Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

X_cool.exe Running....


  • Please log in to reply
1 reply to this topic

#1 apm

apm

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 27 February 2008 - 06:40 PM

Hi Guys

I would appreciate some help with this machine. I believe it suffered Vundo a few months ago but still has signes of infection as X_Cool.exe was visible using Sysinternals Filmon. I have uninstalled the entry in Add/Remove Programs.
Here is the HiJackThis log & ComboFix Log - HijackThis was installed post ComboFix run/log: Regards

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:34:23, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1184223758\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AOL\Broadband Assistant\bin\mpbtn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xm...dir.asp?Ext=pps
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11C72D10-D9EA-4B5A-91D3-9C64BF9928F6} - C:\Program Files\MSN Gaming Zone\mezoheke4444.dll (file missing)
O2 - BHO: (no name) - {2CF2ADA5-9910-4649-31AC-E7F87F568FC3} - C:\Program Files\MSN\qula.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F1128B2-3811-4B08-BF3B-5EBC61F48BE0} - C:\Program Files\MSN Gaming Zone\mezoheke555077.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C234147E-AC64-46C6-94C2-E0D758F3D728} - C:\Program Files\MSN Gaming Zone\mezoheke83122.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll (file missing)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1184223758\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL Broadband Assistant.lnk = C:\Program Files\AOL\Broadband Assistant\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZJxdm172YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://webgames.d.tmsrv.com/c=9bc651382105...sh.1.0.0.47.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8DD6A90-5615-46C2-B738-0C1C313E850F}: NameServer = 212.139.132.6,208.67.220.220
O20 - Winlogon Notify: gebywur - gebywur.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11952 bytes

ComboFix 08-02-25.3 - Keith Weston 2008-02-27 23:10:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.148 [GMT 0:00]
Running from: C:\Documents and Settings\Keith Weston\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-27 22:51 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-27 22:50 . 2008-02-27 22:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-27 20:45 . 2008-02-27 20:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-27 20:41 . 2007-12-07 02:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-27 20:41 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-27 20:41 . 2007-07-01 03:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-27 20:41 . 2007-12-07 02:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-27 20:41 . 2007-12-07 02:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-27 20:41 . 2007-12-07 02:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-27 20:41 . 2007-12-07 02:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-27 20:41 . 2007-12-07 02:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-27 20:41 . 2007-12-06 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-27 20:27 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-27 20:19 . 2008-02-27 20:19 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 20:13 . 2008-02-27 21:34 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 20:12 . 2008-02-27 20:12 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 20:10 . 2008-02-27 20:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-27 20:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 20:09 . 2006-10-04 14:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-02-27 20:09 . 2006-10-04 14:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-02-27 20:09 . 2006-10-04 14:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-02-27 20:08 . 2008-02-27 20:08 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-27 20:00 . 2008-02-27 20:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-27 20:00 . 2008-02-27 20:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-27 19:34 . 2006-11-13 06:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-02-27 19:34 . 2006-11-13 06:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-02-27 19:34 . 2006-11-13 06:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-02-23 08:00 . 2008-02-23 08:00 47,596 --a------ C:\WINDOWS\system32\drivers\REGSYS701.SYS
2008-02-22 18:17 . 2008-02-22 18:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-22 18:17 . 2008-02-22 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 18:54 . 2008-02-07 18:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 18:47 . 2008-02-07 18:48 <DIR> d-------- C:\Program Files\QuickTime
2008-02-06 16:53 . 2008-02-06 16:53 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-03 13:30 . 2008-02-03 13:44 <DIR> d-------- C:\Program Files\RegistryPatrol3.0
2008-02-02 23:25 . 2006-08-21 09:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-02-02 23:25 . 2006-08-21 09:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-02-02 23:25 . 2006-08-21 12:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-02-02 23:23 . 2008-02-02 23:23 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-02 19:25 . 2007-07-09 13:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-02 17:11 . 2008-02-27 23:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 15:28 . 2008-02-27 21:27 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-02 15:18 . 2008-02-02 15:18 <DIR> d-------- C:\WINDOWS\peernet
2008-02-02 15:17 . 2008-02-02 15:17 <DIR> d-------- C:\WINDOWS\provisioning
2008-02-02 15:10 . 2008-02-02 15:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-02 14:49 . 2008-02-02 14:49 <DIR> d-------- C:\WINDOWS\EHome
2008-02-01 17:35 . 2003-01-10 21:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 22:51 --------- d-----w C:\Program Files\Java
2008-02-27 22:40 --------- d-----w C:\Program Files\Cool
2008-02-27 19:23 --------- d-----w C:\Documents and Settings\Keith Weston\Application Data\AVG7
2008-02-24 20:38 --------- d-----w C:\Documents and Settings\Sue Gallagher\Application Data\AVG7
2008-02-24 20:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-24 18:07 --------- d-----w C:\Documents and Settings\Megan Gallagher\Application Data\AVG7
2008-02-24 17:07 --------- d-----w C:\Documents and Settings\Tyler Weston\Application Data\AVG7
2008-02-15 16:20 1,565,696 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-07 18:53 --------- d-----w C:\Program Files\iTunes
2008-02-07 18:53 --------- d-----w C:\Program Files\iPod
2008-02-07 13:18 1,576,558 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-28 20:07 1,462,784 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-25 19:12 --------- d-----w C:\Documents and Settings\Tyler Weston\Application Data\Grisoft
2008-01-24 17:17 1,452,544 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-23 21:03 1,890,304 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-17 19:15 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-10 10:52 717,824 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-03 20:38 2,460,672 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-03 20:38 1,413,632 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-12-29 12:08 1,400,832 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-19 20:30 1,329,152 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2007-12-19 20:29 4,592 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-13 19:40 77,824 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-12-07 15:30 103,776 ----a-w C:\WINDOWS\system32\AOLDial.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2005-07-29 16:24 472 --sha-r C:\WINDOWS\S2VpdGggV2VzdG9u\mZpDx300pZpWx36R.vbs
2007-11-12 20:29 446,011 --sh--w C:\WINDOWS\system32\mlkkj.bak1
2007-11-13 20:29 660,523 --sh--w C:\WINDOWS\system32\mlkkj.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11C72D10-D9EA-4B5A-91D3-9C64BF9928F6}]
C:\Program Files\MSN Gaming Zone\mezoheke4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CF2ADA5-9910-4649-31AC-E7F87F568FC3}]
C:\Program Files\MSN\qula.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F1128B2-3811-4B08-BF3B-5EBC61F48BE0}]
C:\Program Files\MSN Gaming Zone\mezoheke555077.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C234147E-AC64-46C6-94C2-E0D758F3D728}]
C:\Program Files\MSN Gaming Zone\mezoheke83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-19 19:45 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{8B68564D-53FD-4293-B80C-993A9F3988EE}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-19 19:45 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 18:52 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-12-15 07:20 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-12-17 10:40 1241138]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 14:18 135168]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 16:10 1658965]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 13:47 16384]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [2003-05-06 08:28 72192]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 13:54 241664]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 15:52 3770024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 15:30 71008]
"HostManager"="C:\Program Files\Common Files\AOL\1184223758\ee\AOLSoftware.exe" [2006-11-17 13:21 50736]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 18:19 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"ATIModeChange"="Ati2mdxx.exe" [2006-02-21 20:40 26112 C:\WINDOWS\system32\Ati2mdxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-21 20:56 219136]

C:\Documents and Settings\Sue Gallagher\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 11:21:32 24651]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
AOL Broadband Assistant.lnk - C:\Program Files\AOL\Broadband Assistant\bin\matcli.exe [2006-08-16 17:27:50 217088]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-06-15 07:59:24 1742384]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-09-06 19:33:31 626688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywur]
gebywur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32]
winmfu32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 15:52]
S3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 18:33:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 23:15:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-27 23:17:09
ComboFix-quarantined-files.txt 2008-02-27 23:16:38
ComboFix2.txt 2008-02-27 22:59:04
ComboFix3.txt 2007-12-19 21:34:37
.
2008-02-16 09:03:52 --- E O F ---

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,392 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:20 PM

Posted 17 March 2008 - 07:26 AM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users