
Please Help Me Before I Kill Myself Due To Annoying Computer Stress! I Will Buy You A Beer If You Do! Please Help Me!


This topic is locked. 6 replies to this topic.

#1 es4286 (Members, 3 posts)

Posted 14 February 2008 - 09:27 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:48 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eric\My Documents\?racle\w?crtupd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhff.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\system32\yatool.dll (file missing)
O2 - BHO: (no name) - {5ca51847-a9d3-49f7-99f0-5c965c63677c} - C:\WINDOWS\system32\artivyu.dll (file missing)
O2 - BHO: (no name) - {603FED95-5871-5AF8-0662-2900BCCB8BE8} - C:\WINDOWS\system32\txdo.dll (file missing)
O2 - BHO: (no name) - {9909BE84-3DDE-475F-9C6A-BAE88008E117} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\khfeefg.dll (file missing)
O4 - HKLM\..\Run: [UIUCU] -C:\DOCUME~1\Susan\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SunJavaUpdateSched] -C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] -"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] -stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] -C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] -C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] -C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPHUPD05] -C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] -"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] -"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] -C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] -C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] -"C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] -"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] -"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Weather] -C:\Program Files\AWS\WeatherBug\Weather .exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dot1XCfg] -C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] -C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Icmbgrl] "C:\Documents and Settings\Eric\My Documents\?racle\w?crtupd.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1993962763-179605362-839522115-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Andrew')
O4 - HKUS\S-1-5-21-1993962763-179605362-839522115-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Andrew')
O4 - HKUS\S-1-5-21-1993962763-179605362-839522115-1006\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Andrew')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-1993962763-179605362-839522115-1006 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntolwb.exe (User 'Andrew')
O4 - S-1-5-21-1993962763-179605362-839522115-1006 Startup: DW_Start.lnk = C:\WINDOWS\system32\knwdw64k.exe (User 'Andrew')
O4 - S-1-5-21-1993962763-179605362-839522115-1006 User Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntolwb.exe (User 'Andrew')
O4 - S-1-5-21-1993962763-179605362-839522115-1006 User Startup: DW_Start.lnk = C:\WINDOWS\system32\knwdw64k.exe (User 'Andrew')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntolwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\knwdw64k.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZRxdm069YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: khfeefg - khfeefg.dll (file missing)
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - -"C:\Program Files\Viewpoint\Common\ViewpointService.exe" (file missing)

--
End of file - 8781 bytes
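The log above is the raw HijackThis output. As an added example (not code from the thread, from BleepingComputer or from Trend Micro), the following Python script parses the "Rn/Fn/On - ..." entry lines of such a log and flags entries that an analyst would normally look at first. The heuristics are the editor's own assumptions, not HijackThis rules: a referenced file reported "(file missing)", a path containing characters HijackThis could not print (shown as "?"), an executable name with a space before its extension (e.g. "Weather .exe"), a win.ini load= hook, and any Trusted Zone entry. The sample input is a handful of lines copied from the log in the first post, including benign ones. A flag means "review this", not "this is malware"; that call still belongs to the person handling the log.

```python
"""Triage helper for HijackThis 2.x log lines (added example, editor's own code).

It parses the entry lines that HijackThis prints and flags the ones matching a
few assumed heuristics worth a second look. Nothing here decides that an entry
is malicious; it only narrows down what the analyst should read first.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log in the first post above,
# including a few benign entries so the heuristics have something to skip.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhff.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9909BE84-3DDE-475F-9C6A-BAE88008E117} - C:\WINDOWS\system32\jkhff.dll (file missing)
O4 - HKCU\..\Run: [Weather] -C:\Program Files\AWS\WeatherBug\Weather .exe 1
O4 - HKCU\..\Run: [Icmbgrl] "C:\Documents and Settings\Eric\My Documents\?racle\w?crtupd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.trustedantivirus.com
O20 - Winlogon Notify: khfeefg - khfeefg.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "R1 - ...", "F3 - ...", "O23 - ...": section code, then the entry text.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A space right before a well-known executable extension, e.g. "Weather .exe".
SPACED_EXT_RE = re.compile(r"\S \.(exe|dll|ocx|sys)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # which heuristic fired
    line: str      # the original log line


def flags_for(section: str, text: str) -> list[str]:
    """Return the reasons (possibly none) an entry deserves a closer look.

    These heuristics are assumptions made for this example, not HijackThis logic.
    """
    reasons = []
    if "(file missing)" in text:
        reasons.append("file missing")
    # HijackThis prints "?" for characters it cannot render in a path; URLs
    # are stripped first so a query string does not trip this check.
    if "?" in re.sub(r"https?://\S+", "", text):
        reasons.append("unprintable path chars")
    if SPACED_EXT_RE.search(text):
        reasons.append("space before extension")
    if section == "F3" and "load=" in text:
        reasons.append("win.ini load= hook")
    if section == "O15":
        reasons.append("trusted zone")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse every entry line of a HijackThis log and collect flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, running-process list, blank lines
        section, text = m.groups()
        for reason in flags_for(section, text):
            findings.append(Finding(section, reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, for a quick overview of the log."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<24} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the whole first post, the same script flags the F3 win.ini hook, every "(file missing)" BHO and the Winlogon Notify entry, the two "?racle\w?crtupd.exe" Run entries, the "Weather .exe" entry and the six O15 Trusted Zone lines, while leaving the Apple, ESET, AVG and HP entries alone.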



#2 lusitano (Portuguese Malware Fighter; Members, 1,443 posts; Location: Portugal)

Posted 15 February 2008 - 12:53 PM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 es4286 (Topic Starter; Members, 3 posts)

Posted 16 February 2008 - 12:48 AM

alright thanks buddy.

#4 lusitano (Portuguese Malware Fighter; Members, 1,443 posts; Location: Portugal)

Posted 17 February 2008 - 11:08 AM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Regards

#5 es4286 (Topic Starter; Members, 3 posts)

Posted 19 February 2008 - 04:46 PM

ComboFix 08-02-20.2 - Eric 2008-02-19 15:30:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.233 [GMT -6:00]
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 5362 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqpoo.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\MSKSSRVV.sys
C:\WINDOWS\system32\geeba.dll
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Eric\My Documents\RACLE~1
C:\Documents and Settings\Eric\My Documents\RACLE~1\w?crtupd.exe
C:\Documents and Settings\Eric\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Eric\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Eric\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Eric\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Eric\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\Common Files\ystem3~1\?ystem32\
C:\Program Files\Common Files\ystem3~1\ping .exe
C:\Program Files\Common Files\ystem3~1\ping.exe
C:\Program Files\Helper
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Router
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000014_.tmp.dll
C:\WINDOWS\system32\_000015_.tmp.dll
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\awtqpoo.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\MSKSSRVV.sys
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\fkvhijvj.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mt_32.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tuvvssp.dll
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_MSKSSRVV
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\MSKSSRVV


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 15:18 . 2008-02-19 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-17 18:58 . 2008-02-17 18:58 <DIR> d-------- C:\Program Files\PrivacyEraser Computing
2008-02-14 23:33 . 2008-02-14 23:33 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-02-14 20:24 . 2008-02-14 20:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 18:23 . 2008-02-08 18:23 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-02-07 18:29 . 2008-02-07 18:29 101 --a------ C:\WINDOWS\ka.ini
2008-02-07 18:28 . 2008-02-07 18:28 <DIR> d-------- C:\Program Files\JumpStart World
2008-02-07 18:28 . 2008-02-07 18:28 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2008-02-07 18:28 . 2008-02-07 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2008-02-07 18:27 . 2008-02-07 18:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\InstallShield
2008-02-07 09:14 . 2008-02-07 09:14 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\School Zone Preferences
2008-02-01 16:34 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-02-01 16:33 . 2008-02-06 22:05 <DIR> d-------- C:\Program Files\sz8049_6
2008-02-01 16:33 . 2008-02-01 16:36 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\School Zone Preferences
2008-01-31 13:45 . 2008-02-01 16:31 <DIR> d-------- C:\Program Files\Ad Annihilator
2008-01-29 20:49 . 2008-02-20 15:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-29 20:49 . 2008-01-29 20:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-29 20:45 . 2008-02-17 20:36 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2008-01-29 20:44 . 2008-01-29 20:44 <DIR> d-------- C:\Program Files\iPod
2008-01-29 20:43 . 2008-01-29 20:44 <DIR> d-------- C:\Program Files\iTunes
2008-01-29 20:43 . 2008-01-29 20:43 <DIR> d-------- C:\Program Files\Bonjour
2008-01-29 20:42 . 2008-01-29 20:43 <DIR> d-------- C:\Program Files\QuickTime
2008-01-29 20:42 . 2008-01-29 20:42 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-29 20:42 . 2008-01-29 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 20:41 . 2008-01-29 20:41 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-29 20:41 . 2008-01-29 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-29 20:33 . 2008-01-29 20:33 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-01-29 19:26 . 2008-02-19 15:21 <DIR> d-------- C:\Program Files\ESET
2008-01-29 19:18 . 2008-01-29 19:18 1,167 --a------ C:\WINDOWS\mozver.dat
2008-01-29 18:55 . 2008-01-29 18:55 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-29 18:09 . 2008-01-29 18:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-29 18:07 . 2008-02-19 14:24 0 --a------ C:\$bootcln.sch
2008-01-29 17:41 . 2008-01-29 17:41 3,072 --a------ C:\WINDOWS\system32\kbdsdf.dll
2008-01-29 17:15 . 2008-01-29 17:15 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-01-29 17:13 . 2008-01-29 17:13 54,764 --a------ C:\WINDOWS\system32\drivers\qwer78.sys
2008-01-29 17:13 . 2008-01-29 17:13 2 --a------ C:\1283524645
2008-01-27 17:21 . 2008-01-29 19:09 <DIR> d-------- C:\Program Files\Trojan Remover
2008-01-27 17:21 . 2008-01-27 17:21 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Simply Super Software
2008-01-27 17:21 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-01-27 17:21 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-01-27 17:21 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-01-27 17:21 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-27 17:21 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-01-22 19:43 . 2008-01-27 18:26 483,328 --a------ C:\WINDOWS\system32\hphmon05 .exe
2008-01-22 19:43 . 2008-01-27 18:25 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-22 19:43 . 2008-01-27 18:25 94,208 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-22 19:42 . 2008-01-27 18:25 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-22 19:21 . 2008-01-22 19:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-01-22 19:19 . 2008-01-27 18:22 502 --ahs---- C:\WINDOWS\system32\ffhkj.ini2.ren
2008-01-22 19:19 . 2008-01-27 18:21 502 --ahs---- C:\WINDOWS\system32\ffhkj.ini.ren
2008-01-22 19:17 . 2008-01-29 18:07 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-22 19:14 . 2008-01-27 17:55 <DIR> d--hs---- C:\WINDOWS\c3VzaWUgcG9vcGFudHM
2008-01-22 19:14 . 2008-01-22 19:14 <DIR> d-------- C:\Temp\gTiis19
2008-01-22 19:13 . 2008-01-29 18:36 <DIR> d-------- C:\WINDOWS\system32\winzs6
2008-01-22 19:13 . 2008-01-29 18:36 <DIR> d-------- C:\WINDOWS\system32\nui4
2008-01-22 19:13 . 2008-01-22 19:13 <DIR> d-------- C:\WINDOWS\system32\extz1
2008-01-22 19:13 . 2008-01-29 18:36 <DIR> d-------- C:\WINDOWS\system32\dob3
2008-01-22 19:13 . 2008-01-22 19:41 <DIR> d-------- C:\WINDOWS\system32\comm7
2008-01-22 19:13 . 2008-01-22 19:13 <DIR> d-------- C:\Temp\cXzz9
2008-01-22 19:13 . 2008-02-20 15:31 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 00:46 --------- d-----w C:\Documents and Settings\Eric\Application Data\uTorrent
2008-02-11 00:26 --------- d-----w C:\Program Files\uTorrent
2008-02-09 01:22 802,816 ----a-w C:\WINDOWS\feedingfrenzy.scr
2008-02-09 01:14 --------- d-----w C:\Program Files\Common Files\Real
2008-02-08 00:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 00:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-28 00:27 --------- d-----w C:\Program Files\AIM6
2008-01-28 00:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-26 08:01 --------- d-----w C:\Program Files\Yahoo!
2008-01-26 07:59 --------- d-----w C:\Program Files\Nick Jr. Arcade
2008-01-15 22:08 --------- d-----w C:\Documents and Settings\Andrew\Application Data\acccore
2008-01-06 20:19 --------- d-----w C:\Documents and Settings\Eric\Application Data\CyberLink
2007-12-23 22:03 --------- d-----w C:\Documents and Settings\Eric\Application Data\vlc
2007-12-23 22:02 --------- d-----w C:\Program Files\VideoLAN
2007-12-23 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 19:23 --------- d-----w C:\Program Files\Symantec
2007-12-23 19:23 --------- d-----w C:\Program Files\Google
2007-12-23 19:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-23 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-20 02:42 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-07-29 22:24 472 --sha-r C:\WINDOWS\c3VzaWUgcG9vcGFudHM\wapWuqo0w36Sw3IRxJg.vbs
.
<pre>
----a-w			50,528 2008-01-29 23:15:27  C:\Program Files\AIM6\aim6 .exe
----a-w			53,248 2008-01-28 00:25:48  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			49,152 2008-01-28 00:26:01  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
----a-w			49,152 2008-01-28 00:27:16  C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
----a-w		   221,184 2008-01-28 00:25:59  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w			32,881 2008-01-28 00:25:46  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,694,208 2008-01-28 00:27:27  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,200,128 2008-01-28 00:27:40  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w		   726,608 2008-01-28 00:26:10  C:\Program Files\Trojan Remover\Trjscan .exe
----a-w		   114,688 2008-01-28 00:25:53  C:\WINDOWS\system32\hkcmd .exe
----a-w		   483,328 2008-01-28 00:26:05  C:\WINDOWS\system32\hphmon05 .exe
----a-w			94,208 2008-01-28 00:25:55  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-28 00:25:50  C:\WINDOWS\system32\igfxtray .exe
----a-w		   188,416 2008-01-28 00:26:06  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}]
C:\WINDOWS\system32\winload.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54C7D1DD-4296-451e-B756-1E94F665B4FF}]
C:\WINDOWS\system32\yatool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ca51847-a9d3-49f7-99f0-5c965c63677c}]
C:\WINDOWS\system32\artivyu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{603FED95-5871-5AF8-0662-2900BCCB8BE8}]
C:\WINDOWS\system32\txdo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9909BE84-3DDE-475F-9C6A-BAE88008E117}]
C:\WINDOWS\system32\jkhff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB440D6F-4255-4E86-AA32-2631674BDF23}]
C:\WINDOWS\system32\ddcyy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="-C:\Program Files\Messenger\msmsgs.exe" [ ]
"Aim6"="-C:\Program Files\AIM6\aim6.exe" [ ]
"H/PC Connection Agent"="-C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [ ]
"Weather"="-C:\Program Files\AWS\WeatherBug\Weather .exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"Dot1XCfg"="-C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"Router"="-C:\Program Files\Router\Router.exe" [ ]
"Icmbgrl"="C:\Documents and Settings\Eric\My Documents\?racle\w?crtupd.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\YSTEM3~1\ping.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIUCU"="-C:\DOCUME~1\Susan\LOCALS~1\Temp\UIUCU.exe" [ ]
"SunJavaUpdateSched"="-C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
"DVDLauncher"="-C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"SigmatelSysTrayApp"="-stsystra.exe" []
"IgfxTray"="-C:\WINDOWS\system32\igfxtray.exe" [ ]
"HotKeysCmds"="-C:\WINDOWS\system32\hkcmd.exe" [ ]
"Persistence"="-C:\WINDOWS\system32\igfxpers.exe" [ ]
"HPHUPD05"="-C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HP Component Manager"="-C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"HP Software Update"="-C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [ ]
"HPHmon05"="-C:\WINDOWS\system32\hphmon05.exe" [ ]
"HPDJ Taskbar Utility"="-C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}"= C:\WINDOWS\system32\winload.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfeefg]
khfeefg.dll

S2 Viewpoint Manager Service;Viewpoint Manager Service;-"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7FDA5DA0-0C92-E780-F273-B9207984D491}]
C:\WINDOWS\system32:svchost.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 14:39:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 15:41:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-20 15:43:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 21:43:37
.
2008-02-18 09:02:06 --- E O F ---

#6 lusitano (Portuguese Malware Fighter; Members, 1,443 posts; Location: Portugal)

Posted 21 February 2008 - 06:16 AM

Hello,

One or more of the identified infections is a backdoor Trojan.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please follow the "REMOVAL INSTRUCTIONS" below.

If you decided to reformat your PC, please let me know about that in your next reply.


"REMOVAL INSTRUCTIONS"

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
4. Do the same for each Viewpoint component.

Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7FDA5DA0-0C92-E780-F273-B9207984D491}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54C7D1DD-4296-451e-B756-1E94F665B4FF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ca51847-a9d3-49f7-99f0-5c965c63677c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{603FED95-5871-5AF8-0662-2900BCCB8BE8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9909BE84-3DDE-475F-9C6A-BAE88008E117}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB440D6F-4255-4E86-AA32-2631674BDF23}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dot1XCfg"=-
"Icmbgrl"=-
"Router"=-
"Sen"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIUCU"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfeefg]
DirLook::
C:\Program Files\sz8049_6
C:\1283524645
File::
C:\WINDOWS\system32\kbdsdf.dll
C:\WINDOWS\system32\ffhkj.ini2.ren
C:\WINDOWS\system32\ffhkj.ini.ren
C:\WINDOWS\system32\winload.dll
C:\WINDOWS\system32\yatool.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\ddcyy.dll
C:\DOCUME~1\Susan\LOCALS~1\Temp\UIUCU.exe
C:\WINDOWS\system32\khfeefg.dll
C:\WINDOWS\system32\drivers\qwer78.sys
Folder::
C:\Program Files\Dot1XCfg
C:\Program Files\Router
C:\WINDOWS\c3VzaWUgcG9vcGFudHM
C:\Temp\gTiis19
C:\WINDOWS\system32\winzs6
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\dob3
C:\WINDOWS\system32\comm7
C:\Temp\cXzz9
RenV::
----a-w			50,528 2008-01-29 23:15:27  C:\Program Files\AIM6\aim6 .exe
----a-w			53,248 2008-01-28 00:25:48  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			49,152 2008-01-28 00:26:01  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
----a-w			49,152 2008-01-28 00:27:16  C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
----a-w		   221,184 2008-01-28 00:25:59  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w			32,881 2008-01-28 00:25:46  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,694,208 2008-01-28 00:27:27  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,200,128 2008-01-28 00:27:40  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w		   726,608 2008-01-28 00:26:10  C:\Program Files\Trojan Remover\Trjscan .exe
----a-w		   114,688 2008-01-28 00:25:53  C:\WINDOWS\system32\hkcmd .exe
----a-w		   483,328 2008-01-28 00:26:05  C:\WINDOWS\system32\hphmon05 .exe
----a-w			94,208 2008-01-28 00:25:55  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-28 00:25:50  C:\WINDOWS\system32\igfxtray .exe
----a-w		   188,416 2008-01-28 00:26:06  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
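Before dragging a CFScript onto ComboFix it helps to read back exactly what the script will touch. The following is an added example written for this thread, not code from the post or from ComboFix: it parses the section format used above (Registry::, File::, Folder::, RenV::) and lists the planned actions; the directive semantics it assigns (a `[-KEY]` line deletes the key, `"Name"=-` deletes a value, RenV restores an executable whose name gained a space before the extension, as in `aim6 .exe`) are assumed, and the embedded script is a constructed subset of the one in the post.

```python
"""Preview what a ComboFix CFScript would touch before it is run (added example,
not ComboFix code; the directive semantics marked below are assumed)."""
import re
# Constructed sample: a subset of the script in the post above.
SAMPLE_SCRIPT = r"""Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dot1XCfg"=-
File::
C:\WINDOWS\system32\khfeefg.dll
RenV::
----a-w   50,528 2008-01-29 23:15:27  C:\Program Files\AIM6\aim6 .exe
"""
SECTION_RE = re.compile(r"^(\w+)::$")
# RenV rows: attributes, size, date, time, then a path that may contain spaces.
RENV_RE = re.compile(r"^\S+\s+[\d,]+\s+\S+\s+\S+\s+(.+)$")

def parse_cfscript(text):
    """Split the script into {section: [entry lines]}; reject entries before a header."""
    sections, current = {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is None:
            raise ValueError("entry before any section header: " + line)
        elif line:
            sections[current].append(line)
    return sections

def restored_name(path):
    """'aim6 .exe' -> 'aim6.exe': drop the space inserted before the extension."""
    return re.sub(r"\s+(\.\w+)$", r"\1", path)

def preview_actions(sections):
    """Return (action, target[, new_name]) tuples for a human to review (assumed semantics)."""
    actions, key = [], None
    for entry in sections.get("Registry", []):
        if entry.startswith("[-"):            # [-KEY] deletes the whole key
            actions.append(("delete key", entry[2:-1]))
        elif entry.startswith("["):           # [KEY] selects a key for value edits
            key = entry[1:-1]
        elif entry.endswith("=-") and key:    # "Name"=- deletes that value
            actions.append(("delete value", key + "\\" + entry[1:-3]))
    for section, action in (("File", "delete file"), ("Folder", "delete folder")):
        actions.extend((action, path) for path in sections.get(section, []))
    for row in filter(None, map(RENV_RE.match, sections.get("RenV", []))):
        actions.append(("rename", row.group(1), restored_name(row.group(1))))
    return actions
```

Run `preview_actions(parse_cfscript(open("CFScript.txt").read()))` on the saved script to see the list; any path you do not recognise from the log is worth asking about before running ComboFix.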

#7 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:12:10 AM

Posted 01 March 2008 - 05:32 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
