

jdef

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 11 February 2008 - 07:01 PM

Not sure how to handle this so any help is appreciated :thumbsup:
There seem to be some suspect lines in my log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:29 PM, on 11/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Wireless-N PCI Adapter\WLService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAP Premium\DAP.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fcccyya.dll (file missing)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP Premium\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP Premium\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201929794308
O20 - Winlogon Notify: fcccyya - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Wireless-N PCI Adapter\WLService.exe

--
End of file - 5224 bytes

BC AdBot (Login to Remove)

 


m

#2 jdef

jdef
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 13 February 2008 - 02:08 AM

My system is killing itself.
It started with some trojans that started slowing everything down from internet access to higher end system functions.
Now my computer cannot maintain a stable internet or even basic windows connection longer than an hour.
It is affecting my computer's ability to read ALL of my secondary HD's.

This is my second application for help. If this place in line is not a priority at least tell me what I need to do to assure an absolutely clean re-format.install of windows sans viruses.

Thank you..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:23 AM, on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Wireless-N PCI Adapter\WLService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAP Premium\DAP.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fcccyya.dll (file missing)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP Premium\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP Premium\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201929794308
O20 - Winlogon Notify: fcccyya - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Wireless-N PCI Adapter\WLService.exe

--
End of file - 5304 bytes

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 20 February 2008 - 11:18 PM

Hello jdef,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay.:blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 jdef

jdef
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 22 February 2008 - 08:12 PM

Hi Tea, thanks for replying, here is an up to date log: (i know avg is not on right now :thumbsup: )

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:58 PM, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Wireless-N PCI Adapter\WLService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fcccyya.dll (file missing)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201929794308
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - Winlogon Notify: fcccyya - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Wireless-N PCI Adapter\WLService.exe

--
End of file - 5648 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 25 February 2008 - 05:37 PM

Hello,

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 jdef

jdef
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 28 February 2008 - 06:50 AM

When I downloaded ComboFix, it sped through the DL until the end when it paused for several seconds before the speed slowed to a crawl, then it finished.
When I launched the program I passed the disclaimer screen then it said, "Roughly 1/100 machines failed to make it through the disinfection process !! Are you sure you want to do this?? Yes/No".

I said no to continuing as I was unsure what that meant. When I did this, the program icon on my screen dissapeared. I downloaded the program again but when I did AVG detected virus.Heur.Invader (modification). I obviously denied the virus' action; it seemed logical the DL'ed file was corrupted so I deleted it...

Also in my C:\ I found a kmd.exe file and an empty folder called QooBox whatever that is. Strange.

Is there somewhere else I can get combofix without DL'ing just an .exe?

Here is my log now..

Thanks again,
jD

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:08 AM, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Wireless-N PCI Adapter\WLService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\fcccyya.dll (file missing)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201929794308
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - Winlogon Notify: fcccyya - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Wireless-N PCI Adapter\WLService.exe

--
End of file - 5452 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 28 February 2008 - 10:31 AM

Hello,

It was supposed to look like that, everything you described. It isn't corrupt. Delete Qoobox and kmd.exe and do it again,please, this time saying yes when it asks. This is a warning just like any other warning you find on most everything you buy these days. It isn't meant to scare you, and it isn't saying your system is trashed, just that ComboFix might not make it through the process. If this still bothers you we can do this the hard way, and it will take much longer. Up to you. :thumbsup:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 jdef

jdef
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 28 February 2008 - 11:15 PM

Hi tea,
I ran combofix, but it tanked my internet and cd rom accessability. I reinstalled windows over the previous copy and it allowed me to install my wireless drivers
Here are the logs:

HT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:12 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wireless-N PCI Adapter\WLService.exe
C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204249552416
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Wireless-N PCI Adapter\WLService.exe

--
End of file - 2256 bytes






COMBOFIX

ComboFix 08-02-25.3 - jd 2008-02-28 16:39:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.173 [GMT -7:00]
Running from: C:\Documents and Settings\jd\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-20 23:32 . 2008-02-28 15:04 <DIR> d-------- C:\Downloads
2008-02-20 23:10 . 2008-02-20 23:11 <DIR> d-------- C:\Documents and Settings\jd\Application Data\GetRight Pro
2008-02-20 23:07 . 2008-02-28 15:44 <DIR> d-------- C:\Program Files\GetRight
2008-02-20 22:02 . 2008-02-20 22:43 <DIR> d-------- C:\Documents and Settings\jd\Application Data\Download Manager
2008-02-20 21:17 . 2008-02-20 21:17 <DIR> d-------- C:\Program Files\MagicISO
2008-02-20 17:40 . 2007-12-20 10:43 248,448 --a------ C:\WINDOWS\SYSTEM32\PROUnstl.exe
2008-02-18 20:44 . 2008-02-23 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-18 12:45 . 2004-08-04 01:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-02-18 12:45 . 2004-08-03 23:58 15,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2008-02-18 12:45 . 2004-08-03 23:58 15,104 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\usbscan.sys
2008-02-18 12:45 . 2001-08-17 23:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
2008-02-11 23:44 . 1998-08-20 04:02 140,800 --a------ C:\WINDOWS\SYSTEM32\tm20dec.ax
2008-02-11 23:44 . 1998-09-02 01:28 38,160 --a------ C:\WINDOWS\SYSTEM32\LMRTREND.dll
2008-02-11 23:44 . 2008-02-11 23:44 289 --a------ C:\WINDOWS\EReg072.dat
2008-02-11 23:43 . 1998-08-26 21:51 182,032 --a------ C:\WINDOWS\SYSTEM32\dxtmsft3.dll
2008-02-11 23:42 . 1998-09-02 01:02 194,320 --a------ C:\WINDOWS\SYSTEM32\qcut.dll
2008-02-11 23:42 . 1998-09-02 01:28 63,488 --a------ C:\WINDOWS\SYSTEM32\unam4ie.exe
2008-02-11 23:42 . 1998-08-17 02:21 11,776 --a------ C:\WINDOWS\SYSTEM32\mciqtz.drv
2008-02-11 23:42 . 1998-08-17 02:21 10,240 --a------ C:\WINDOWS\SYSTEM32\vidx16.dll
2008-02-11 23:42 . 1998-08-17 02:21 5,672 --a------ C:\WINDOWS\SYSTEM32\quartz.vxd
2008-02-11 23:42 . 2008-02-11 23:42 4,608 --a------ C:\WINDOWS\SYSTEM32\w95inf32.dll
2008-02-11 23:42 . 2008-02-11 23:42 2,272 --a------ C:\WINDOWS\SYSTEM32\w95inf16.dll
2008-02-11 23:33 . 2008-02-11 23:33 <DIR> d-------- C:\Program Files\Electronic Arts
2008-02-11 23:33 . 2008-02-11 23:33 <DIR> d-------- C:\Documents and Settings\jd\WINDOWS
2008-02-11 23:33 . 1996-11-05 17:13 299,008 --a------ C:\WINDOWS\uninst.exe
2008-02-10 23:32 . 2008-02-18 20:45 174,080 --a------ C:\WINDOWS\Adobe Photoshop CS3 Keygen.exe
2008-02-08 20:15 . 2008-02-08 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-02-08 20:14 . 2008-02-08 23:27 <DIR> d-------- C:\Documents and Settings\jd\Application Data\Azureus
2008-02-08 20:08 . 2008-02-09 09:11 <DIR> d-------- C:\Program Files\Azureus
2008-02-08 00:06 . 2008-02-08 00:07 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-02-08 00:06 . 2008-02-08 00:06 <DIR> d-------- C:\Documents and Settings\jd\Application Data\DAEMON Tools
2008-02-07 23:34 . 2008-02-07 23:34 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-02-07 23:23 . 2008-02-08 00:03 716,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
2008-02-07 20:55 . 2008-02-07 20:55 <DIR> d-------- C:\Program Files\WinImage
2008-02-07 20:55 . 2005-10-16 09:00 12,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\filedisk.sys
2008-02-06 20:22 . 2008-02-06 22:10 <DIR> d-------- C:\Program Files\EA GAMES
2008-02-03 12:10 . 2008-02-03 12:10 <DIR> d-------- C:\Program Files\Soulseek-Test
2008-02-03 01:15 . 2008-02-03 01:16 <DIR> d-------- C:\Documents and Settings\jd\Application Data\Media Player Classic
2008-02-03 01:07 . 2008-02-03 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-02-02 15:01 . 2008-02-03 01:07 24 ---hs---- C:\WINDOWS\S3E6B0EA0.tmp
2008-02-02 15:00 . 2008-02-02 15:00 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-02-02 14:59 . 2008-02-02 14:59 <DIR> d-------- C:\Program Files\SlySoft
2008-02-02 14:10 . 2008-02-02 14:10 <DIR> d-------- C:\Documents and Settings\jd\Application Data\DivX
2008-02-02 13:45 . 2007-12-06 19:21 6,066,176 -----c--- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2008-02-02 13:45 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dat
2008-02-02 13:45 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll.mui
2008-02-02 13:45 . 2007-12-06 19:21 459,264 -----c--- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2008-02-02 13:45 . 2007-12-06 19:21 383,488 -----c--- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2008-02-02 13:45 . 2007-12-06 19:21 267,776 -----c--- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2008-02-02 13:45 . 2007-12-06 19:21 63,488 -----c--- C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2008-02-02 13:45 . 2007-12-06 19:21 52,224 -----c--- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2008-02-02 13:45 . 2007-12-06 04:00 13,824 -----c--- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-02-02 13:29 . 2008-02-02 13:29 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-02 13:26 . 2008-02-02 13:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-02-02 13:26 . 2008-02-03 10:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-02-02 13:15 . 2008-02-02 13:15 <DIR> d-------- C:\Program Files\DivX
2008-02-02 13:06 . 2008-02-02 13:06 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-02 12:05 . 2008-02-02 12:07 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-02 12:03 . 2008-02-20 20:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-02 12:00 . 2008-02-02 12:02 172,032 --a------ C:\WINDOWS\SYSTEM32\AniGIF.ocx
2008-02-02 10:23 . 2008-02-02 11:31 91,700 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-02-02 10:23 . 2008-02-02 11:31 85,860 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-02-02 10:21 . 2008-02-02 10:21 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-02 10:21 . 2008-02-28 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-02 10:21 . 2008-02-28 16:53 7,354,400 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-02-02 10:21 . 2008-02-28 16:54 312,096 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-02-02 10:21 . 2008-02-28 16:51 121,472 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-02-02 10:21 . 2008-02-28 16:51 36,572 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-02-02 10:20 . 2008-02-02 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-02-02 04:25 . 2008-02-02 04:31 <DIR> d-------- C:\Documents and Settings\jd\Application Data\ICAClient
2008-02-02 04:24 . 2008-02-02 04:24 <DIR> d-------- C:\Program Files\Citrix
2008-02-02 02:48 . 2008-02-02 03:59 8 --a------ C:\WINDOWS\SYSTEM32\nvModes.dat
2008-02-02 02:41 . 2008-02-02 02:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-02-02 02:39 . 2008-02-02 02:39 <DIR> d-------- C:\WINDOWS\nview
2008-02-02 02:39 . 2007-12-05 02:41 356,352 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2008-02-02 02:39 . 2008-02-20 21:53 163,353 --a------ C:\WINDOWS\SYSTEM32\nvapps.xml
2008-02-02 02:39 . 2007-12-05 02:41 17,737 --a------ C:\WINDOWS\SYSTEM32\nvdisp.nvu
2008-02-02 02:38 . 2007-12-05 03:53 356,352 --a------ C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-02-02 00:42 . 2008-02-23 14:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-02 00:29 . 2008-02-02 00:29 130 --a------ C:\WINDOWS\ODBC.INI
2008-02-02 00:26 . 2008-02-02 00:26 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-02 00:22 . 2008-02-02 00:22 <DIR> d-------- C:\NVIDIA
2008-02-02 00:17 . 2008-02-02 00:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-02 00:17 . 2008-02-02 00:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 00:17 . 2008-02-02 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 23:59 . 2008-02-03 13:18 <DIR> d-------- C:\Program Files\Winamp
2008-02-01 23:59 . 2008-02-03 13:38 <DIR> d-------- C:\Documents and Settings\jd\Application Data\Winamp
2008-02-01 23:35 . 2008-02-01 23:36 <DIR> d-------- C:\Program Files\BitLord
2008-02-01 23:07 . 2008-02-12 20:07 <DIR> d-------- C:\Program Files\Wireless-N PCI Adapter
2008-02-01 23:07 . 2008-02-07 23:25 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-01 23:07 . 2008-02-02 02:38 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-01 23:07 . 2008-02-01 23:07 <DIR> d-------- C:\Program Files\Broadcom
2008-02-01 23:07 . 2006-04-25 00:51 3,149,824 --a------ C:\WINDOWS\SYSTEM32\BCMCFG.CPL
2008-02-01 23:04 . 2008-02-01 23:04 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2008-02-01 23:04 . 2008-02-01 23:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-02-01 23:01 . 2004-08-04 11:00 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex
2008-02-01 23:00 . 2004-08-04 11:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2008-02-01 22:59 . 2008-02-01 22:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
2008-02-01 22:59 . 2008-02-01 22:59 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-02-01 22:58 . 2008-02-02 00:01 316,640 --a------ C:\WINDOWS\WMSysPr9.prx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 21:06 266 --sh--w C:\Program Files\desktop.ini
2008-02-01 21:06 11,079 ---ha-w C:\Program Files\folder.htt
2008-02-01 20:59 5,166 --sh--w C:\SUHDLOG.DAT
2008-02-01 20:52 --------- d-----w C:\Program Files\PLUS!
2008-02-01 20:52 --------- d-----w C:\Program Files\CHAT
2008-02-01 20:52 --------- d-----r C:\Program Files\Accessories
2007-12-15 04:05 35,424 ----a-w C:\WINDOWS\SYSTEM32\e100bmsg.dll
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-11-29 14:38 40,056 ----a-w C:\WINDOWS\SYSTEM32\NicInst.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-04-25 00:51 1273856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 13:51 218376]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 12:21 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccyya]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-02-02 12:05]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe -start []
R2 WMP300NSvc;WMP300NSvc;"C:\Program Files\Wireless-N PCI Adapter\WLService.exe" "WMP300N.exe" []
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 15:58]

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 16:54:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-28 16:57:05 - machine was rebooted [jd]
ComboFix-quarantined-files.txt 2008-02-28 23:56:47
.
2008-02-13 09:49:39 --- E O F ---

Edited by jdef, 28 February 2008 - 11:34 PM.


#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 29 February 2008 - 11:42 PM

Hello,

So the ComboFix report was taken before you did the over the top? Downloaded any more cracks since then? :thumbsup: What little there is in your log looks clean, but I doubt it will stay that way long. Are you going to reinstall Kaspersky? If you'd rather, AVG, Avira OR Avast are good FREE antivirus.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 jdef

jdef
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 01 March 2008 - 02:21 AM

Yeah combofix log is from before the over the top.
AVG Free, gotcha :thumbsup:

Thanks again tea

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 02 March 2008 - 03:33 PM

Hi there,

Everything running all right still? :thumbsup:

You're most welcome for the help. If you just can't help yourself, please be very careful in the future with those cracks. Next time you might not be so lucky. Scan those files before you install them.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 09 March 2008 - 06:07 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 10 March 2008 - 10:33 PM

Topic reopened. :thumbsup: Please post a new HijackThis log for me.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 jdef

jdef
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 12 March 2008 - 09:51 PM

hi tea!
appreciate the help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:27 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wireless-N PCI Adapter\WLService.exe
C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204249552416
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Wireless-N PCI Adapter\WLService.exe

--
End of file - 3879 bytes

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 12 March 2008 - 10:31 PM

Hi there :thumbsup:

You're going to have to tell me what the system is up to, as there isn't much to go by in that log. Looks pretty good actually, and I see you have AVG installed. :blink:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users