
Trojan.win32.monderc.gen; Trojan.adhammer + More


2 replies to this topic

#1 darksoujah

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:15 PM

Posted 11 July 2008 - 04:26 PM

Hello guys,

I'm going to post two problems, one with my friend's computer and one with mine. I've been trying to follow instructions I've seen in other posts, but something prevents me from doing those steps.

Case 1:
My friend installed a program which had a Trojan.Win32.Monderc.Gen virus on it, and after that everything went to hell. It had limited internet connectivity [disabled Mozilla Firefox, but Internet Explorer worked]: if we looked up ComboFix or HijackThis it would redirect us elsewhere, bringing only search results for those words but not letting us access the web link. Antivirus ads popped up; however, he foolishly downloaded it, which was called Anti-ocean virus or something... it had a picture of a wave on it. It kept saying there was a virus called Trojan.AdHammer and spyware called CoolWebSearch; however, he couldn't do anything unless he paid [fraud, I believe]. The USB port used to work, through which I transferred HJT and Combofix.exe, but neither would run. Task Manager was 'disabled by administrator', so I couldn't look at the processes that were running. I know it's not wise, but I just started Combofix.exe because it has fixed my computer many times, but it failed for the first time on my friend's computer. I don't know why, but watching the process... I saw the files that Combofix.exe started deleting were getting reduplicated while ComboFix was running, so it would continually have to re-delete the same files over and over. Since his parents got him a laptop after the virus incident, I was able to take his hard drive and put it in as a secondary drive on my computer so I could scan it; however, Zone Alarm found nothing, which disturbs me.... (my computer is also infected)... I was able to run HJT, but I had to rename Combofix.exe to make it work... Weird... so I let it wipe the computer of whatever seemed bad, which did uninstall the Anti-ocean virus protection program. I returned the hard drive because it wouldn't start up as a primary because of my motherboard, so I had to go back to his place and... poof. Still infected.

Case 2:
The computer I am on right now has internet connectivity issues and minor bugs and kinks... right now it just tried to shut down on me, but I did "shutdown -a" in the "Run..." box. Every time I turn on my computer for the first time of the day, I'm unable to connect to the internet. Mozilla Firefox does not start up, and ComboFix and HJT do not work. I have to restart 2-3 more times before everything is functional, but it's random and a spur of the moment thing. I would use LSPFix, but... I don't know what I'm doing, so I decided not to. Next day, it doesn't work again until I restart 2-3 more times. I end the processes that I don't know under my username and leave all the processes under 'System' or 'local network' alone. In addition, I've found "RoxWatch" and other programs from Roxio got on my computer; I don't know how, but I ended their processes as well. I've never installed a Roxio product, so yeah.

Here is a copy of my recent HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:35 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DotA Gaming Network\DotAClient.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0D1BDCAF-2330-0A99-810B-4B4091E3D8AB} - C:\WINDOWS\system32\xzuaedre.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F57480BD-B706-32BC-3BC1-CDA07A904B37} - C:\WINDOWS\system32\fcenbhnd.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Wfrmsrv] C:\WINDOWS\Wfrmsrv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\74kzzyy3.Default User\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\74kzzyy3.Default User\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.youtube.com
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus.net/download/ax/257/installer.exe
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093734108471
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148275796082
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab
O16 - DPF: {A4124121-2F0E-4132-A1DB-192F45CE7287} (BxLuncher Control) - http://boxgame.pdbox.co.kr/common/cab/BxLuncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13815 bytes

And here is a recent copy of my Combofix.exe log:
ComboFix 08-07-02.5 - David 2008-07-10 16:08:37.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT -7:00]
Running from: C:\Documents and Settings\David\Desktop\work.exe
* Resident AV is active


.

((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-02 15:52 . 2008-07-02 15:52 <DIR> d-------- C:\Documents and Settings\David\Application Data\DivX
2008-06-28 19:33 . 2008-06-28 19:33 <DIR> d-------- C:\Program Files\Outsim
2008-06-28 10:05 . 2008-06-28 10:05 540 --a------ C:\WINDOWS\system32\PDBootState
2008-06-20 10:41 . 2008-06-20 10:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-10 13:23 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 23:14 10,730,528 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-10 16:25 149,696 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-10 00:57 154,624 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-07-09 14:52 122,880 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-07-09 01:30 --------- d-----w C:\Program Files\Azureus
2008-07-09 01:30 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2008-07-08 16:18 117,760 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-07-03 05:59 93,678 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_00_16_04_small.dmp.zip
2008-07-03 05:59 92,944 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_22_53_46_small.dmp.zip
2008-07-03 05:59 91,259 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_22_53_38_small.dmp.zip
2008-07-03 05:59 90,350 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_00_15_49_small.dmp.zip
2008-07-03 05:59 90,249 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_22_54_00_small.dmp.zip
2008-07-03 05:59 86,369 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_00_00_25_small.dmp.zip
2008-07-03 05:59 85,281 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_00_08_39_small.dmp.zip
2008-07-03 05:59 78,303 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_00_16_43_small.dmp.zip
2008-07-03 05:59 76,534 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_00_15_34_small.dmp.zip
2008-07-03 05:59 17,646,054 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_07_02_14_48_17_full.dmp.zip
2008-07-03 05:53 5,850,112 ----a-w C:\WINDOWS\Internet Logs\xDB6C8.tmp
2008-07-03 05:53 5,850,112 ----a-w C:\WINDOWS\Internet Logs\xDB6C7.tmp
2008-07-03 05:53 134,144 ----a-w C:\WINDOWS\Internet Logs\xDB6C9.tmp
2008-07-02 07:15 5,850,112 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-07-02 07:08 3,227,418 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-30 00:12 396,800 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-06-29 02:35 --------- d-----w C:\Program Files\Image-Line
2008-06-28 07:56 --------- d-----w C:\Program Files\Warcraft III
2008-06-24 23:36 54,784 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-06-24 17:18 75,776 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-06-23 14:35 2,645,504 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:44 --------- d-----w C:\Documents and Settings\David\Application Data\AdobeUM
2008-06-10 01:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-05 20:30 --------- d-----w C:\Program Files\WinZix
2008-06-05 20:30 --------- d-----w C:\Program Files\DAEMON Tools SearchBar
2008-06-05 11:01 --------- d-----w C:\Documents and Settings\David\Application Data\MailFrontier
2008-05-26 02:54 3,823,104 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-26 02:54 2,821,120 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-11 21:52 --------- d-----w C:\Documents and Settings\David\Application Data\Apple Computer
2008-03-03 01:46 197 --sha-w C:\Program Files\Common Files\maxtreme.dat
2008-01-15 07:08 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2004-11-08 01:23 133,040 ----a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2002-10-04 22:09 204,800 ----a-w C:\WINDOWS\inf\FXPlugin.dll
2002-07-27 00:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2006-02-23 15:16 34,048 ----a-w C:\Program Files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 45,056 ----a-w C:\Program Files\mozilla firefox\plugins\upd62int.dll
2004-08-04 07:56 73,728 --sha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2004-09-07 08:37 56 --sh--r C:\WINDOWS\system32\5335E3FF98.sys
.

((((((((((((((((((((((((((((( snapshot_2008-07-09_17.55.00.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-10 00:35:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 22:51:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-10 00:39:57 152,512 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-10 22:56:18 152,744 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-10 00:39:57 641,268 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-10 22:56:18 641,884 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-07-10 00:37:26 614,192 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-07-10 22:52:40 614,192 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D1BDCAF-2330-0A99-810B-4B4091E3D8AB}]
2001-08-23 09:00 45056 --a------ C:\WINDOWS\system32\xzuaedre.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F57480BD-B706-32BC-3BC1-CDA07A904B37}]
2005-03-10 03:15 0 --a------ C:\WINDOWS\system32\fcenbhnd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 09:18 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2003-10-06 14:16 49152]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"Wfrmsrv"="C:\WINDOWS\Wfrmsrv.exe" [2003-09-30 17:09 329728]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-12-04 12:34 406016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 14:26 185896]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18 270648]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 16:54 65024 C:\WINDOWS\SOUNDMAN.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

C:\Documents and Settings\David\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-04 01:07:28 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-04 01:07:28 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-09 21:37:04 784912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2003-05-25 11:36:48 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"vidc.davc"= davcvfw.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"MSVideo"= ucdvfw.dll
"VIDC.XJPG"= camfc.dll
"VIDC.YV12"= xl_yv12.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=C:\WINDOWS\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 15:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-04-23 11:43 228088 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-12-05 16:06 1885464 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"D:\\sysreset\\mirc.exe"=
"C:\\Program Files\\VirtualDJ\\virtualdj.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys [2005-11-22 11:33]
R0 Hpt3xx;Hpt3xx;C:\WINDOWS\system32\drivers\Hpt3xx.sys [2001-10-18 02:37]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-21 23:14]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CAMTHWDM.sys [2008-03-11 06:14]
R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys [2005-11-22 11:33]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 00:53]
R2 PDSched;PDScheduler;"C:\Program Files\Raxco\PerfectDisk\PDSched.exe" [2005-11-29 11:16]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
S1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys []
S2 NetDDEdsma;Network DDE DSMA;"C:\WINDOWS\svchost.exe" []
S3 FilterService2;Canon BJ Hid Usb Filter Service2;C:\WINDOWS\system32\DRIVERS\bjhid2.sys [2003-06-17 02:43]
S3 FSCSPYCC;FSCSPYCC;C:\WINDOWS\system32\FSCSPY.SYS []
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\fide.sys [2006-02-08 13:55]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys [2001-08-17 05:12]
S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 14:10]
S3 OEMSTOR;USB Mass Storage;C:\WINDOWS\system32\DRIVERS\USBMSDk.SYS [2002-07-03 09:05]
S3 RapFile;RapFile;C:\WINDOWS\System32\drivers\RapFile.sys [2003-02-25 19:26]
S3 RapNet;RapNet;C:\WINDOWS\System32\drivers\RapNet.sys [2003-02-25 19:26]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2004-01-26 21:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b302fcf0-7ded-11d9-bfca-000d87a3b020}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b302fcf1-7ded-11d9-bfca-000d87a3b020}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure20.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 16:13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-10 16:19:30
ComboFix-quarantined-files.txt 2008-07-10 23:18:31
ComboFix2.txt 2008-07-02 07:28:39
ComboFix3.txt 2008-03-18 10:02:10
ComboFix4.txt 2008-03-12 04:04:15

Pre-Run: 13,721,759,744 bytes free
Post-Run: 13,690,748,928 bytes free

221 --- E O F --- 2008-07-09 14:52:35



Feel free to scream at me for using Combofix for every single computer problem I have.
Thanks a lot ^_^
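The two logs above are the raw material a removal helper reads first. As an added example (not part of this thread, and not code from HijackThis or ComboFix), the following Python script parses HijackThis item lines and the REGEDIT4-style "Reg Loading Points" fragment ComboFix prints, and flags the objective signals visible in these logs: unnamed BHOs loading from randomly named system32 DLLs, a service whose binary is missing or is an svchost.exe outside system32, and Security Center / firewall policy values set to silence the built-in protections. The sample lines are copied from the posted logs; the check names and thresholds are this example's own assumptions.

```python
"""Triage helpers for HijackThis v2 item lines and ComboFix reg fragments.

Added example; not part of the thread or of the HijackThis/ComboFix tools.
Sample input below is copied from the logs in the post above.
"""
import re

HJT_ITEM = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>.+)$')

# (substring of registry key, value name, setting that means "silenced").
# Chosen from the values printed in the ComboFix log; assumption of this example.
SILENCED = {
    ("security center", "AntiVirusDisableNotify", 1),
    ("security center", "AntiVirusOverride", 1),
    ("security center", "UpdatesDisableNotify", 1),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0),
}

# Constructed sample: a subset of the HijackThis lines posted above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0D1BDCAF-2330-0A99-810B-4B4091E3D8AB} - C:\WINDOWS\system32\xzuaedre.dll
O2 - BHO: (no name) - {F57480BD-B706-32BC-3BC1-CDA07A904B37} - C:\WINDOWS\system32\fcenbhnd.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed sample: a subset of the ComboFix "Reg Loading Points" section above.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, ignoring non-item lines."""
    items = []
    for line in text.splitlines():
        m = HJT_ITEM.match(line.strip())
        if m:
            items.append((m.group("kind"), m.group("body")))
    return items


def _last_field(body):
    # HJT joins description, CLSID and path with " - "; the path is the last field.
    return body.rsplit(" - ", 1)[-1].strip()


def triage_hjt(text):
    """Return (section, reasons, body) for items that merit a closer look."""
    findings = []
    for kind, body in parse_hjt(text):
        path = _last_field(body)
        reasons = []
        if kind == "O2" and "(no name)" in body and re.search(
                r"\\system32\\[a-z]{8}\.dll$", path, re.I):
            reasons.append("unnamed BHO from randomly named system32 DLL")
        if kind == "O23" and "(file missing)" in body:
            reasons.append("service registered but binary missing")
        if kind == "O23" and re.search(r"\\windows\\svchost\.exe\b", path, re.I):
            reasons.append("svchost.exe outside system32")
        if reasons:
            findings.append((kind, "; ".join(reasons), body))
    return findings


def _reg_int(val):
    # ComboFix prints DWORDs either as "dword:00000001" or as "1 (0x1)".
    val = val.strip()
    if val.startswith("dword:"):
        return int(val[6:], 16)
    try:
        return int(val.split()[0])
    except ValueError:
        return None


def find_silenced_protections(reg_text):
    """Return (key, name, value) for policy values that disable alerts or the firewall."""
    hits = []
    key = ""
    for line in reg_text.splitlines():
        k = REG_KEY.match(line.strip())
        if k:
            key = k.group("key").lower()
            continue
        v = REG_VAL.match(line.strip())
        if not v:
            continue
        value = _reg_int(v.group("val"))
        for key_part, name, bad in SILENCED:
            if key_part in key and v.group("name") == name and value == bad:
                hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    for kind, why, body in triage_hjt(HJT_SAMPLE):
        print(f"[{kind}] {why}: {body}")
    for key, name, value in find_silenced_protections(REG_SAMPLE):
        print(f"[REG] {name}={value} under {key}")
```

Run against the full posted logs, the HJT check reports the two unnamed BHOs and the NetDDEdsma service, and the registry check reports the three Security Center values plus the disabled standard-profile firewall.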


#2 chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 03 August 2008 - 05:11 AM

Hello darksoujah,

I apologise for the delay; the forum is too busy.

"Scream @ you, for running Combofix": you know you shouldn't use this tool, as it should only be used under supervision.

If you still need help, post a new HijackThis log, and describe any symptoms your pc has now.

Keep your friend's PC information for later. It needs another thread.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 08 August 2008 - 11:08 AM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Private Messages for personal support will be ignored. If you need help post in the forum.



