
Balloon Saying "your Computer Is Infected With Spyware" Most Likely Malware


35 replies to this topic

#1 emopants92


  • Members
  • 87 posts

Posted 01 March 2008 - 10:58 PM

OK, I have been having some kind of malware lately, or spyware or something. OK, well, after 3 days of not being able to get a HijackThis log, I finally got my cure! First, I have a balloon popping up saying "your computer is infected with spyware" blah blah blah. Then it wants me to download a program to get rid of it, obviously fake. Also I have 2 fake icons on my desktop that are Windows Update and Support Center that take me to some website. I also get popups all the time of errors while I'm working on the computer, and starting up I get about 20. When I try to run HijackThis or AVG or Spybot, I click them to run and nothing happens, and I have tried to reinstall them a couple of times. Here is the log:

Log created by WinPatrol version 14.0.2007.1:14.0.2007.1
Scan saved at 7:49:52 PM, on 3/01/2008
Platform: Windows XP SP2 Home Edition Service Pack 2 (Build 2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\PROGRAM FILES\Bonjour\MDNSRESPONDER.EXE
C:\WINDOWS\explorer.exe
C:\PROGRAM FILES\ANALOG DEVICES\Core\smax4pnp.exe
C:\PROGRAM FILES\2Wire\2PORTALMON.EXE
C:\PROGRAM FILES\MICROSOFT XBOX 360 ACCESSORIES\XBoxStat.exe
C:\PROGRAM FILES\Java\JRE1.6.0_03\bin\jusched.exe
C:\PROGRAM FILES\QUICKTIME\qttask.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\CTFMON.EXE
C:\PROGRAM FILES\AIM6\aim6.exe
C:\PROGRAM FILES\MSN MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpobnz08.exe
C:\PROGRAM FILES\Yahoo!\browser\ybrowser.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpotdd01.exe
C:\PROGRAM FILES\COMMON FILES\AOL\Loader\aolload.exe
C:\PROGRAM FILES\THOOSJE SIDEBAR V2.3\THOOSJE VISTA SIDEBAR.EXE
C:\PROGRAM FILES\OPENOFFICE.ORG 2.3\program\soffice.exe
C:\PROGRAM FILES\OPENOFFICE.ORG 2.3\program\soffice.bin
C:\PROGRAM FILES\AIM6\AOLSOFTWARE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpoevm08.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hposts08.exe
C:\PROGRAM FILES\Yahoo!\browser\ybrwicon.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\WINDOWS\SYSTEM32\bubbles.scr
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O1 - Hosts: 127.0.0.
O2 - BHO: yjngchdt - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\yjngchdt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP]C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [2wSysTray]C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [XboxStat]c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [30ff593c]C:\WINDOWS\system32\uuaxundd.dll,b
O4 - HKLM\..\Run: [BM33cc6aa0]C:\WINDOWS\system32\rdtimseq.dll,s
O4 - HKLM\..\Run: [WinReanimator]C:\Program Files\WinReanimator\WinReanimator.exe /hide
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\SYSTEM32\CTFMON.EXE
O4 - HKCU\..\Run: [msnmsgr]C:\Program Files\MSN Messenger\msnmsgr.exe /background
O4 - Global Startup: hp psc 2000 Series.lnk=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: OpenOffice.org 2.3.lnk=C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Thoosje Vista Sidebar.lnk=C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.6.0_03\bin
O11 - Options group: [] -
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/9/b...heckControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O20 - AppInit_DLLs: cru629.dat

O21 - WPDShServiceObj - WPDShServiceObj Class - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\SYSTEM32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - - C:\Program Files\WinPcap\rpcapd.exe -d -f C:\Program Files\WinPcap\rpcapd.ini
O23 - Service: VET Message Service - - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPcservice.exe

--- Additional WinPatrol Info ---
Browser: Unable to find default browser.
MSIE: Internet Explorer (7.00.6000.16608)
134 IE Cookies in Folder: C:\Documents and Settings\Mitchell\Cookies\

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS2: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job]c:\program files\mcafee.com\vso\mcmnhdlr.exe Never
WP31 - Scheduled Tasks: [McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job]c:\program files\mcafee.com\vso\mcmnhdlr.exe Never
WP31 - Scheduled Tasks: [FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job]C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfrucl.exe Never

WP32 - Hidden File: C:\BOOT.BAK
WP32 - Hidden File: C:\boot.ini
WP32 - Hidden File: C:\cmldr
WP32 - Hidden File: C:\DELL.SDR
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\IPH.PH
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\sqmdata00.sqm
WP32 - Hidden File: C:\sqmdata01.sqm
WP32 - Hidden File: C:\sqmdata02.sqm
WP32 - Hidden File: C:\sqmdata03.sqm
WP32 - Hidden File: C:\sqmdata04.sqm
WP32 - Hidden File: C:\sqmdata05.sqm
WP32 - Hidden File: C:\sqmdata06.sqm
WP32 - Hidden File: C:\sqmdata07.sqm
WP32 - Hidden File: C:\sqmdata08.sqm
WP32 - Hidden File: C:\sqmdata09.sqm
WP32 - Hidden File: C:\sqmdata10.sqm
WP32 - Hidden File: C:\sqmdata11.sqm
WP32 - Hidden File: C:\sqmdata12.sqm
WP32 - Hidden File: C:\sqmdata13.sqm
WP32 - Hidden File: C:\sqmdata14.sqm
WP32 - Hidden File: C:\sqmdata15.sqm
WP32 - Hidden File: C:\sqmdata16.sqm
WP32 - Hidden File: C:\sqmdata17.sqm
WP32 - Hidden File: C:\sqmdata18.sqm
WP32 - Hidden File: C:\sqmdata19.sqm
WP32 - Hidden File: C:\sqmnoopt00.sqm
WP32 - Hidden File: C:\sqmnoopt01.sqm
WP32 - Hidden File: C:\sqmnoopt02.sqm
WP32 - Hidden File: C:\sqmnoopt03.sqm
WP32 - Hidden File: C:\sqmnoopt04.sqm
WP32 - Hidden File: C:\sqmnoopt05.sqm
WP32 - Hidden File: C:\sqmnoopt06.sqm
WP32 - Hidden File: C:\sqmnoopt07.sqm
WP32 - Hidden File: C:\sqmnoopt08.sqm
WP32 - Hidden File: C:\sqmnoopt09.sqm
WP32 - Hidden File: C:\sqmnoopt10.sqm
WP32 - Hidden File: C:\sqmnoopt11.sqm

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [WinRAR archive]C:\Program Files\WinRAR\WinRAR.exe %1
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .DOC: [WordPad Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [Microsoft ® Windows Script Host]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [AT&T Yahoo! Music Jukebox File]C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe -play %1
WP33 - File Type .MP3: [MediaMonkey file]C:\Program Files\MediaMonkey\MediaMonkey.exe %1
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealPlayer\RealPlay.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*

Memory currently in use: 35%
Physical Memory Free: 506,008 KB
Paging File Free: 766,068 KB
Virtual Memory Free: 2,052,904 KB


--
End of file


#2 random/random


  • Malware Response Team
  • 2,704 posts

Posted 07 March 2008 - 01:57 PM

What you've posted is a log from WinPatrol. WinPatrol is a great application, but I'd like to work with HijackThis itself.

Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


#3 emopants92

  • Topic Starter

  • Members
  • 87 posts

Posted 16 March 2008 - 05:31 PM

See, that's what the problem is. I can't get HijackThis to run. I even tried with your instructions and I still haven't been able to get it to run. WinPatrol is the only thing that will run. I will save it to the desktop and click it and all I get is this: a small window pops up and I click Install, it installs, and I never get any message asking me to start, and then nothing. So I figure it's installed and I click to run the program and nothing; I click again, nothing.



#4 random/random


  • Malware Response Team
  • 2,704 posts

Posted 17 March 2008 - 02:03 PM

OK, we'll see what we can do with the WinPatrol log:
  • Please download VundoFix.exe by Atribune from Atribune and save it to your desktop.
  • Double click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new WinPatrol log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid" , please download this file and save it to your desktop.
  • Right click on Comdlg32.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • On the text box above the Browse button, copy and paste in C:\Windows\system32.
  • Click OK.
  • Uncheck (untick) the Show extracted files box and click Finish.
  • Click on Start > Run and copy and paste in the following into the Run box:

    REGSVR32 C:\Windows\system32\comdlg32.ocx
  • Press Enter.
  • You should receive this message - "DllRegisterServer in C:\Windows\system32\comdlg32.ocx succeeded."
  • Click OK and restart your computer. Then try running VundoFix again.


#5 emopants92

  • Topic Starter

  • Members
  • 87 posts

Posted 17 March 2008 - 10:21 PM

Yeah, I downloaded it and tried to run it, and same thing as HijackThis: no response when I click on it. I tried it a couple of times, then in safe mode too, and still nothing. I didn't download the 2nd part because I never got an error message; all I got was no response. So should I try that file part and then run it again?

#6 random/random


  • Malware Response Team
  • 2,704 posts

Posted 18 March 2008 - 02:01 PM

No, let's try something else:
  • Download Autoruns from here
  • Unzip/extract it to a folder on your desktop
  • Double click on autoruns.exe to start Autoruns
  • Wait for it to finish scanning
  • Under Options make sure the following options are selected
    • Verify Code Signatures
    • Hide Signed Microsoft Entries
  • Click File > Refresh
  • Click File > Save As
  • Save it to the desktop as autoruns.txt
  • Post the contents of autoruns.txt as a reply to this topic


#7 emopants92

  • Topic Starter

  • Members
  • 87 posts

Posted 18 March 2008 - 08:42 PM

Yep, sorry this is such a pain, but same thing: no response when I click the autoruns.exe.

#8 random/random


  • Malware Response Team
  • 2,704 posts

Posted 19 March 2008 - 02:10 PM

Rename autoruns.exe to random.exe and try running it again.

#9 emopants92

  • Topic Starter

  • Members
  • 87 posts

Posted 19 March 2008 - 07:25 PM

Yeah, it worked. OK, here is the file:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 2wSysTray HomePortal Monitor Application by 2Wire Engineering (Not verified) 2Wire, Inc. c:\program files\2wire\2portalmon.exe
+ BM33cc6aa0 c:\windows\system32\iafgkuct.dll
+ SoundMAXPnP SMax4PNP MFC Application (Not verified) Analog Devices, Inc. c:\program files\analog devices\core\smax4pnp.exe
+ WinPatrol WinPatrol System Monitor (Verified) BillP Studios c:\program files\billp studios\winpatrol\winpatrol.exe
+ XboxStat XBoxStat.exe (Not verified) Microsoft Corporation c:\program files\microsoft xbox 360 accessories\xboxstat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
+ hpoddt01.exe.lnk hpotdd01 (Not verified) Hewlett-Packard c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
C:\Documents and Settings\Mitchell\Start Menu\Programs\Startup
+ OpenOffice.org 2.3.lnk c:\program files\openoffice.org 2.3\program\quickstart.exe
+ Thoosje Vista Sidebar.lnk c:\program files\thoosje sidebar v2.3\thoosje vista sidebar.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ Aim6 AIM (Not verified) AOL LLC c:\program files\aim6\aim6.exe
+ Jnskdfmf9eldfd c:\documents and settings\mitchell\local settings\temp\csrssc.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
+ jhsf8d984jief8dsfus98jkefn c:\windows\system32\jfiehayd.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ hggfgdb.dll c:\windows\system32\hggfgdb.dll
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
+ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ iTunes iTunes Mini Player DLL (Verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll
+ OpenOffice.org Column Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Infotip Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Property Sheet Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Thumbnail Viewer (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
+ Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ C:\WINDOWS\system32\jfiehayd.dll c:\windows\system32\jfiehayd.dll
+ {70AB0A8B-8A8A-496F-A339-4CD2F3352991} c:\windows\system32\hggfgdb.dll
+ {D4C1697C-6EBA-47B6-ADC9-328A4C997EB1} c:\windows\system32\awtqn.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
Task Scheduler
+ FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job FRU-Client MFC Application c:\program files\hewlett-packard\digital imaging\bin\hpqfrucl.exe
+ McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
+ McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
HKLM\System\CurrentControlSet\Services
+ Bonjour Service ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762## (Not verified) Apple Computer, Inc. c:\program files\bonjour\mdnsresponder.exe
+ CAISafe File not found: C:\Program Files\Yahoo!\Antivirus\ISafe.exe
+ VETMSGNT File not found: C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
HKLM\System\CurrentControlSet\Services
+ Beep c:\windows\system32\drivers\beep.sys
+ BsStor B.H.A Storage Helper Driver (WindowsNT5.x) (Not verified) B.H.A Co.,Ltd. c:\windows\system32\drivers\bsstor.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ d347bus PnP BIOS Extension (Not verified) c:\windows\system32\drivers\d347bus.sys
+ d347prt SCSI miniport (Not verified) c:\windows\system32\drivers\d347prt.sys
+ DiagnosticScan File not found: C:\Program Files\Adware Away\DiagnosticScan.SYS
+ GEARAspiWDM CD/DVD Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys
+ IFP300 iriver Internet Audio Player IFP-300 File not found: system32\DRIVERS\ifp300.sys
+ InCDPass File not found: system32\drivers\InCDPass.sys
+ InCDRm remapper (Not verified) Ahead Software AG c:\windows\system32\drivers\incdrm.sys
+ IPVNMon IPVNMon (Not verified) Visual Networks c:\windows\system32\drivers\ipvnmon.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ MCSTRM RealNetworks Virtual Path Manager« (Not verified) RealNetworks, Inc. c:\windows\system32\drivers\mcstrm.sys
+ NPF npf (Not verified) CACE Technologies c:\windows\system32\drivers\npf.sys
+ npkcrypt File not found: C:\Program Files\NEXON\MapleStory\npkcrypt.sys
+ nuvaud2 File not found: system32\DRIVERS\nuvaud2.sys
+ oreans32 File not found: C:\WINDOWS\system32\drivers\oreans32.sys
+ Partizan Partizan - Rootkit detector (Not verified) Greatis Software c:\windows\system32\drivers\partizan.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ pfc Padus® ASPI Shell (Not verified) Padus, Inc. c:\windows\system32\drivers\pfc.sys
+ psa500 QSound Virtual Engine driver (Not verified) QSound Labs, Inc. c:\windows\system32\drivers\psa500.sys
+ PSSdk23 File not found: C:\WINDOWS\system32\Drivers\PsSdk23.drv
+ PsSdk30 File not found: C:\WINDOWS\system32\Drivers\PsSdk30.drv
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ SCDEmu PowerISO Virtual Drive (Not verified) PowerISO Computing, Inc. c:\windows\system32\drivers\scdemu.sys
+ SNPSTD3 PC Camera driver c:\windows\system32\drivers\snpstd3.sys
+ sptd c:\windows\system32\drivers\sptd.sys
+ TPkd InterLok system file (Verified) PACE Anti-Piracy, Inc. c:\windows\system32\drivers\tpkd.sys
+ UacFlt UAC355x Filter/Support Driver (Not verified) Micronas GmbH c:\windows\system32\drivers\uacbflt.sys
+ VET-FILT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-filt.sys
+ VET-REC CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-rec.sys
+ VETEBOOT RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\veteboot.sys
+ VETEFILE RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetefile.sys
+ VETFDDNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetfddnt.sys
+ VETMONNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetmonnt.sys
+ wanatw File not found: system32\DRIVERS\wanatw4.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ Partizan Partizan - First Bootwatch Anti-Rootkit (Not verified) Greatis Software c:\windows\system32\partizan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ cru629.dat c:\windows\system32\cru629.dat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ __c00CAA47 c:\windows\system32\__c00caa47.dat
+ hggfgdb c:\windows\system32\hggfgdb.dll
+ vptjopus c:\windows\system32\vptjopus.dll
+ xxyaxxx File not found: xxyaxxx.dll
+ yjngchdt File not found: yjngchdt.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\system32\bubbles.scr Bubbles Screen Saver (Not verified) Microsoft Corporation c:\windows\system32\bubbles.scr
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ CA ISafe LSP CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [RAW/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [TCP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [UDP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ C:\WINDOWS\system32\awtqn.dll c:\windows\system32\awtqn.dll

#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 20 March 2008 - 11:31 AM

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save it to the desktop as fix.reg, making sure save as type is set to all files
  • Download UnDLL by ESET from here
  • Unzip/extract it to a folder on the desktop
  • Double click on UNDLL.EXE to start UnDLL
  • Click on Select infected DLL
  • Locate and select this file:
    c:\windows\system32\vptjopus.dll
  • Click Open
  • UnDLL will now attempt to delete the DLL file
  • If asked to restart your PC, click No
  • Repeat the above steps for the following files:
    c:\windows\system32\__c00caa47.dat
    c:\windows\system32\awtqn.dll
    c:\windows\system32\cru629.dat
    c:\windows\system32\hggfgdb.dll
    c:\windows\system32\iafgkuct.dll
    c:\windows\system32\jfiehayd.dll
  • Once you have used UnDLL on all the files:
  • Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt
  • Restart your PC manually

Run autoruns again and post the log it produces
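The fix.reg above resets the LSA Authentication Packages value to the Windows default, and the UnDLL steps remove the modules that the log shows loaded from AppInit_DLLs, Winlogon\Notify and that same LSA key. The following Python is an added example, not code from the thread or from ERUNT, UnDLL or Autoruns: it decodes the hex(7) line to confirm exactly what the merge writes, and triages those three sections of an Autoruns-style text log (SAMPLE_LOG is constructed from the entries posted in the thread; the allow-list for Winlogon\Notify assumes !SASWinLogon is the legitimate SUPERAntiSpyware hook).

```python
"""Check the persistence locations that the fix.reg and UnDLL steps target.

Added example, not code from the thread or from ERUNT, UnDLL or Autoruns.
SAMPLE_LOG below is constructed from the Autoruns entries posted in the thread.
"""
import re

# Windows XP default for HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages:
# only the MSV1_0 (NTLM) package. Any other module listed here is loaded into LSASS at boot.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

# Autoruns sections abused in this thread, keyed by the tail of the section line, with the
# entry names (lower-cased, no extension) that are acceptable there. AppInit_DLLs should be
# empty; !SASWinLogon is assumed to be the SUPERAntiSpyware hook legitimately on this machine.
WATCHED_SECTIONS = {
    "windows\\appinit_dlls": set(),
    "winlogon\\notify": {"!saswinlogon"},
    "lsa\\authentication packages": set(DEFAULT_AUTH_PACKAGES),
}

# Constructed from the log in the thread: the watched sections as they looked before the fix.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ cru629.dat c:\windows\system32\cru629.dat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ __c00CAA47 c:\windows\system32\__c00caa47.dat
+ hggfgdb c:\windows\system32\hggfgdb.dll
+ vptjopus c:\windows\system32\vptjopus.dll
+ xxyaxxx File not found: xxyaxxx.dll
+ yjngchdt File not found: yjngchdt.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\system32\bubbles.scr Bubbles Screen Saver (Not verified) Microsoft Corporation c:\windows\system32\bubbles.scr
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ C:\WINDOWS\system32\awtqn.dll c:\windows\system32\awtqn.dll
"""


def decode_reg_hex7(line, encoding="latin-1"):
    """Return the strings packed in a .reg 'hex(7):' (REG_MULTI_SZ) value.

    REGEDIT4 files (like fix.reg above) store one byte per character in the ANSI code
    page; 'Windows Registry Editor Version 5.00' files use UTF-16LE, so pass
    encoding="utf-16-le" for those. Each string is NUL-terminated and the list ends
    with one extra NUL, so the two trailing 00 bytes in fix.reg are expected.
    """
    m = re.search(r"hex\(7\):([0-9a-fA-F,\s\\]+)", line)
    if not m:
        raise ValueError("not a hex(7) value: %r" % line)
    tokens = m.group(1).replace("\\", "").split(",")   # drop line-continuation backslashes
    raw = bytes(int(t, 16) for t in tokens if t.strip())
    return [s for s in raw.decode(encoding).split("\x00") if s]


def parse_autoruns_text(text):
    """Yield (section, name, path) from Autoruns-style text output.

    Section lines have no '+ ' prefix. Entry lines look like
    '+ <name> [<description> (<Verified|Not verified>) <publisher>] <path>' or
    '+ <name> File not found: <path>'; a missing file yields path=None.
    """
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            section = line
            continue
        body = line[2:]
        if " File not found:" in body:
            yield section, body.split(" File not found:", 1)[0], None
            continue
        # The path is the last drive-letter path on the line (it may contain spaces).
        starts = [hit.start() for hit in re.finditer(r"[A-Za-z]:\\", body)]
        path = body[starts[-1]:] if starts else None
        yield section, body.split()[0], path


def triage_persistence(text):
    """Return [(section_key, name, reason)] for entries outside the allow-list."""
    findings = []
    for section, name, path in parse_autoruns_text(text):
        key = next((k for k in WATCHED_SECTIONS if section and section.lower().endswith(k)), None)
        if key is None:
            continue
        # Authentication Packages lists module names; compare on the file stem.
        stem = re.sub(r"\.(dll|dat)$", "", name.split("\\")[-1].lower())
        if stem in WATCHED_SECTIONS[key]:
            continue
        reason = "file missing (dangling entry)" if path is None else "unexpected module: " + path
        findings.append((key, name, reason))
    return findings


if __name__ == "__main__":
    print("fix.reg writes:", decode_reg_hex7('"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'))
    for key, name, reason in triage_persistence(SAMPLE_LOG):
        print("%-28s %-32s %s" % (key, name, reason))
```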

#11 emopants92

emopants92
  • Topic Starter

  • Members
  • 87 posts
  • Gender:Male

Posted 20 March 2008 - 10:09 PM

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 2wSysTray HomePortal Monitor Application by 2Wire Engineering (Not verified) 2Wire, Inc. c:\program files\2wire\2portalmon.exe
+ 30ff593c File not found: C:\WINDOWS\system32\nfdcecbm.dll
+ BM33cc6aa0 c:\windows\system32\hoapctic.dll
+ RRT-Auto A tool to remove system restrictions and defend against removable media malware! (Not verified) iSergiwa Software - www.sergiwa.com c:\documents and settings\mitchell\local settings\temp\rar$ex00.219\rrt.exe
+ SoundMAXPnP SMax4PNP MFC Application (Not verified) Analog Devices, Inc. c:\program files\analog devices\core\smax4pnp.exe
+ TkBellExe RealNetworks Scheduler (Verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
+ WinPatrol WinPatrol System Monitor (Verified) BillP Studios c:\program files\billp studios\winpatrol\winpatrol.exe
+ XboxStat XBoxStat.exe (Not verified) Microsoft Corporation c:\program files\microsoft xbox 360 accessories\xboxstat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
+ hpoddt01.exe.lnk hpotdd01 (Not verified) Hewlett-Packard c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
C:\Documents and Settings\Mitchell\Start Menu\Programs\Startup
+ OpenOffice.org 2.3.lnk c:\program files\openoffice.org 2.3\program\quickstart.exe
+ Thoosje Vista Sidebar.lnk c:\program files\thoosje sidebar v2.3\thoosje vista sidebar.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ Aim6 AIM (Not verified) AOL LLC c:\program files\aim6\aim6.exe
+ Jnskdfmf9eldfd c:\documents and settings\mitchell\local settings\temp\csrssc.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
+ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ iTunes iTunes Mini Player DLL (Verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll
+ OpenOffice.org Column Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Infotip Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Property Sheet Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Thumbnail Viewer (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
+ Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
Task Scheduler
+ FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job FRU-Client MFC Application c:\program files\hewlett-packard\digital imaging\bin\hpqfrucl.exe
+ McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
+ McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
HKLM\System\CurrentControlSet\Services
+ Bonjour Service ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762## (Not verified) Apple Computer, Inc. c:\program files\bonjour\mdnsresponder.exe
+ CAISafe File not found: C:\Program Files\Yahoo!\Antivirus\ISafe.exe
+ VETMSGNT File not found: C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
HKLM\System\CurrentControlSet\Services
+ Beep c:\windows\system32\drivers\beep.sys
+ BsStor B.H.A Storage Helper Driver (WindowsNT5.x) (Not verified) B.H.A Co.,Ltd. c:\windows\system32\drivers\bsstor.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ d347bus PnP BIOS Extension (Not verified) c:\windows\system32\drivers\d347bus.sys
+ d347prt SCSI miniport (Not verified) c:\windows\system32\drivers\d347prt.sys
+ DiagnosticScan File not found: C:\Program Files\Adware Away\DiagnosticScan.SYS
+ GEARAspiWDM CD/DVD Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys
+ IFP300 iriver Internet Audio Player IFP-300 File not found: system32\DRIVERS\ifp300.sys
+ InCDPass File not found: system32\drivers\InCDPass.sys
+ InCDRm remapper (Not verified) Ahead Software AG c:\windows\system32\drivers\incdrm.sys
+ IPVNMon IPVNMon (Not verified) Visual Networks c:\windows\system32\drivers\ipvnmon.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ MCSTRM RealNetworks Virtual Path Manager® (Not verified) RealNetworks, Inc. c:\windows\system32\drivers\mcstrm.sys
+ NPF npf (Not verified) CACE Technologies c:\windows\system32\drivers\npf.sys
+ npkcrypt File not found: C:\Program Files\NEXON\MapleStory\npkcrypt.sys
+ nuvaud2 File not found: system32\DRIVERS\nuvaud2.sys
+ oreans32 File not found: C:\WINDOWS\system32\drivers\oreans32.sys
+ Partizan Partizan - Rootkit detector (Not verified) Greatis Software c:\windows\system32\drivers\partizan.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ pfc Padus® ASPI Shell (Not verified) Padus, Inc. c:\windows\system32\drivers\pfc.sys
+ psa500 QSound Virtual Engine driver (Not verified) QSound Labs, Inc. c:\windows\system32\drivers\psa500.sys
+ PSSdk23 File not found: C:\WINDOWS\system32\Drivers\PsSdk23.drv
+ PsSdk30 File not found: C:\WINDOWS\system32\Drivers\PsSdk30.drv
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ SCDEmu PowerISO Virtual Drive (Not verified) PowerISO Computing, Inc. c:\windows\system32\drivers\scdemu.sys
+ SNPSTD3 PC Camera driver c:\windows\system32\drivers\snpstd3.sys
+ sptd c:\windows\system32\drivers\sptd.sys
+ TPkd InterLok system file (Verified) PACE Anti-Piracy, Inc. c:\windows\system32\drivers\tpkd.sys
+ UacFlt UAC355x Filter/Support Driver (Not verified) Micronas GmbH c:\windows\system32\drivers\uacbflt.sys
+ VET-FILT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-filt.sys
+ VET-REC CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-rec.sys
+ VETEBOOT RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\veteboot.sys
+ VETEFILE RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetefile.sys
+ VETFDDNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetfddnt.sys
+ VETMONNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetmonnt.sys
+ wanatw File not found: system32\DRIVERS\wanatw4.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ Partizan Partizan - First Bootwatch Anti-Rootkit (Not verified) Greatis Software c:\windows\system32\partizan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ cru629.dat c:\windows\system32\cru629.dat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ xxyaxxx File not found: xxyaxxx.dll
+ yjngchdt File not found: yjngchdt.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\system32\bubbles.scr Bubbles Screen Saver (Not verified) Microsoft Corporation c:\windows\system32\bubbles.scr
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ CA ISafe LSP CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [RAW/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [TCP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [UDP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll

Edited by emopants92, 20 March 2008 - 11:38 PM.


#12 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 21 March 2008 - 07:38 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#13 emopants92

emopants92
  • Topic Starter

  • Members
  • 87 posts
  • Gender:Male

Posted 21 March 2008 - 11:55 AM

OK, thank you so much, I can finally get HijackThis to run! Yeah, the only thing next is that I also have WinPatrol and get a new startup program every 10 seconds, and it won't stop when I click No, even after 100 times, lol. The first log is the report, then the second is the HijackThis log file.

SDFix: Version 1.159

Run by Mitchell on Fri 03/21/2008 at 09:34 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
pcximg
pzqlp

Path:
\??\C:\WINDOWS\system\pcximg.pif
\??\C:\WINDOWS\Help\pzqlp.chm

pcximg - Deleted
pzqlp - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys" 31232 02/25/2008 08:07 PM
"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 31232 02/25/2008 08:07 PM

Infected File Listed Below:

C:\WINDOWS\system32\DLLCACHE\beep.sys
C:\WINDOWS\system32\DRIVERS\BEEP.SYS

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys" 4224 03/21/2008 12:23 AM
"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 4224 03/21/2008 12:23 AM



Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk - Deleted
C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk - Deleted
C:\Program Files\Helper\1205557079.dll - Deleted
C:\Program Files\Helper\1205557147.dll - Deleted
C:\Program Files\WinReanimator\htmlayout.dll - Deleted
C:\Program Files\WinReanimator\install.exe - Deleted
C:\Program Files\WinReanimator\pthreadVC2.dll - Deleted
C:\Program Files\WinReanimator\un.ico - Deleted
C:\Program Files\WinReanimator\unzip32.dll - Deleted
C:\Program Files\WinReanimator\WinReanimator.cfg - Deleted
C:\Program Files\WinReanimator\WinReanimator.dll - Deleted
C:\Program Files\WinReanimator\WinReanimator.exe - Deleted
C:\Program Files\WinReanimator\data\daily.cvd - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll - Deleted
C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\WINDOWS\braviax.exe - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\winistr.exe - Deleted
C:\WINDOWS\help\pzqlp.chm - Deleted
C:\WINDOWS\system\pcximg.pif - Deleted



Folder C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator - Removed
Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\WinReanimator - Removed


The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\2Wire\2PortalMon.exe
c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\AIM6\aim6.exe


Removing Temp Files

ADS Check :


C:\WINDOWS\system32
:svchost 686
Total size: 686 bytes.
system32: deleted 686 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 09:42:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,21,74,73,d9,a1,6c,d5,76,f0,0d,c7,13,53,ab,5f,cd,ca,..
"hj34z0"=hex:99,a5,1b,9a,8c,aa,68,e3,6a,ca,5a,72,0b,42,ea,a7,99,2c,bd,aa,58,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,57,3d,59,d2,a3,14,49,bd,9a,d8,75,b9,65,f6,8d,e5,64,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
"khjeh"=hex:20,02,00,00,bf,39,59,d2,6b,1d,52,c0,22,b7,61,80,ed,63,cc,39,4c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
"khjeh"=hex:20,02,00,00,ca,27,59,d2,bc,55,b2,fd,af,5f,ac,64,d6,31,15,77,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:14c02a52
"s1"=dword:aa5a74b3
"s2"=dword:b35e9d52

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe:*:Enabled:RealNetworks Rhapsody"
"C:\\Program Files\\Atari-Infogrames\\Roller Coaster Tycoon 2\\rct2.exe"="C:\\Program Files\\Atari-Infogrames\\Roller Coaster Tycoon 2\\rct2.exe:*:Enabled:rct2"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe:*:Enabled:Yahoo! Browser"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE"="C:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE:*:Enabled:Microsoft DirectPlay8 Server"
"G:\\GAME\\FS9.EXE"="G:\\GAME\\FS9.EXE:*:Enabled:Microsoft Flight Simulator"
"C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe"="C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TimHillOne\\H264WebCamPro\\H264WebCamPro.exe"="C:\\Program Files\\TimHillOne\\H264WebCamPro\\H264WebCamPro.exe:*:Enabled:H264WebCam Microsoft MFC Class Application"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe:*:Enabled:mem86control"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe:*:Enabled:opserver"
"C:\\Program Files\\JetCast Server\\JCSERVER.exe"="C:\\Program Files\\JetCast Server\\JCSERVER.exe:*:Enabled:jetCast Server"
"C:\\Program Files\\JetAudio\\JcServer.exe"="C:\\Program Files\\JetAudio\\JcServer.exe:*:Enabled:jcServer"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Icecast2 Win32\\Icecast2.exe"="C:\\Program Files\\Icecast2 Win32\\Icecast2.exe:*:Enabled:Icecast2win"
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"="C:\\Program Files\\Counter-Strike 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe:*:Enabled:opserver"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\EA games\\Battlefield 2\\Bf2_w32ded.exe"="C:\\Program Files\\EA games\\Battlefield 2\\Bf2_w32ded.exe:*:Enabled:Bf2_w32ded"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\XBC\\XBC_NS.exe"="C:\\Program Files\\XBC\\XBC_NS.exe:*:Enabled:XBConnect"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE:*:Enabled:Yahoo! Messenger"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe:*:Enabled:PimpStreamer, Streams video from PC to PSP Realtime!"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 25 Jan 2008 211 A.SHR --- "C:\BOOT.BAK"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Fri 14 Mar 2008 16,384 ..SH. --- "C:\Program Files\Internet Explorer\setupapi.dll"
Mon 12 Feb 2007 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Fri 30 Dec 2005 338,891 A.SH. --- "C:\WINDOWS\SYSTEM32\nmllm.tmp"
Sun 25 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 7 Sep 2007 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Sun 19 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Sun 25 Dec 2005 4,348 A..H. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv1key.bak"
Sat 25 Mar 2006 20 A..H. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 25 Dec 2005 400 A.SH. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv2key.bak"
Wed 27 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 27 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 12 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 12 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Thu 13 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:10 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\bunny\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.193.196.81:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto
O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing)
O20 - Winlogon Notify: yjngchdt - yjngchdt.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7526 bytes
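
Added example, not part of the thread and not a tool the helper used: a short Python script that performs, over this HijackThis log, the same triage the next reply does by hand. It flags a Run key that starts rundll32.exe on a random-looking eight-letter DLL in system32, a Run key that points into a Temp folder (an autostart whose target lives in a scratch directory), and O20/O22/O24 entries whose file is missing, and it reports the R1 ProxyServer line for review rather than removal, since the log alone cannot say whether that proxy is expected. The regexes, the eight-letter rule and the sample lines embedded in the script (copied from the log above, with two benign entries kept in for contrast) are this example's own assumptions.

```python
"""Triage a HijackThis log for the entry patterns the helper singled out:
a Run key that starts rundll32.exe on a random-looking 8-letter DLL in
system32, a Run key that points into a Temp directory, and O20/O22/O24
hooks whose file is gone.  A ProxyServer setting is reported for review
rather than removal.  Added example; the regexes are this example's own."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log in the thread, plus
# two benign entries (SoundMAX, SUPERAntiSpyware) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.193.196.81:80
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto
O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O24 - Desktop Component 0: (no name) - (no file)
"""

# rundll32 started from a Run key on an 8-letter, all-alphabetic DLL in system32
RUNDLL_DLL = re.compile(
    r'^O4 - .*?rundll32\.exe\s+"?(?P<path>[^",]*\\system32\\(?P<stem>[a-z]{8})\.dll)',
    re.IGNORECASE,
)
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
PROXY = re.compile(r"^R1 - .*ProxyServer\s*=\s*(?P<proxy>\S+)", re.IGNORECASE)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, reason) for one log line, or None if nothing matched."""
    section = line.split(" - ", 1)[0].strip()
    m = RUNDLL_DLL.match(line)
    if m:
        return "remove", f"rundll32 loads {m['stem']}.dll from system32 (random-looking name)"
    if section == "O4" and TEMP_DIR.search(line):
        return "remove", "autostart entry points into a Temp directory"
    if section in {"O20", "O22", "O24"} and ORPHAN.search(line):
        return "remove", f"{section} hook whose target file no longer exists"
    m = PROXY.match(line)
    if m:
        return "review", f"proxy server {m['proxy']} is configured; confirm it is expected"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Run classify() over a whole log; returns (verdict, reason, line) per hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verdict = classify(line)
        if verdict:
            findings.append((verdict[0], verdict[1], line))
    return findings


if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {reason}\n         {line}")
```

The script is deliberately conservative: an entry that merely looks odd but whose file exists and is not in a Temp folder is left alone, because a missing-file hook or a scratch-directory autostart can be removed with no loss, while a real program should be identified before it is touched.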

#14 random/random

  • Malware Response Team
  • 2,704 posts

Posted 21 March 2008 - 12:32 PM

These files are legit, but they've been infected, so you'll need to reinstall the programs after this fix:


C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\2Wire\2PortalMon.exe
c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\AIM6\aim6.exe

Back up Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a Notepad window:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp"=-

Save it to the desktop as fix.reg, making sure "Save as type" is set to "All Files".

Locate fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\nfdcecbm.dll
    C:\WINDOWS\system32\hoapctic.dll
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\2Wire\2PortalMon.exe
    c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\Program Files\AIM6\aim6.exe
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Run HijackThis
Click on "Do a system scan only"
Place a checkmark next to these lines (if still present):

O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto
O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s
O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing)
O20 - Winlogon Notify: yjngchdt - yjngchdt.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O24 - Desktop Component 0: (no name) - (no file)

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
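
Added example, not the helper's own tool: a Python script that takes the firewall AuthorizedApplications export shown in the SDFix log and writes the kind of fix.reg used in the reply above. The point it demonstrates is the REGEDIT4 deletion syntax: a line of the form "name"=- under a [key] header removes that value when the file is merged, which is exactly what the codebox above does to the Temp and "No CD Crack" exceptions. The selection rules (path under Local Settings\Temp, a target that is not an .exe, "crack" in the path) and the sample export embedded in the script (four lines from the log above plus an fs9.exe line whose data string is constructed, since the thread only shows its deletion) are this example's assumptions.

```python
"""Turn a Windows Firewall AuthorizedApplications export into a REGEDIT4 file
that deletes the entries worth removing, the way the fix.reg in the reply
does: in a .reg file, "name"=- under a [key] deletes that value on merge.
Added example, not the helper's tool; the selection rules (Temp paths,
non-.exe files, "crack" in the path) are this example's own heuristics."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the exported-.reg layout shown in the SDFix log:
# four entries taken from that log plus the fs9.exe entry the fix removed
# (its data string is made up here; the thread only shows the deletion line).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe:*:Enabled:PimpStreamer, Streams video from PC to PSP Realtime!"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp:*:Enabled:enable"
"C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe"="C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe:*:Enabled:fs9"
'''

# "name"="data" with .reg escaping (backslashes doubled, quotes escaped in name)
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

RegKeys = Dict[str, List[Tuple[str, str]]]


def parse_reg_export(text: str) -> RegKeys:
    """Map each [key] to its list of (escaped name, raw data) value lines."""
    keys: RegKeys = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current].append((m["name"], m["data"]))
    return keys


def unescape(name: str) -> str:
    """Undo .reg escaping so the value name reads as a plain Windows path."""
    return name.replace("\\\\", "\\").replace('\\"', '"')


def why_remove(path: str) -> Optional[str]:
    """Reason to drop a firewall exception, or None to keep it."""
    p = path.lower()
    if "\\local settings\\temp\\" in p or "\\locals~1\\temp\\" in p:
        return "exception for a program run from a Temp directory"
    if not p.endswith(".exe"):
        return "exception for something that is not an .exe"
    if "crack" in p:
        return "exception for a cracked executable"
    return None


def find_removals(keys: RegKeys) -> List[Tuple[str, str, str]]:
    """(key, escaped name, reason) for every value why_remove() objects to."""
    out = []
    for key, values in keys.items():
        for name, _data in values:
            reason = why_remove(unescape(name))
            if reason:
                out.append((key, name, reason))
    return out


def build_removal_reg(removals: List[Tuple[str, str, str]]) -> str:
    """REGEDIT4 text whose "name"=- lines delete the listed values on merge."""
    lines = ["REGEDIT4", ""]
    current = None
    for key, name, reason in removals:
        if key != current:
            lines.append(f"[{key}]")
            current = key
        lines.append(f"; {reason}")      # ';' starts a comment line in a .reg file
        lines.append(f'"{name}"=-')
    lines.append("")
    return "\r\n".join(lines)            # CRLF is the native .reg line ending


if __name__ == "__main__":
    print(build_removal_reg(find_removals(parse_reg_export(SAMPLE_EXPORT))))
```

The escaped name is written back verbatim rather than re-escaped, so the value regedit deletes is byte-for-byte the one that was exported; only the keep/remove decision works on the unescaped path. As in the reply, the registry should be backed up (ERUNT) before merging, because "name"=- is not reversible from the .reg file itself.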


#15 emopants92

  • Topic Starter
  • Members
  • 87 posts

Posted 21 March 2008 - 04:20 PM

This is my OT log, and the second is the log from the online scanner.

File/Folder C:\WINDOWS\system32\nfdcecbm.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hoapctic.dll
C:\WINDOWS\system32\hoapctic.dll NOT unregistered.
C:\WINDOWS\system32\hoapctic.dll moved successfully.
C:\Program Files\Analog Devices\Core\smax4pnp.exe moved successfully.
C:\Program Files\2Wire\2PortalMon.exe moved successfully.
c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe moved successfully.
C:\Program Files\AIM6\aim6.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_114518

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2966 (20080321)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=094e458ae4794642906fcdc59fa3aeab
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-21 08:15:36
# local_time=2008-03-21 01:15:36 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=475373
# found=29
# scan_time=4913
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBEOGWWV\sdferw[1].htm Win32/BHO.NCI trojan B88D8A8AE94EE4986D6FA57ADE5989EE
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\UQ0ZR7RN\Installer[1].exe Win32/Adware.WinReanimator application 05D2E2D567DFE2B2F00C2DF7A57F1443
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip Win32/Adware.WinReanimator application 828A14150262A6A18A31B046AA350CA0
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip »ZIP »WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-817955303-2890540678-2661541813-1006\Dc7.exe Win32/Adware.WinFixer application 2D1580425AF8FB4318D6304A14F46012
C:\SDFix\backups\backups.zip multiple infiltrations 8762AD9788FC12518C97509DA1EB75E9
C:\SDFix\backups\backups.zip »ZIP »backups/1205557079.dll Win32/BHO.NCV trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/1205557147.dll Win32/BHO.NCI trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/BEEP.SYS a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/braviax.exe a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/cru629.dat Win32/TrojanProxy.Agent.NDN trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/csrssc.exe probably a variant of Win32/TrojanDownloader.Small.CYF trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/install.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/winistr.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip multiple infiltrations 04EFB26704921C27A4B3FDFB97876E89
C:\SDFix\backups\catchme.zip »ZIP »beep.sys a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip »ZIP »beep.sys.1 a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip »ZIP »pcximg.pif Win32/TrojanDownloader.Agent.JMZ trojan 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\ayaeqwxi.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE.del a variant of Win32/Adware.UltimateDefender application 254C82FBC79956B7D1B492E16AFE82C7
C:\WINDOWS\SYSTEM32\cwqbnjwf.dll Win32/Adware.AdMedia application FFD39115CA3A41A8D8D7D330CC83591F
C:\WINDOWS\SYSTEM32\dwkvnnbj.dll Win32/Adware.Virtumonde application BD36712C0944EB8BD3CF0A3086C12960
C:\WINDOWS\SYSTEM32\ecoklfbk.dll Win32/Adware.SecToolbar application 0B3F2E02AC5C2EE57D677D63362B56F7
C:\WINDOWS\SYSTEM32\kokbthgc.dll Win32/Adware.AdMedia application FFD39115CA3A41A8D8D7D330CC83591F
C:\WINDOWS\SYSTEM32\rvnhenvj.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5
C:\WINDOWS\SYSTEM32\UIFKMUKH.DLL.del Win32/Adware.AdMedia application 032EE9E686094FCB812C8BE4C7E3F4CA
C:\WINDOWS\SYSTEM32\windows Win32/Adware.SecToolbar application AD249B316368039C91BC2B6B3DDFFF64
C:\WINDOWS\SYSTEM32\yjyqgici.dll Win32/Adware.Virtumonde application 0202C561364D2E57E2D277B7F70B14E4
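
Added example, not from the poster or from ESET: a Python parser for the ESET Online Scanner log format above that sorts each hit by where it lives. The caveat it encodes is the one a practitioner applies before reacting to found=29: hits inside C:\SDFix\backups\*.zip are the backups SDFix made of what it already removed (the SDFix log above lists that zip under "File Backups"), browser-cache and Recycle Bin hits are files nothing is loading, and a .del suffix is a renamed leftover that can no longer run under its original name; the DLLs still sitting in SYSTEM32 are the ones that can still be loaded. It also groups paths that share an MD5 (ayaeqwxi.dll and rvnhenvj.dll in this log), which means the same component was dropped under two names. The location buckets and the sample lines embedded in the script (copied from the log above) are this example's own; the "<archive> »ZIP »<member>" form with an all-zero MD5 is how the scanner reports archive members.

```python
r"""Sort an ESET Online Scanner log by where each hit lives.  Added example,
not from the thread or from ESET; the location buckets are this example's
own heuristics.  Hits inside C:\SDFix\backups\*.zip are backups of what
SDFix already removed, so they are not active; files still in SYSTEM32 are."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: nine lines copied from the scanner log in the thread
# (archive members appear as "<archive> »ZIP »<member>" with an all-zero MD5).
SAMPLE_ESET_LOG = r"""
# found=29
# scanned=475373
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBEOGWWV\sdferw[1].htm Win32/BHO.NCI trojan B88D8A8AE94EE4986D6FA57ADE5989EE
C:\RECYCLER\S-1-5-21-817955303-2890540678-2661541813-1006\Dc7.exe Win32/Adware.WinFixer application 2D1580425AF8FB4318D6304A14F46012
C:\SDFix\backups\backups.zip multiple infiltrations 8762AD9788FC12518C97509DA1EB75E9
C:\SDFix\backups\backups.zip »ZIP »backups/cru629.dat Win32/TrojanProxy.Agent.NDN trojan 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip »ZIP »pcximg.pif Win32/TrojanDownloader.Agent.JMZ trojan 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\ayaeqwxi.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE.del a variant of Win32/Adware.UltimateDefender application 254C82FBC79956B7D1B492E16AFE82C7
C:\WINDOWS\SYSTEM32\rvnhenvj.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5
C:\WINDOWS\SYSTEM32\yjyqgici.dll Win32/Adware.Virtumonde application 0202C561364D2E57E2D277B7F70B14E4
"""

# <path with spaces> <detection name> [trojan|application] <32-hex MD5>
ENTRY = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?Win32/\S+|multiple infiltrations)"
    r"(?:\s+(?P<kind>trojan|application))?"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Hit:
    path: str
    detection: str
    kind: str          # "trojan", "application" (adware/PUA) or "" for an archive summary
    md5: str
    location: str


def locate(path: str) -> str:
    """Bucket a hit by where it sits; order matters (backup zip before .del)."""
    p = path.lower()
    if "\\sdfix\\backups\\" in p:
        return "tool backup"
    if "\\temporary internet files\\" in p:
        return "browser cache"
    if "\\recycler\\" in p:
        return "recycle bin"
    if p.endswith(".del"):
        return "renamed leftover"
    return "live"


def parse_eset_log(text: str) -> List[Hit]:
    """Parse hit lines, skipping the '# key=value' header block."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:
            hits.append(Hit(m["path"], m["detection"], m["kind"] or "", m["md5"], locate(m["path"])))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    return dict(Counter(h.location for h in hits))


def live_hits(hits: List[Hit]) -> List[Hit]:
    return [h for h in hits if h.location == "live"]


def same_hash_groups(hits: List[Hit]) -> Dict[str, List[str]]:
    """Distinct paths sharing an MD5: one component dropped under several names."""
    by_md5 = defaultdict(list)
    for h in hits:
        if set(h.md5) != {"0"}:            # archive members carry a placeholder MD5
            by_md5[h.md5].append(h.path)
    return {k: v for k, v in by_md5.items() if len(v) > 1}


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_ESET_LOG)
    print(summarize(found))
    for h in live_hits(found):
        print("still present:", h.path, h.detection)
    for md5, paths in same_hash_groups(found).items():
        print("same file under several names:", md5, paths)
```

Two things worth noting: the scan above was run with "Remove found threats" unticked, so the log is an inventory rather than an action record, and the live list is what the next fix should target; and the shared hash is a better pivot than the random file names, since the names change between drops but the component does not.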



