Infected With Winantiviruspro + Other Spyware


This topic is locked
8 replies to this topic

#1 WrathxP

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:38 PM

Posted 28 May 2008 - 10:21 PM

Deckard's System Scanner v20071014.68
Run by user on 2008-05-28 19:58:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
89: 2008-05-28 23:34:24 UTC - RP1182 - Deckard's System Scanner Restore Point
88: 2008-05-27 23:22:12 UTC - RP1181 - Last known good configuration
87: 2008-05-23 18:06:14 UTC - RP1180 - System Checkpoint
86: 2008-05-22 17:02:40 UTC - RP1179 - System Checkpoint
85: 2008-05-21 16:28:54 UTC - RP1178 - System Checkpoint


-- First Restore Point --
1: 2008-02-25 02:32:57 UTC - RP1094 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as user.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-28 20:02:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mrtmngr.exe
C:\Documents and Settings\user\Desktop\DSS.exe
C:\WINDOWS\system32\conime.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\wvUnOFXq.dll
O2 - BHO: {b851bbbb-0f91-be68-baa4-ff39ceb077c6} - {6c770bec-93ff-4aab-86eb-19f0bbbb158b} - C:\WINDOWS\system32\yykppath.dll
O2 - BHO: (no name) - {8801A534-01DB-49E7-8520-46311C4D8A86} - C:\WINDOWS\system32\byXPFXop.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\user\cftmon.exe
O4 - HKCU\..\Run: [a85c9d2d] rundll32.exe "C:\WINDOWS\system32\gkjxfmqi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} (NHNComicViewer Class) - http://cdn.naver.com/naver/comic/viewer/20...ComicViewer.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} (Launcher Class) - http://app.gomtv.com/gomtv/gomtvx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: wvUnOFXq - C:\WINDOWS\system32\wvUnOFXq.dll
O20 - Winlogon Notify: __c00C9C12 - C:\WINDOWS\system32\__c00C9C12.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe


--
End of file - 7827 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SiSkp - c:\windows\system32\drivers\srvkp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® WindowsXP Display Manager>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 IntelS51 (Intel® 536EP Modem) - c:\windows\system32\drivers\intels51.sys <Not Verified; Intel Corporation; Intel® 536EP Modem>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 SiS315 - c:\windows\system32\drivers\sisgrp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® Compatible Super VGA Miniport Driver for Windows XP>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 21:56:11 342 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2500 series#1108014577.job


-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 16:24:56 116224 --a------ C:\WINDOWS\system32\gkjxfmqi.dll
2008-05-28 16:24:52 133632 --a------ C:\WINDOWS\system32\yykppath.dll
2008-05-27 16:21:51 1655 --ahs---- C:\WINDOWS\system32\poXFPXyb.ini2
2008-05-27 16:21:43 370688 --a------ C:\WINDOWS\system32\byXPFXop.dll
2008-05-27 16:16:33 59904 --a------ C:\WINDOWS\system32\wvUnOFXq.dll
2008-05-27 16:16:27 45056 --a------ C:\WINDOWS\system32\__c00C1CC2.exe
2008-05-26 19:09:28 0 d-------- C:\Program Files\WinAntivirusPro3.8
2008-05-25 14:14:04 45056 --a------ C:\WINDOWS\system32\__c00712A.exe
2008-05-23 20:16:45 5120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-23 20:16:45 28160 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-05-23 20:12:32 28160 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-05-23 20:12:32 21504 --a------ C:\Documents and Settings\user\cftmon.exe
2008-05-23 20:11:28 0 d-------- C:\Program Files\LiveAntispy
2008-05-23 20:11:20 5120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-23 20:11:19 5120 --a------ C:\Documents and Settings\user\ftp34.dll
2008-05-23 20:11:19 1219436 --a------ C:\Documents and Settings\user\Application Data\Install.dat
2008-05-23 20:11:18 16155 --a------ C:\WINDOWS\xpupdate.exe
2008-05-23 20:11:15 45056 --a------ C:\WINDOWS\system32\__c00A458A.exe
2008-05-22 18:00:59 184 --a------ C:\xcrashdump.dat
2008-05-22 17:59:57 27648 --a------ C:\WINDOWS\system32\__c00C9C12.dat
2008-05-22 17:59:48 44032 --a------ C:\WINDOWS\system32\~.exe
2008-05-04 10:40:37 141612 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys


-- Find3M Report ---------------------------------------------------------------

2008-05-23 15:56:32 0 d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2008-03-29 11:25:44 0 d-------- C:\Program Files\Softnyx
2008-02-28 19:36:54 212992 --a------ C:\WINDOWS\system32\GG_CRC.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32341E7E-C319-46DE-91D0-E30BB1A3CABA}]
05/27/2008 04:16 PM 59904 --a------ C:\WINDOWS\system32\wvUnOFXq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c770bec-93ff-4aab-86eb-19f0bbbb158b}]
05/28/2008 04:24 PM 133632 --a------ C:\WINDOWS\system32\yykppath.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8801A534-01DB-49E7-8520-46311C4D8A86}]
05/27/2008 04:21 PM 370688 --a------ C:\WINDOWS\system32\byXPFXop.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [05/28/2008 01:04 PM]
"autoload"="C:\Documents and Settings\user\cftmon.exe" [05/27/2008 04:16 PM]
"a85c9d2d"="C:\WINDOWS\system32\gkjxfmqi.dll,b" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 06:07 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAntivirusPro"=C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

C:\Documents and Settings\user\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [3/17/2003 7:50:26 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [4/20/2004 1:27:00 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [7/7/2003 2:20:40 AM]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [4/20/2004 1:24:36 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 9:05:56 PM]
Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [5/15/2005 2:03:07 PM]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe [1/30/2006 5:56:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=,梢

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{32341E7E-C319-46DE-91D0-E30BB1A3CABA}"= C:\WINDOWS\system32\wvUnOFXq.dll [05/27/2008 04:16 PM 59904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnOFXq]
wvUnOFXq.dll 05/27/2008 04:16 PM 59904 C:\WINDOWS\system32\wvUnOFXq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C9C12]
C:\WINDOWS\system32\__c00C9C12.dat 05/27/2008 09:13 PM 27648 C:\WINDOWS\system32\__c00C9C12.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\byXPFXop




-- End of Deckard's System Scanner: finished at 2008-05-28 20:05:01 ------------


(I didn't know how to attach files.)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.00GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 503.48 MiB / 259.89 MiB
Pagefile Memory (total/avail): 1229.44 MiB / 1044.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.68 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 57.26 GiB total, 37.41 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)

\\.\PHYSICALDRIVE0 - - 57.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 57.26 GiB - C:

\\.\PHYSICALDRIVE1 - EPSON USB Mass Storage USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC 응용 프로그램"
"C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC 응용 프로그램"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\e-Games\\Survival Project\\survivalproject.exe"="C:\\Program Files\\e-Games\\Survival Project\\survivalproject.exe:*:Enabled:survivalproject"
"C:\\Program Files\\e-Games\\Survival Project\\sp.exe"="C:\\Program Files\\e-Games\\Survival Project\\sp.exe:*:Enabled:sp"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\SteamApps\\berserkfuryx\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\berserkfuryx\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC 응용 프로그램"
"C:\\Nexon\\MapleStory\\NewPatcher.exe"="C:\\Nexon\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC 응용 프로그램"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"="C:\\Program Files\\MostFun\\Bin\\MostFun.exe:*:Disabled:MostFun Agent"
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\ijji\\ENGLISH\\u_gbound.exe"="C:\\ijji\\ENGLISH\\u_gbound.exe:*:Enabled:<ijji Downloader>"
"C:\\Program Files\\TurboPlayer\\TurboAgent.exe"="C:\\Program Files\\TurboPlayer\\TurboAgent.exe:*:Enabled:TURBO AGENT"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-TY081J8ROP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\USER-TY081J8ROP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
PS5ROOT=C:\Program Files\Roxio\Easy CD Creator 6\PhotoSuite\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=USER-TY081J8ROP
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\AOL\AOL Toolbar 5.0\uninstall.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AOL Toolbar 5.0 --> "C:\Program Files\AOL\AOL Toolbar 5.0\uninstall.exe"
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
Cake Mania 2 --> "C:\Program Files\Best Buy Games\Cake Mania 2\unins000.exe"
CineParkME --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CineParkME\Uninst.isu"
DaumGameAutoInstaller --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA3ACFCA-B265-42D0-9685-78D09116DDC8}\Setup.exe"
Daum맞고2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E338EAA-68F1-4802-98A0-BC5EE4BBC636}\Setup.exe"
DefilerPak 1.20 (Remove Only) --> "C:\Program Files\DefilerPak\UnDefile.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ebgcInfra --> MsiExec.exe /X{39B1BD87-561E-4762-AED9-7C5213B06C24}
ebgcRes --> MsiExec.exe /X{91746221-0B6A-4572-BEE3-A4D587FF98EA}
ebgcSDK --> MsiExec.exe /X{13AD768A-9E04-499D-AE80-967A65DCCBA5}
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Stylus CX7000F Scanner Driver Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1CA2E5E4-F4FE-44B4-95E9-77523FB95838}\Setup.exe" -l0x9
EPSON Stylus CX7000F User's Guide --> C:\Program Files\epson\guide\cx7000f_e\uninstall.exe
Far Out Field Trips --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\JSFarOutUn.exe
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Gunbound Revolution --> "c:\ijji\ENGLISH\Gunbound Revolution\unins000.exe"
HijackThis 1.99.1 --> C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /uninstall
I Love Spelling! --> C:\WINDOWS\Uninst.exe -r"DK Multimedia\I Love Spelling!\1.0.0.0" -n"I Love Spelling!" -fC:\PROGRA~1\DKMULT~1\ILOVES~1\DeIsL1.isu -cC:\PROGRA~1\DKMULT~1\ILOVES~1\uninst.dll
ijji --> C:\ijji\ENGLISH\ijjiUninstall.exe
ijji Auto Installer --> "C:\Program Files\InstallShield Installation Information\{1DCC7418-2089-4BDD-B321-3771956160FC}\setup.exe" -runfromtemp -l0x0009 -removeonly
Intel® 536EP Modem --> rundll32 IntelSdi.dll,iSMUninstallation "Intel® 536EP Modem"
Intel® Extreme Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
JumpStart 3rd Grade v1.0 --> C:\WINDOWS\uninst.exe -fC:\KA\3G\DeIsL1.isu
JumpStart Advanced 3rd Grade --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\JSA3GUn.exe
JumpStart Advanced 4th Grade --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\JSA4GUn.exe
KSignAccessToolkit v1.0 --> C:\WINDOWS\system32\UnInstall_KAccess.exe
Linksys Wireless-G USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
MapleStory --> MsiExec.exe /I{F99C5427-4D78-43E2-B97E-F4C4E622D612}
MapleStory --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEC511B1-59CB-4F15-AD75-0543034572A5}\Setup.exe"
Mavis Beacon Teaches Typing 15 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1F2EF0E-1EE5-4F0B-8A31-EE875EBD3F01}\SETUP.EXE" -l0x9
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Mystery Club Gadget Games --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\GadgetUn.exe
Mystery Club Making of a Mastermind --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\MastermindUn.exe
Nancy Drew: Treasure in the Royal Tower --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Nancy Drew\Treasure in the Royal Tower\setup.exe"
Naver Player --> "C:\Program Files\Naver\NaverPlayer\uninstall.exe"
Palm Desktop --> MsiExec.exe /X{72765AF7-BEA5-4C62-9EC9-A9E386305D04}
QuickBooks 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intuit\QuickBooks\DeIsL1.isu" -c"C:\Program Files\Intuit\QuickBooks\removeqb.dll"
Quickstudy 6th Grade Math --> "C:\Program Files\Quickstudy\Quickstudy 6th Grade Math\uninstall.exe"
Rakion International --> "C:\Program Files\Softnyx\Rakion\unins000.exe"
Reading Blaster Ages 9-12 --> D:\setup.exe -funiRBM.ins
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Trickster Online --> C:\Program Files\Ntreev\TricksterEng\uninst.exe
TricksterEng --> C:\Program Files\Ntreev\TricksterEng\uninstall.exe
TurboPlayer Uninstall --> C:\WINDOWS\TurboUninstall.exe
Ultimate Field Trips --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\UltFieldTripsUn.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Where in the USA is Carmen Sandiego? --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Where in the USA is Carmen Sandiego\Uninst.isu"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type6863 / Error
Event Submitted/Written: 05/28/2008 07:58:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spools.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00001010.
Processing media-specific event for [spools.exe!ws!]

Event Record #/Type6862 / Error
Event Submitted/Written: 05/28/2008 04:44:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spools.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00001010.
Processing media-specific event for [spools.exe!ws!]

Event Record #/Type6859 / Error
Event Submitted/Written: 05/28/2008 04:39:07 PM
Event ID/Source: 14 / Symantec AntiVirus
Event Description:
Symantec AntiVirus services failed to start. Virus definition file is invalid. (CC001000)

Event Record #/Type6856 / Error
Event Submitted/Written: 05/28/2008 01:05:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application NT8973C32.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00001010.
Processing media-specific event for [NT8973C32.exe!ws!]

Event Record #/Type6855 / Error
Event Submitted/Written: 05/27/2008 04:17:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spools.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00001010.
Processing media-specific event for [spools.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12049 / Error
Event Submitted/Written: 05/28/2008 04:43:29 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The IMAPI CD-Burning COM Service service failed to start due to the following error:
%%1053

Event Record #/Type12048 / Error
Event Submitted/Written: 05/28/2008 04:43:28 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

Event Record #/Type12033 / Error
Event Submitted/Written: 05/28/2008 04:41:18 PM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Windows Image Acquisition (WIA) service hung on starting.

Event Record #/Type12032 / Error
Event Submitted/Written: 05/28/2008 04:40:11 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Symantec Event Manager service to connect.

Event Record #/Type12031 / Error
Event Submitted/Written: 05/28/2008 04:40:10 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Symantec AntiVirus service terminated with the following error:
%%10



-- End of Deckard's System Scanner: finished at 2008-05-28 20:05:01 ------------


Thank you so much. I don't know what I would do without you guys..


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:38 AM

Posted 29 May 2008 - 04:14 AM

Hello WrathxP and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 WrathxP

WrathxP
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 29 May 2008 - 03:36 PM

Thank you for such a fast reply, Thunder.

I have a problem though. I followed every step up to the ComboFix tutorial. I downloaded the Boot Disk File for XP Professional Service Pack 2 (which my computer has) and did the icon drop thing in the step, but it did not lead to the Recovery Installation. Instead it ran ComboFix, which I didn't want to exit out of in case that might've done something. It got to the "Scanning for Infected Files. This will not take more than 10 minutes" window, which I left alone for over 2 hours, but nothing else popped up. My time settings and desktop are changed now after I exited out of ComboFix because I figured 2 hours was a ridiculous amount of time past the 10 minutes. And I retried the icon drop to install the Recovery thing, but it just leads to "Are you sure you want to run this program?"

Help please =(.

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:38 AM

Posted 29 May 2008 - 04:49 PM

Hello WrathxP,

Please reboot your system, and you'll probably find you have an additional boot option on startup, indicating a proper Recovery Console install.

Then look for the ComboFix log (typically found as C:\ComboFix.txt) and if present, please post it in your next reply.
If not present, run ComboFix once more.

Greetings,
Thunder

#5 WrathxP

WrathxP
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 29 May 2008 - 08:11 PM

Malwarebyte's Log:

Malwarebytes' Anti-Malware 1.12
Database version: 799

Scan type: Quick Scan
Objects scanned: 38252
Time elapsed: 13 minute(s), 23 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 17
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 25

Memory Processes Infected:
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe (Rogue.WinAntivirus) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\byXPFXop.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\gkjxfmqi.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00C9C12.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\basecddp32.dll (Trojan.Downloader) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUnOFXq.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8801a534-01db-49e7-8520-46311c4d8a86} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8801a534-01db-49e7-8520-46311c4d8a86} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00c9c12 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvunofxq (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinAntivirusPro (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a85c9d2d (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAntivirusPro (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAntivirusPro (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxpfxop -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxpfxop -> Delete on reboot.

Folders Infected:
C:\Program Files\WinAntivirusPro3.8 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\LiveAntispy (Rogue.LiveAntispy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\byXPFXop.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\poXFPXyb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\poXFPXyb.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gkjxfmqi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iqmfxjkg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\LiveAntispy\LiveAntispy.exe (Rogue.LiveAntispy) -> Quarantined and deleted successfully.
C:\Program Files\LiveAntispy\LiveAntispy.lic (Rogue.LiveAntispy) -> Quarantined and deleted successfully.
C:\Program Files\LiveAntispy\Uninstall.exe (Rogue.LiveAntispy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C9C12.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\spools.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\basecddp32.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\wvUnOFXq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\xpupdate.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0058BDC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00712A.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00A458A.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C1CC2.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Start Menu\Programs\WinAntivirusPro.lnk (Rogue.SpyRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\WinAntivirusPro.lnk (Rogue.Link) -> Quarantined and deleted successfully.


ComboFix Log:

ComboFix 08-05-29.1 - user 2008-05-29 17:45:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.259 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\system32\__c00C9C12.dat
C:\WINDOWS\system32\byXPFXop.dll
C:\WINDOWS\system32\gkjxfmqi.dll
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\poXFPXyb.ini
C:\WINDOWS\system32\yykppath.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-29 11:21 . 2008-05-29 11:21 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-05-29 11:20 . 2008-05-29 11:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 11:20 . 2008-05-29 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 11:20 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 11:20 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 20:25 . 2008-05-28 20:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:25 . 2008-05-28 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 16:33 . 2008-05-28 16:33 <DIR> d-------- C:\Deckard
2008-05-27 16:23 . 2008-05-28 16:24 33,745 ---hs---- C:\WINDOWS\system32\glsbbrxn.ini
2008-05-27 16:16 . 2008-05-29 11:36 59,904 --------- C:\WINDOWS\system32\wvUnOFXq.dll
2008-05-26 02:42 . 2008-05-28 13:05 5,120 --a------ C:\WINDOWS\system32\config\systemprofile\ftp34.dll
2008-05-23 20:16 . 2008-05-28 16:44 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-23 20:11 . 2008-05-28 20:06 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-23 20:11 . 2008-05-29 11:18 5,120 --a------ C:\Documents and Settings\user\ftp34.dll
2008-05-04 10:40 . 2008-05-17 14:40 141,612 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 22:56 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-03-29 18:25 --------- d-----w C:\Program Files\Softnyx
2007-09-01 18:29 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-08-04 01:07 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32341E7E-C319-46DE-91D0-E30BB1A3CABA}]
2008-05-29 11:36 59904 --------- C:\WINDOWS\system32\wvUnOFXq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 10:41 68856]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-03-17 19:50:26 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-20 13:27:00 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 02:20:40 233472]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-04-20 13:24:36 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2005-05-15 14:03:07 2392064]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe [2006-01-30 17:56:08 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{32341E7E-C319-46DE-91D0-E30BB1A3CABA}"= C:\WINDOWS\system32\wvUnOFXq.dll [2008-05-29 11:36 59904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnOFXq]
wvUnOFXq.dll 2008-05-29 11:36 59904 C:\WINDOWS\system32\wvUnOFXq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C9C12]
C:\WINDOWS\system32\__c00C9C12.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\Program Files\\TurboPlayer\\TurboAgent.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 04:56:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2500 series#1108014577.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2500 series#1108014577
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 17:54:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\mrtmngr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-29 18:02:06 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-05-30 01:01:48

Pre-Run: 40,025,997,312 bytes free
Post-Run: 39,935,815,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

126 --- E O F --- 2008-05-17 10:03:59


Thank you so much for your time.
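The two logs above lend themselves to a little triage automation: the Deckard "Application Event Log" excerpt in the first post shows Event ID 1000 crashes for spools.exe, and the MBAM report in this post lists the same file among its detections together with the registry autostart locations the infection used. The following Python script is an added example for this thread; it is not part of Malwarebytes' Anti-Malware, ComboFix or Deckard's System Scanner, and the sample text embedded in it is a constructed excerpt modelled on the posted logs. It parses MBAM item lines, counts detections per threat family, maps registry entries to the autostart mechanism they abused (Winlogon Notify, BHO, ShellExecuteHooks, Run key, LSA Authentication Packages, service), flags items still marked "Delete on reboot", and cross-checks file detections against "Faulting application" event descriptions. The mechanism labels and helper names are this example's own.

```python
"""Triage helper for MBAM reports and DSS application-error excerpts.
Added example for this thread; not part of MBAM, ComboFix or DSS."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of an MBAM report, in the same line format as the posted one.
MBAM_SAMPLE = r"""
Memory Processes Infected:
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe (Rogue.WinAntivirus) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8801a534-01db-49e7-8520-46311c4d8a86} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00c9c12 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a85c9d2d (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxpfxop -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\byXPFXop.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\drivers\spools.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xpupdate.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
"""

# Constructed excerpt of the DSS "Application Event Log" section.
EVENTLOG_SAMPLE = """
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spools.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00001010.
"""

# "<item> (<threat>) -> <action>." ; data items carry an extra "-> Data: ..." segment.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
FAULT_RE = re.compile(r"^Faulting application (?P<app>[^,]+), version")

# Autostart locations seen in the posted log (lower-case substrings, first match wins).
PERSISTENCE = [
    ("winlogon\\notify\\", "Winlogon notification package"),
    ("browser helper objects\\", "IE browser helper object"),
    ("shellexecutehooks", "shell execute hook"),
    ("\\currentversion\\run\\", "Run key autostart"),
    ("authentication packages", "LSA authentication package"),
    ("\\services\\", "service"),
]


def parse_mbam(text):
    """Return one dict per detection line, tagged with its report section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:  # summary counters and the like are skipped
            continue
        action = m.group("rest").split("->")[-1].strip().rstrip(".")
        entries.append({"section": section, "item": m.group("item"),
                        "threat": m.group("threat"), "action": action,
                        "pending": action == "Delete on reboot"})
    return entries


def threat_counts(entries):
    """Detections per threat family, e.g. Trojan.Vundo vs. Rogue.WinAntivirus."""
    return Counter(e["threat"] for e in entries)


def persistence_points(entries):
    """Map each abused autostart location to the threat families found there."""
    hits = defaultdict(list)
    for e in entries:
        if not e["section"].startswith("Registry"):
            continue
        key = e["item"].lower()
        for needle, label in PERSISTENCE:
            if needle in key:
                hits[label].append(e["threat"])
                break
    return dict(hits)


def faulting_apps(text):
    """Basenames named in Event ID 1000 'Faulting application' descriptions."""
    return {m.group("app").strip().lower()
            for m in (FAULT_RE.match(l.strip()) for l in text.splitlines()) if m}


def crashed_detections(entries, faults):
    """File detections whose basename also shows up as a crashing application."""
    return sorted(e["item"] for e in entries
                  if e["section"] == "Files Infected"
                  and e["item"].rsplit("\\", 1)[-1].lower() in faults)


if __name__ == "__main__":
    found = parse_mbam(MBAM_SAMPLE)
    print(threat_counts(found))
    print(persistence_points(found))
    print("still pending reboot:", sum(e["pending"] for e in found))
    print("detections that also crashed:",
          crashed_detections(found, faulting_apps(EVENTLOG_SAMPLE)))
```

Items that come back as "Delete on reboot" are the ones worth re-checking in the next log, which is exactly why the helper asks for a fresh HijackThis log after the reboot; the persistence map makes it obvious that this infection sat in Winlogon Notify and the LSA Authentication Packages list, locations that survive a simple file deletion.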

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:38 AM

Posted 30 May 2008 - 04:11 AM

Hello WrathxP,

Could you upload some files please?
Can you zip the folder C:\Qoobox using WinZip (or a similar program) to Qoobox.zip and upload the zipped file to :

http://www.bleepingcomputer.com/submit-malware.php?channel=9

How?
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/t/149438/infected-with-winantiviruspro-other-spyware/
2. In the second window (Browse to the file you want to submit:) browse to the Qoobox.zip file
3. Click the Send file button
Then, clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
C:\WINDOWS\system32\wvUnOFXq.dll
C:\Documents and Settings\user\ftp34.dll
File::
C:\WINDOWS\system32\glsbbrxn.ini
C:\WINDOWS\system32\config\systemprofile\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32341E7E-C319-46DE-91D0-E30BB1A3CABA}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{32341E7E-C319-46DE-91D0-E30BB1A3CABA}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnOFXq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C9C12]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems?

Greetings,
Thunder

Edited by Thunder, 30 May 2008 - 04:12 AM.


#7 WrathxP

WrathxP
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 01 June 2008 - 12:51 PM

I have uploaded both the files correctly (I think.)

ComboFix Log:

ComboFix 08-05-29.1 - user 2008-06-01 10:31:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.244 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\LocalService\ftp34.dll
C:\WINDOWS\system32\config\systemprofile\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\glsbbrxn.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\user\ftp34.dll
C:\WINDOWS\system32\config\systemprofile\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\glsbbrxn.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 23:07 . 2008-05-31 23:07 871,602 --a------ C:\QooBox.zip
2008-05-29 11:21 . 2008-05-29 11:21 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-05-29 11:20 . 2008-05-29 11:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 11:20 . 2008-05-29 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 11:20 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 11:20 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 20:25 . 2008-05-28 20:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:25 . 2008-05-28 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 16:33 . 2008-05-28 16:33 <DIR> d-------- C:\Deckard
2008-05-04 10:40 . 2008-05-17 14:40 141,612 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 22:56 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2007-09-01 18:29 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-08-04 01:07 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_18.01.16.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 00:51:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 06:25:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 10:41 68856]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-03-17 19:50:26 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-20 13:27:00 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 02:20:40 233472]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-04-20 13:24:36 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2005-05-15 14:03:07 2392064]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe [2006-01-30 17:56:08 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\Program Files\\TurboPlayer\\TurboAgent.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 04:56:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2500 series#1108014577.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2500 series#1108014577
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 10:35:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 10:39:37
ComboFix-quarantined-files.txt 2008-06-01 17:38:30
ComboFix2.txt 2008-05-30 01:02:10

Pre-Run: 39,923,793,920 bytes free
Post-Run: 39,912,783,872 bytes free

102 --- E O F --- 2008-05-17 10:03:59


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:54 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} (NHNComicViewer Class) - http://cdn.naver.com/naver/comic/viewer/20...ComicViewer.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BBFD2D10-EC6E-4259-91D1-1E38C826E5E2} (Launcher Class) - http://app.gomtv.com/gomtv/gomtvx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5754 bytes

I have not had other problems. Thank you so much.

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:38 AM

Posted 01 June 2008 - 01:10 PM

Hello WrathxP,

Got the uploads fine, thank you :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if still present:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:38 AM

Posted 30 June 2008 - 05:02 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
