
Help With Spyware, I Am Unknown Of Type. Possibly Viruses.
16 replies to this topic

#1 ALL1ZE

ALL1ZE


Posted 05 August 2008 - 10:48 PM

Hello there, I need help with my computer. I'm running in safe mode right now, as when running in normal mode I have no access to Google or search engines. Although some sites work, the majority do not.
For instance, I search something in Google and it doesn't direct me to related sites; it just fails to search and load.
This just happened recently and I don't know what to do. I've had scans with Spyware Doctor and removed cookies and adware, but I'm not sure if there are more hidden files lurking in my computer.
Could you guys give me some suggestions on what to do?


I think my computer is infected with several viruses, and I need help in order to remove them.
When I start up my computer and check the processes in Task Manager, a program called 17PHolmes.exe, or something along those lines, keeps running. Sometimes there are two rundll32.exe running, or files called system32:fontload.exe.

Here's the DSS scan log.


_________________________________



Deckard's System Scanner v20071014.68
Run by MATTT on 2008-08-06 14:22:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as MATTT.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:30 PM, on 6/08/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\GRETECH\GomPlayer\GOM.exe
C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MATTT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: {b703e135-b7d0-c329-fd54-3dd592f8a6e2} - {2e6a8f29-5dd3-45df-923c-0d7b531e307b} - C:\WINDOWS\System32\gawghe.dll
O2 - BHO: (no name) - {8EA2049E-2FA7-496B-8BEC-42D7110E2123} - C:\WINDOWS\System32\khfEVLDv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 3.0\TosGbWatcher.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\System32\firewall.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Update32] C:\WINDOWS\System32:fontload.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d4bdd165] rundll32.exe "C:\WINDOWS\System32\efbchcep.dll",b
O4 - HKLM\..\Run: [BMd78ee2f9] Rundll32.exe "C:\WINDOWS\System32\lrjtwlmy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Orb] C:\Program Files\Winamp Remote\bin\OrbTray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LXCCCustomerConnect (iyijvu8i4yuaa6g1) - Unknown owner - C:\WINDOWS\System32\mrxnqardt.exe (file missing)
O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\NetMeeting\Netsh.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6067 bytes

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 13:33:58 0 d-------- C:\Program Files\Trend Micro
2008-08-06 11:57:06 46592 --a------ C:\WINDOWS\System32\iaiamqxj.exe
2008-08-06 11:56:59 81408 --a------ C:\WINDOWS\System32\efbchcep.dll
2008-08-06 11:54:06 96768 --a------ C:\WINDOWS\System32\gawghe.dll
2008-08-06 11:54:00 96768 --a------ C:\WINDOWS\System32\xhyrpgap.dll
2008-08-06 11:51:18 51200 --a------ C:\WINDOWS\System32\__c00BBFAB.dat
2008-08-06 11:51:15 51200 --a------ C:\WINDOWS\System32\wmeeedrv.dll
2008-08-06 11:51:00 90112 --a------ C:\WINDOWS\System32\lrjtwlmy.dll
2008-08-06 00:26:09 0 d-------- C:\Program Files\Alwil Software
2008-08-06 00:00:48 0 d--hs---- C:\WINDOWS\CSC
2008-08-05 11:47:49 12800 --a------ C:\WINDOWS\System32\yduyepnc.exe
2008-08-05 11:41:47 80384 --a------ C:\WINDOWS\System32\bogdyjeh.dll
2008-08-05 11:39:11 95744 --a------ C:\WINDOWS\System32\zqnzqy.dll
2008-08-05 08:31:24 51200 --a------ C:\WINDOWS\System32\efmwfnte.dll
2008-08-05 08:28:24 91648 --a------ C:\WINDOWS\System32\hsmagwad.dll
2008-08-05 07:21:57 478628 --ahs---- C:\WINDOWS\System32\vDLVEfhk.ini2
2008-08-05 07:21:36 0 d-------- C:\WINDOWS\resources
2008-08-05 01:01:33 246784 --a------ C:\WINDOWS\System32\khfEVLDv.dll
2008-07-24 21:02:08 0 --a------ C:\CDSETUP
2008-07-24 20:51:27 164352 --a------ C:\WINDOWS\System32\unrar.dll
2008-07-24 20:51:26 755027 --a------ C:\WINDOWS\System32\xvidcore.dll
2008-07-24 20:51:25 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-07-24 20:40:06 0 d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\vlc
2008-07-24 20:26:10 0 d-------- C:\Program Files\VideoLAN
2008-07-24 05:54:18 58368 --a------ C:\WINDOWS\mrofinu1001186.exe
2008-07-17 09:12:19 0 d-------- C:\Converted Music
2008-07-07 00:10:17 0 d-------- C:\Program Files\Warcraft III


-- Find3M Report ---------------------------------------------------------------

2008-08-06 14:17:22 0 d-------- C:\Program Files\Spyware Doctor
2008-08-06 02:45:43 0 d-------- C:\Program Files\Windows NT
2008-08-06 02:45:16 0 d-------- C:\Program Files\Winamp
2008-08-06 02:42:44 0 d-------- C:\Program Files\VentriloMIX
2008-08-06 02:42:34 0 d-------- C:\Program Files\Ventrilo
2008-08-06 02:42:12 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-08-06 02:38:47 0 d-------- C:\Program Files\Paltalk Messenger Interop
2008-08-06 02:31:08 0 d-------- C:\Program Files\Movie Maker
2008-08-06 02:31:08 0 d-------- C:\Program Files\mIRC
2008-08-06 02:28:58 0 d-------- C:\Program Files\Messenger
2008-08-06 02:28:21 0 d-------- C:\Program Files\htwrycyy
2008-08-06 02:28:20 0 d---s---- C:\Program Files\HLSW
2008-08-06 02:27:17 0 d-------- C:\Program Files\E404 Helper
2008-08-06 02:26:54 0 d-------- C:\Program Files\D-Tools
2008-08-06 02:25:20 0 d--h----- C:\Program Files\Common Files\Carlson
2008-08-06 02:21:29 0 d-------- C:\Program Files\7-Zip
2008-08-05 21:09:08 0 d-------- C:\Program Files\My Music
2008-08-05 18:54:10 0 d-------- C:\Program Files\Steam
2008-08-05 18:53:05 0 d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\mIRC
2008-08-05 18:03:31 0 d-------- C:\Program Files\Messenger Plus! Live
2008-07-26 19:04:26 0 d-------- C:\Program Files\people
2008-07-26 16:11:25 0 d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Winamp
2008-06-17 17:29:59 0 d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Mozilla
2008-06-16 16:29:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-16 16:23:02 0 d-------- C:\Program Files\Veoh Networks
2008-06-11 23:23:25 28160 --ahs---- C:\Program Files\Thumbs.db


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e6a8f29-5dd3-45df-923c-0d7b531e307b}]
06/08/2008 11:54 AM 96768 --a------ C:\WINDOWS\System32\gawghe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA2049E-2FA7-496B-8BEC-42D7110E2123}]
05/08/2008 01:01 AM 246784 --a------ C:\WINDOWS\System32\khfEVLDv.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [14/12/2007 02:49 AM 1185120]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [09/03/2006 03:29 PM]
"nwiz"="nwiz.exe" [09/03/2006 03:29 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [09/03/2006 03:29 PM]
"TosGbWatcher"="C:\Program Files\TOSHIBA\gigabeat room 3.0\TosGbWatcher.exe" []
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" []
"Windows Network Firewall"="C:\WINDOWS\System32\firewall.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 08:06 AM C:\WINDOWS\AGRSMMSG.exe]
"Cmaudio"="cmicnfg.cpl" []
"Update32"="C:\WINDOWS\System32:fontload.exe" [06/08/2008 02:21 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/04/2008 03:14 PM]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [20/07/2008 12:38 AM]
"d4bdd165"="C:\WINDOWS\System32\efbchcep.dll" [06/08/2008 11:57 AM]
"BMd78ee2f9"="C:\WINDOWS\System32\lrjtwlmy.dll" [06/08/2008 11:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [23/08/2001 10:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" []
"@"="" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\khfEVLDv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DED7BEAD-FDF7-D38A-AF85-CA7812B51652}]
C:\WINDOWS\System32:fontload.exe



-- End of Deckard's System Scanner: finished at 2008-08-06 14:23:39 ------------

Edited by ALL1ZE, 05 August 2008 - 11:45 PM.
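A small triage helper for HijackThis-style logs like the one above, added here as an example (it is not code from the thread or from any of the tools named in it). The sample lines are copied from the posted log; the three checks are assumed heuristics that flag entries for manual review, not verdicts.

```python
"""Triage helper for HijackThis-style O4 (autorun) and O23 (service) lines.

Checks a few points a responder looks for when reading such a log:
  * an autorun target that is an NTFS alternate data stream (ADS),
    e.g. C:\\WINDOWS\\System32:fontload.exe (stream on a directory);
  * rundll32 Run entries that load a DLL by quoted path and call a
    one-letter export, the pattern visible in the posted log;
  * O23 services with an unknown owner whose binary is missing.
"""
import re

# Constructed sample: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Update32] C:\WINDOWS\System32:fontload.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d4bdd165] rundll32.exe "C:\WINDOWS\System32\efbchcep.dll",b
O4 - HKLM\..\Run: [BMd78ee2f9] Rundll32.exe "C:\WINDOWS\System32\lrjtwlmy.dll",s
O23 - Service: LXCCCustomerConnect (iyijvu8i4yuaa6g1) - Unknown owner - C:\WINDOWS\System32\mrxnqardt.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# The drive-letter colon is allowed; any later colon in the path denotes a stream.
ADS_RE = re.compile(r'^[A-Za-z]:\\[^:\s"]*:[^\\\s"]+$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"(?P<dll>[^"]+)",(?P<export>\S+)$', re.IGNORECASE)


def is_ads_path(path: str) -> bool:
    """True when a Windows path names an alternate data stream (file-or-dir:stream)."""
    return bool(ADS_RE.match(path.strip().strip('"')))


def triage(log_text: str) -> list:
    """Return (line, reason) tuples for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if is_ads_path(cmd):
                findings.append((line, "autorun target is an NTFS alternate data stream"))
                continue
            r = RUNDLL_RE.match(cmd)
            if r and len(r.group("export")) == 1:
                findings.append((line, "rundll32 loads quoted DLL with one-letter export"))
            continue
        m = O23_RE.match(line)
        if m and "unknown owner" in m.group("owner").lower() and "(file missing)" in m.group("path"):
            findings.append((line, "service with unknown owner and missing binary"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```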


#2 Thunder

Thunder


Posted 07 August 2008 - 11:35 AM

Hello ALL1ZE and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to Start > Run, type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 ALL1ZE

ALL1ZE

Posted 07 August 2008 - 11:54 PM

Where do I do this? Is it once I've installed the program, afterwards in the folder, or during installation?

*Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.



#4 ALL1ZE

ALL1ZE

Posted 08 August 2008 - 01:14 AM

dw, I figured it out :)

Anyway, while I was using the malware scanner thing, it finished, and by the time I was about to save the log file my computer restarted.
Although I still have the ComboFix log file and the HijackThis log.

Thank you very much for your help; my computer seems back to normal now, and my internet is working fine too :)

If there's anything more that I have to do to ensure I don't get infected, please tell me.
THANKS THUNDER, LOVE YA :thumbsup:


____________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:26 PM, on 8/08/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LXCCCustomerConnect (iyijvu8i4yuaa6g1) - Unknown owner - C:\WINDOWS\System32\mrxnqardt.exe (file missing)
O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\NetMeeting\Netsh.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4898 bytes

__________


ComboFix 08-08-07.05 - MATTT 2008-08-08 15:49:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.285 [GMT 10:00]
Running from: C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Desktop\WinXP_EN_PRO_BF.EXE
* Created a new restore point
.
ADS - system32: deleted 6258 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\macromedia\Flash Player\#SharedObjects\VB25B357\interclick.com
C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\macromedia\Flash Player\#SharedObjects\VB25B357\interclick.com\ud.sol
C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\matttt\Desktop\Live Safety Center.lnk
C:\Documents and Settings\matttt\Favorites\Online Security Guide.lnk
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\WINDOWS\mrofinu1001186.exe.tmp
C:\WINDOWS\system32\efmwfnte.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\sjndysoq.dll
C:\WINDOWS\system32\system\
C:\WINDOWS\system32\wmeeedrv.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-08 15:56 . 2008-08-08 15:56 24,573 --a------ C:\WINDOWS\mrofinu.exe.bin
2008-08-08 15:44 . 2008-08-08 15:44 58,368 --a------ C:\WINDOWS\mrofinu1001186.exe
2008-08-08 14:59 . 2008-08-08 14:59 <DIR> d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Malwarebytes
2008-08-08 14:58 . 2008-08-08 14:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 14:58 . 2008-08-08 14:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-08 14:58 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-08 14:58 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-08 12:00 . 2008-08-08 12:00 1,972 --a------ C:\WINDOWS\system32\jijumylx.dll
2008-08-07 11:58 . 2008-08-07 11:58 1,972 --a------ C:\WINDOWS\system32\bugihgvx.dll
2008-08-07 00:59 . 2008-08-07 21:51 16,384 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-08-06 13:33 . 2008-08-06 13:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-06 13:30 . 2008-08-06 13:30 <DIR> d-------- C:\Deckard
2008-08-06 00:26 . 2008-08-06 00:26 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-05 07:21 . 2008-08-05 07:21 <DIR> d-------- C:\WINDOWS\resources
2008-07-24 21:02 . 2008-07-24 21:02 0 --a------ C:\CDSETUP
2008-07-24 20:51 . 2008-07-24 20:51 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-24 20:51 . 2008-01-10 13:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-07-24 20:51 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-07-24 20:40 . 2008-07-24 20:40 <DIR> d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\vlc
2008-07-24 20:26 . 2008-07-24 20:26 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-17 09:12 . 2008-07-17 09:12 <DIR> d-------- C:\Converted Music
2008-07-11 22:26 . 2008-07-11 22:26 244 --ah----- C:\sqmnoopt04.sqm
2008-07-11 22:26 . 2008-07-11 22:26 232 --ah----- C:\sqmdata04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 05:58 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-08-08 05:44 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-08 04:14 --------- d-----w C:\Program Files\Steam
2008-08-07 14:40 --------- d-----w C:\Program Files\Winamp
2008-08-07 14:38 --------- d-----w C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Winamp
2008-08-05 16:44 --------- d-----w C:\Program Files\Warcraft III
2008-08-05 16:42 --------- d-----w C:\Program Files\VentriloMIX
2008-08-05 16:42 --------- d-----w C:\Program Files\Ventrilo
2008-08-05 16:42 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-05 16:38 --------- d-----w C:\Program Files\Real Alternative
2008-08-05 16:38 --------- d-----w C:\Program Files\Paltalk Messenger Interop
2008-08-05 16:31 --------- d-----w C:\Program Files\mIRC
2008-08-05 16:28 --------- d-s---w C:\Program Files\HLSW
2008-08-05 16:28 --------- d-----w C:\Program Files\htwrycyy
2008-08-05 16:26 --------- d-----w C:\Program Files\D-Tools
2008-08-05 16:21 --------- d-----w C:\Program Files\7-Zip
2008-08-05 11:09 --------- d-----w C:\Program Files\My Music
2008-08-05 10:26 65,536 ----a-w C:\WINDOWS\DUMPb958.tmp
2008-08-05 08:53 --------- d-----w C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\mIRC
2008-08-05 08:03 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-26 09:04 --------- d-----w C:\Program Files\people
2008-07-12 17:09 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-06-16 06:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 06:23 --------- d-----w C:\Program Files\Veoh Networks
2008-06-11 13:23 28,160 --sha-w C:\Program Files\Thumbs.db
2007-10-30 09:51 784 ----a-w C:\Documents and Settings\matttt\Application Data\mpauth.dat
2001-11-23 01:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2001-08-23 22:00 57344 a8b10cffccfbaeba07a965f0834589cf C:\WINDOWS\system32\svchost.exe
2001-08-23 22:00 56832 e8721b4e032aba8438826dab07d1f62c C:\WINDOWS\system32\dllcache\svchost.exe

2001-08-23 22:00 1011712 aa54bbd298e6a55d3acc8cbb9e6dafd0 C:\WINDOWS\explorer.exe
2001-08-23 22:00 1012224 a36ed38fbf6e7e6d4647bf5f2c23b724 C:\WINDOWS\system32\dllcache\explorer.exe

2001-08-23 22:00 24064 bd5008fcee9fd908778f5b6b40478eac C:\WINDOWS\system32\ctfmon.exe
2001-08-23 22:00 90624 e831da8b586d30123017bfd1dad572c9 C:\WINDOWS\system32\dllcache\ctfmon.exe

2001-08-23 22:00 127488 937f393a314c73ff4386243b0ac0d791 C:\WINDOWS\system32\spoolsv.exe
2001-08-23 22:00 95232 fe7818ebe61ea3740fae383200aa5268 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 22:00 24064]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 15:29 7561216]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 15:29 86016]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-20 00:38 78008]
"nwiz"="nwiz.exe" [2006-03-09 15:29 1564672 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 08:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-23 22:00 24064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 Spssys;Toshiba SPS Service;C:\WINDOWS\System32\drivers\spssys.sys [2004-05-07 20:56]
R0 UNPR;UNPR;C:\WINDOWS\System32\unpr.sys [2007-11-16 15:19]
R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-07-20 00:35]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
S2 iyijvu8i4yuaa6g1;LXCCCustomerConnect;C:\WINDOWS\System32\mrxnqardt.exe []
S2 NetCM;Network Connection Manager;C:\Program Files\NetMeeting\Netsh.exe []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DED7BEAD-FDF7-D38A-AF85-CA7812B51652}]
C:\WINDOWS\System32:fontload.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Orb - C:\Program Files\Winamp Remote\bin\OrbTray.exe
HKLM-Run-TosGbWatcher - C:\Program Files\TOSHIBA\gigabeat room 3.0\TosGbWatcher.exe
HKLM-Run-AdaptecDirectCD - C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
HKLM-Run-Windows Network Firewall - C:\WINDOWS\System32\firewall.exe
HKLM-Run-DAEMON Tools-1033 - C:\Program Files\D-Tools\daemon.exe
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Mozilla\Firefox\Profiles\28m9t2aa.default\
FF -: plugin - C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Mozilla\Firefox\Profiles\28m9t2aa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\VideoEgg\Loader\4665\npvideoegg-loader.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 15:59:01
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-08 16:04:06
ComboFix-quarantined-files.txt 2008-08-08 06:02:53

Pre-Run: 5,849,903,104 bytes free
Post-Run: 6,594,338,816 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

162 --- E O F --- 2008-01-17 00:32:11

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:05 AM

Posted 08 August 2008 - 04:26 PM

Hello ALL1ZE,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:
Collect::[9]
C:\WINDOWS\system32\jijumylx.dll
C:\WINDOWS\system32\bugihgvx.dll
C:\WINDOWS\System32\fontload.exe
Rootkit::
C:\WINDOWS\System32\unpr.sys
C:\WINDOWS\system32\drivers\pctfw2.sys
File::
C:\WINDOWS\mrofinu.exe.bin
C:\WINDOWS\mrofinu1001186.exe
Driver::
UNPR
pctfw2
iyijvu8i4yuaa6g1
NetCM
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DED7BEAD-FDF7-D38A-AF85-CA7812B51652}]

Save this as text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#6 ALL1ZE

ALL1ZE
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:05 PM

Posted 10 August 2008 - 04:41 PM

What do I do if a file called pv.cfexe tries to open? I don't have a program that opens that format.

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:05 AM

Posted 11 August 2008 - 04:16 AM

Hello ALL1ZE,

Please make sure avast! isn't trying to block ComboFix !

pv.cfexe is part of ComboFix, so you have to allow it to open so ComboFix can run properly. :thumbsup:

Greetings,
Thunder

#8 ALL1ZE

ALL1ZE
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:05 PM

Posted 12 August 2008 - 03:44 AM

Seems like I'm having more problems.
All these files with the .tmp format are in C:\ and I'm wondering if they're legit files. Also, multiple processes of the same program are on at the same time,
such as 6 "services.exe" running and 7 "svchost.exe". My computer lagged and didn't retrieve a log.
I only got hold of a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:43, on 2008-08-12
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\neos.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\neos.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {C30EC979-E8FA-4F43-97F6-F1EEF452DEB0} - C:\WINDOWS\System32\adsn.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F301BF-803F-4B75-B187-C8F16849ABD4}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{B874F444-F8AF-44F5-AE57-598F418B76FC}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7744BA7-B1D9-44F8-88AC-91544C3A88C5}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{F38C73CC-6415-4BBF-8B85-00D9D32FA511}: NameServer = 4.2.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5181 bytes

Edited by ALL1ZE, 12 August 2008 - 03:45 AM.
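
As an added example (not code from ComboFix, HijackThis or any poster in this thread), the following Python script shows how the three kinds of evidence visible in the logs posted here can be checked offline: a system file whose Sigcheck MD5 differs from its dllcache copy and is newer than it, a Userinit value with a program appended after userinit.exe, and paths that name an NTFS alternate data stream (a second colon, as in System32:fontload.exe or svchost.exe:exe.exe). The rules and thresholds are the author's assumptions; the sample lines are constructed from entries quoted in the thread.

```python
"""Offline triage of log formats posted in this thread: ComboFix's Sigcheck
section and HijackThis / ComboFix registry lines. Added example, not code from
ComboFix, HijackThis or any poster; every rule here is an assumption and the
sample lines are constructed from entries quoted in the thread."""
import re
from datetime import datetime
from typing import List, Tuple

# --- Sigcheck: live system file vs. its dllcache copy ----------------------
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+)$")

# Constructed from the Sigcheck block of a ComboFix log in this thread.
SIGCHECK_SAMPLE = r"""
2008-08-13 03:25 57344 a8b10cffccfbaeba07a965f0834589cf C:\WINDOWS\system32\svchost.exe
2001-08-23 22:00 56832 e8721b4e032aba8438826dab07d1f62c C:\WINDOWS\system32\dllcache\svchost.exe
2001-08-23 22:00 1011712 aa54bbd298e6a55d3acc8cbb9e6dafd0 C:\WINDOWS\explorer.exe
2001-08-23 22:00 1012224 a36ed38fbf6e7e6d4647bf5f2c23b724 C:\WINDOWS\system32\dllcache\explorer.exe
"""


def parse_sigcheck(text: str) -> List[Tuple[str, datetime, int, str]]:
    """Return (path, timestamp, size, md5) for every well-formed Sigcheck line."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            rows.append((m.group(4), datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                         int(m.group(2)), m.group(3).lower()))
    return rows


def sigcheck_mismatches(text: str) -> List[Tuple[str, str, str]]:
    """Flag a live file whose MD5 differs from its dllcache copy AND whose
    timestamp is newer. A differing hash alone is not a finding: in the same
    log the explorer.exe pair differs too while both copies keep the 2001
    install date, whereas svchost.exe was rewritten on the day of the infection."""
    rows = parse_sigcheck(text)
    cache = {p.rsplit("\\", 1)[-1].lower(): (ts, md5)
             for p, ts, _, md5 in rows if "\\dllcache\\" in p.lower()}
    flagged = []
    for path, ts, _, md5 in rows:
        if "\\dllcache\\" in path.lower():
            continue
        hit = cache.get(path.rsplit("\\", 1)[-1].lower())
        if hit and md5 != hit[1] and ts > hit[0]:
            flagged.append((path, md5, hit[1]))
    return flagged


# --- Userinit: HijackThis F2 line or REGEDIT4 value --------------------------
F2_SAMPLE = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"


def userinit_extras(line: str) -> List[str]:
    """Winlogon runs every comma-separated program in Userinit at logon, so
    anything besides the stock userinit.exe is a persistence entry (the logs in
    this thread show ntos.exe appended). Accepts the HijackThis F2 form and the
    REGEDIT4 form with doubled backslashes."""
    value = line.split("=", 1)[-1].strip().strip('"')
    programs = [p.strip().replace("\\\\", "\\") for p in value.split(",") if p.strip()]
    return [p for p in programs if not p.lower().endswith("\\userinit.exe")]


# --- NTFS alternate data streams named in paths ------------------------------
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\[\];]+')

# Constructed from registry, service and catchme lines in this thread.
ADS_SAMPLE = [
    r"C:\WINDOWS\System32:fontload.exe",
    r'"ImagePath"="C:\WINDOWS\System32\svchost.exe:exe.exe"',
    r"S2 FCI;FCI;C:\WINDOWS\System32\svchost.exe:exe.exe [2008-08-13 03:25]",
    r"R0 Spssys;Toshiba SPS Service;C:\WINDOWS\System32\drivers\spssys.sys [2004-05-07 20:56]",
]


def ads_paths(lines) -> List[str]:
    """Return each distinct path written as file:stream or directory:stream.
    A normal path has exactly one colon (after the drive letter); a second one
    names an alternate data stream, which Explorer and a plain dir do not show."""
    found = {}
    for line in lines:
        for path in PATH_RE.findall(line):
            if ":" in path[2:]:
                found.setdefault(path, None)
    return list(found)


def triage() -> dict:
    """Run all three checks over the constructed samples."""
    return {"sigcheck": sigcheck_mismatches(SIGCHECK_SAMPLE),
            "userinit": userinit_extras(F2_SAMPLE),
            "ads": ads_paths(ADS_SAMPLE)}


if __name__ == "__main__":
    for section, findings in triage().items():
        print(section)
        for finding in findings:
            print("   ", finding)
```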


#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:05 AM

Posted 12 August 2008 - 11:03 AM

Hello ALL1ZE,

Seems like you already caught some additional malware.
That may have something to do with the fact that you never installed the Windows Security Packs 1 & 2 :thumbsup:
Let's do it another way :

Save this as a text file on your desktop, or print it, because upon rebooting in safe mode, you won't be able to take a look here !!

Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Then drag this CFScript on ComboFix :

Open Notepad - don't use any other text editor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:
Collect::[9]
C:\WINDOWS\System32\adsn.dll
C:\WINDOWS\system32\jijumylx.dll
C:\WINDOWS\system32\bugihgvx.dll
C:\WINDOWS\System32\fontload.exe
File::
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
Rootkit::
C:\WINDOWS\System32\unpr.sys
C:\WINDOWS\system32\drivers\pctfw2.sys
File::
C:\WINDOWS\mrofinu.exe.bin
C:\WINDOWS\mrofinu1001186.exe
Driver::
UNPR
pctfw2
iyijvu8i4yuaa6g1
NetCM
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DED7BEAD-FDF7-D38A-AF85-CA7812B51652}]

Save this as text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Greetings,
Thunder

#10 ALL1ZE

ALL1ZE
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:05 PM

Posted 12 August 2008 - 09:55 PM

Hey, I've done it, still having a bit of problems. I couldn't send the submit_time_.rar to the site, possibly because of lag issues? I'm not sure if it reached you.

Here I attached the file, the Submit_time_.rar thing, for you for analysis/investigation. Mind the trouble.

----------------------------------------------------------------------------------------------------------------------------------------------------------

Here's the ComboFix log.


ComboFix 08-08-10.06 - MATTT 2008-08-13 3:17:16.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.320 [GMT 10:00]
Running from: C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\mrofinu.exe.bin
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
.
ADS - svchost.exe: deleted 39936 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6.tmp
C:\7.tmp
C:\B.tmp
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\System32\adsn.dll
C:\WINDOWS\system32\back.exe.exe
C:\WINDOWS\system32\drivers\pctfw2.sys
c:\windows\system32\Drivers\Winej72.sys
C:\WINDOWS\system32\drivers\Xinu50.sys
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\system\
C:\WINDOWS\System32\unpr.sys
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wsnpoem
.
---- Previous Run -------
.
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\comsna.dll
C:\WINDOWS\system32\drivers\Tymj58.sys
C:\WINDOWS\system32\drivers\Winch50.sys
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\system\
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\temp\1.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_TYMJ58
-------\Legacy_WINCH50
-------\Service_FCI
-------\Service_Tymj58
-------\Service_Winch50
-------\Legacy_PCTFW2
-------\Legacy_WINEJ72
-------\Legacy_XINU50
-------\Service_pctfw2
-------\Service_Winej72
-------\Service_Xinu50


((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-13 03:25 . 2008-08-13 03:24 46,592 --a------ C:\WINDOWS\services.exe
2008-08-13 03:25 . 40 C:\WINDOWS\file.bat
2008-08-13 03:24 . 2008-08-13 03:24 172,032 --a------ C:\A.tmp
2008-08-13 03:24 . 2008-08-13 03:24 70,144 --a------ C:\9.tmp
2008-08-13 03:24 . 2008-08-13 03:24 49,664 --a------ C:\7.tmp
2008-08-13 03:24 . 2008-08-13 03:24 44,544 --a------ C:\WINDOWS\mrofinu1001186.exe
2008-08-13 03:24 . 2008-08-13 03:25 44,032 --a------ C:\E.tmp
2008-08-13 03:24 . 2008-08-13 03:24 30,720 --a------ C:\6.tmp
2008-08-13 03:24 . 2008-08-13 03:24 8,192 --a------ C:\B.tmp
2008-08-13 03:24 . 2008-08-13 03:25 18 --a------ C:\F.tmp
2008-08-12 20:02 . 2008-08-12 20:02 43,520 --a------ C:\WINDOWS\system32\drivers\39lmf.exe
2008-08-12 19:30 . 2008-08-12 19:30 43,520 --a------ C:\WINDOWS\system32\drivers\706lmf.exe
2008-08-12 18:51 . 2008-08-12 18:51 76,800 --a------ C:\WINDOWS\system32\drivers\513lmf.exe
2008-08-12 18:32 . 2008-08-12 18:32 43,520 --a------ C:\WINDOWS\system32\drivers\461lmf.exe
2008-08-12 18:29 . 2008-08-12 18:29 87,552 --a------ C:\10.tmp
2008-08-12 18:29 . 2008-08-13 03:25 84,480 --a------ C:\WINDOWS\neos.exe
2008-08-12 18:29 . 2008-08-13 03:27 49,839 --a------ C:\WINDOWS\crock+mock.config
2008-08-12 18:29 . 2008-08-12 18:29 0 --a------ C:\11.tmp
2008-08-12 18:28 . 2008-08-12 18:28 66,560 --a------ C:\8.tmp
2008-08-12 18:28 . 2008-08-12 18:29 44,032 --a------ C:\C.tmp
2008-08-12 18:28 . 2008-08-12 18:29 18 --a------ C:\D.tmp
2008-08-12 16:37 . 2008-08-12 16:37 43,520 --a------ C:\WINDOWS\system32\drivers\993lmf.exe
2008-08-12 16:15 . 2008-08-12 16:15 29 --a------ C:\WINDOWS\system32\yyydhhhu.tmp
2008-08-12 16:14 . 2008-08-12 16:14 87,552 --a------ C:\22.tmp
2008-08-12 16:14 . 2008-08-12 16:14 66,560 --a------ C:\1A.tmp
2008-08-12 16:14 . 2008-08-12 16:14 49,664 --a------ C:\19.tmp
2008-08-12 16:14 . 2008-08-12 16:14 44,032 --a------ C:\1E.tmp
2008-08-12 16:14 . 2008-08-12 16:14 15,360 --a------ C:\18.tmp
2008-08-12 16:14 . 2008-08-12 16:14 8,192 --a------ C:\1D.tmp
2008-08-12 16:14 . 2008-08-12 16:14 18 --a------ C:\1F.tmp
2008-08-12 16:14 . 2008-08-12 16:14 0 --a------ C:\23.tmp
2008-08-12 16:14 . 2008-08-12 16:14 0 --a------ C:\20.tmp
2008-08-08 14:59 . 2008-08-08 14:59 <DIR> d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Malwarebytes
2008-08-08 14:58 . 2008-08-08 14:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 14:58 . 2008-08-08 14:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-08 14:58 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-08 14:58 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 00:59 . 2008-08-07 21:51 16,384 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-08-06 13:33 . 2008-08-06 13:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-06 13:30 . 2008-08-06 13:30 <DIR> d-------- C:\Deckard
2008-08-06 00:26 . 2008-08-06 00:26 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-05 07:21 . 2008-08-05 07:21 <DIR> d-------- C:\WINDOWS\resources
2008-07-24 21:02 . 2008-07-24 21:02 0 --a------ C:\CDSETUP
2008-07-24 20:51 . 2008-07-24 20:51 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-24 20:51 . 2008-01-10 13:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-07-24 20:51 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-07-24 20:40 . 2008-07-24 20:40 <DIR> d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\vlc
2008-07-24 20:26 . 2008-07-24 20:26 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-17 09:12 . 2008-07-17 09:12 <DIR> d-------- C:\Converted Music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 17:26 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-08-12 17:25 87,552 ----a-w C:\WINDOWS\system32\CcEvtSvc.exe
2008-08-12 17:25 84,480 ----a-w C:\WINDOWS\system32\back.exe.exe
2008-08-12 17:25 57,344 ----a-w C:\WINDOWS\system32\svchost.exe
2008-08-12 17:25 308,736 ----a-w C:\WINDOWS\system32\alt.exe.exe
2008-08-12 17:25 123,904 ----a-w C:\WINDOWS\system32\drivers\docker19.sys
2008-08-12 17:24 30,848 ----a-w C:\WINDOWS\system32\drivers\Rwc26.sys
2008-08-12 15:43 --------- d-----w C:\Program Files\Steam
2008-08-12 09:57 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-10 07:43 --------- d-----w C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\mIRC
2008-08-07 14:40 --------- d-----w C:\Program Files\Winamp
2008-08-07 14:38 --------- d-----w C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Winamp
2008-08-05 16:44 --------- d-----w C:\Program Files\Warcraft III
2008-08-05 16:42 --------- d-----w C:\Program Files\VentriloMIX
2008-08-05 16:42 --------- d-----w C:\Program Files\Ventrilo
2008-08-05 16:42 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-05 16:38 --------- d-----w C:\Program Files\Real Alternative
2008-08-05 16:38 --------- d-----w C:\Program Files\Paltalk Messenger Interop
2008-08-05 16:31 --------- d-----w C:\Program Files\mIRC
2008-08-05 16:28 --------- d-s---w C:\Program Files\HLSW
2008-08-05 16:28 --------- d-----w C:\Program Files\htwrycyy
2008-08-05 16:26 --------- d-----w C:\Program Files\D-Tools
2008-08-05 16:21 --------- d-----w C:\Program Files\7-Zip
2008-08-05 11:09 --------- d-----w C:\Program Files\My Music
2008-08-05 10:26 65,536 ----a-w C:\WINDOWS\DUMPb958.tmp
2008-08-05 08:03 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-26 09:04 --------- d-----w C:\Program Files\people
2008-07-12 17:09 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-06-16 06:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 06:23 --------- d-----w C:\Program Files\Veoh Networks
2008-06-11 13:23 28,160 --sha-w C:\Program Files\Thumbs.db
2007-10-30 09:51 784 ----a-w C:\Documents and Settings\matttt\Application Data\mpauth.dat
2001-11-23 01:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2008-08-13 03:25 57344 a8b10cffccfbaeba07a965f0834589cf C:\WINDOWS\system32\svchost.exe
2001-08-23 22:00 56832 e8721b4e032aba8438826dab07d1f62c C:\WINDOWS\system32\dllcache\svchost.exe

2001-08-23 22:00 1011712 aa54bbd298e6a55d3acc8cbb9e6dafd0 C:\WINDOWS\explorer.exe
2001-08-23 22:00 1012224 a36ed38fbf6e7e6d4647bf5f2c23b724 C:\WINDOWS\system32\dllcache\explorer.exe

2001-08-23 22:00 24064 bd5008fcee9fd908778f5b6b40478eac C:\WINDOWS\system32\ctfmon.exe
2001-08-23 22:00 90624 e831da8b586d30123017bfd1dad572c9 C:\WINDOWS\system32\dllcache\ctfmon.exe

2001-08-23 22:00 127488 937f393a314c73ff4386243b0ac0d791 C:\WINDOWS\system32\spoolsv.exe
2001-08-23 22:00 95232 fe7818ebe61ea3740fae383200aa5268 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{536FAE7E-ECDE-4A74-AC07-17E7B9E5455E}]
2001-08-23 22:00 91648 --a------ C:\WINDOWS\System32\avicap3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sample Shell Icon Overlay Identifier]
@="{EA3775F2-28BE-11D3-9C8D-00105A24ED29}"
[HKEY_CLASSES_ROOT\CLSID\{EA3775F2-28BE-11D3-9C8D-00105A24ED29}]
2008-08-13 03:24 27648 --a------ C:\WINDOWS\temp\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 22:00 24064]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 15:29 7561216]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 15:29 86016]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [2008-08-13 03:24 44544]
"services"="C:\WINDOWS\services.exe" [2008-08-13 03:24 46592]
"PromoReg"="C:\WINDOWS\system32\alt.exe.exe" [2008-08-13 03:25 308736]
"nwiz"="nwiz.exe" [2006-03-09 15:29 1564672 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 08:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-23 22:00 24064]
"neos"="C:\WINDOWS\neos.exe" [2008-08-13 03:25 84480]
"Skra"="C:\Program Files\Skra\Skra.exe" [2008-08-13 03:36 46076]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rwc26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winej72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\notepad.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"= C:\\Program Files\\MSN Messenger\\msnmsgr.exe
"C:\\Program Files\\WinRAR\\WinRAR.exe"=
"C:\\WINDOWS\\explorer.exe"=

R0 Rwc26;Rwc26;C:\WINDOWS\System32\Drivers\Rwc26.sys [2008-08-13 03:24]
R0 Spssys;Toshiba SPS Service;C:\WINDOWS\System32\drivers\spssys.sys [2004-05-07 20:56]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
S2 FCI;FCI;C:\WINDOWS\System32\svchost.exe:exe.exe [2008-08-13 03:25]

*Newly Created Service* - CCEVTSVC
*Newly Created Service* - PCTFW2
*Newly Created Service* - RWC26
*Newly Created Service* - VKW43
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-MSMSGS - C:\Program Files\Messenger\msmsgs.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 03:23:52
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\alt.exe.exe 308736 bytes executable
C:\WINDOWS\system32\avicap3.dll 91648 bytes executable
C:\WINDOWS\system32\back.exe.exe 84480 bytes executable
C:\WINDOWS\system32\ntos.exe 368640 bytes executable
C:\WINDOWS\system32\svchost.exe:exe.exe 25088 bytes executable
C:\WINDOWS\system32\svcp.csv 0 bytes
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\CcEvtSvc.exe 87552 bytes executable

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FCI]
"ImagePath"="C:\WINDOWS\System32\svchost.exe:exe.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Vkw43]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\temp\IcnOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\B.tmp
C:\WINDOWS\mrofinu1001186.exexe
C:\12.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\mrofinu1001186.exexe
C:\WINDOWS\system32\CcEvtSvc.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-13 3:39:06 - machine was rebooted [MATTT]
ComboFix-quarantined-files.txt 2008-08-12 17:38:27
ComboFix2.txt 2008-08-08 06:04:10

Pre-Run: 5,656,104,960 bytes free
Post-Run: 5,077,508,096 bytes free

266 --- E O F --- 2008-01-17 00:32:11



-----------------------------------------------------------------------------------------------------------------



Here's the HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:07 PM, on 13/08/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {536FAE7E-ECDE-4A74-AC07-17E7B9E5455E} - C:\WINDOWS\System32\avicap3.dll
O2 - BHO: (no name) - {A065A416-63FB-48C5-91EF-BFA7D6E16B53} - C:\WINDOWS\System32\avicap3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7744BA7-B1D9-44F8-88AC-91544C3A88C5}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{F38C73CC-6415-4BBF-8B85-00D9D32FA511}: NameServer = 4.2.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Performance Logs and Alerts SysmonLogEventlog (SysmonLogEventlog) - Unknown owner - C:\WINDOWS\System32\1025b.exe

--
End of file - 5587 bytes


_________________________________________________________________________________






#11 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 13 August 2008 - 01:42 PM

Hello ALL1ZE,

Every time you connect to the internet, you just gather more malware!!
Please update MBAM, if still possible, and download an antivirus program.
In this case I'd recommend the free version of Antivir or AVG. (See this Prevention page with lots of info.)
Don't install it yet; just download the installer to your desktop.
Then save the CFScript below to your desktop. Don't run it yet either.
Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

KILLALL::
File::
C:\WINDOWS\services.exe
C:\WINDOWS\file.bat
C:\A.tmp
C:\9.tmp
C:\7.tmp
C:\WINDOWS\mrofinu1001186.exe
C:\E.tmp
C:\6.tmp
C:\B.tmp
C:\F.tmp
C:\WINDOWS\system32\drivers\39lmf.exe
C:\WINDOWS\system32\drivers\706lmf.exe
C:\WINDOWS\system32\drivers\513lmf.exe
C:\WINDOWS\system32\drivers\461lmf.exe
C:\10.tmp
C:\WINDOWS\neos.exe
C:\WINDOWS\crock+mock.config
C:\11.tmp
C:\8.tmp
C:\C.tmp
C:\D.tmp
C:\WINDOWS\system32\drivers\993lmf.exe
C:\WINDOWS\system32\yyydhhhu.tmp
C:\22.tmp
C:\1A.tmp
C:\19.tmp
C:\1E.tmp
C:\18.tmp
C:\1D.tmp
C:\1F.tmp
C:\23.tmp
C:\20.tmp
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\back.exe.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\drivers\docker19.sys
C:\WINDOWS\system32\drivers\Rwc26.sys
C:\WINDOWS\System32\avicap3.dll
C:\WINDOWS\temp\IcnOvrly.dll
C:\WINDOWS\system32\svcp.csv
Folder::
C:\Program Files\Skra
C:\WINDOWS\system32\wsnpoem
Driver::
Rwc26
FCI
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{536FAE7E-ECDE-4A74-AC07-17E7B9E5455E}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sample Shell Icon Overlay Identifier]
[-HKEY_CLASSES_ROOT\CLSID\{EA3775F2-28BE-11D3-9C8D-00105A24ED29}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"=-
"services"=-
"PromoReg"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"neos"=-
"Skra"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rwc26.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winej72.sys]

Save this as a text file named CFScript.

Then disconnect from the internet (if necessary disconnect the cable) and stay off until your system is clean.

If possible communicate using another PC.

Now reboot into safe mode (WITHOUT network support!!).

Run MBAM and save the log for posting.

Drag CFScript into ComboFix. This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as the MBAM log.

DO NOT reconnect to the internet!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#12 ALL1ZE

  • Topic Starter
  • Members
  • 10 posts

Posted 14 August 2008 - 09:16 AM

I didn't get the ComboFix log because, just as it was about to produce it, a cmd error came up and I couldn't get it :/
I do have the MBAM log, though, and I did a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13, on 2008-08-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {6F17DC59-CC03-480D-87C5-076B29A15AFA} - C:\WINDOWS\System32\comsvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: bannerstyle browser optimizer - {c293b9b7-e187-4434-bd06-70c4dd7c3ba0} - C:\WINDOWS\System32\srdcdozmfco.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Norton AntiVirus] C:\WINDOWS\ov519dib.exe
O4 - HKLM\..\Run: [htwrycyy] C:\WINDOWS\ov519dib.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7744BA7-B1D9-44F8-88AC-91544C3A88C5}: NameServer = 4.2.2.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{F38C73CC-6415-4BBF-8B85-00D9D32FA511}: NameServer = 4.2.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LPTRDC server (LPTRDCsrv) - Unknown owner - C:\WINDOWS\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5689 bytes


===================================



Malwarebytes' Anti-Malware 1.24
Database version: 1047
Windows 5.1.2600

8:42:59 AM 14/08/2008
mbam-log-8-14-2008 (08-42-55).txt

Scan type: Quick Scan
Objects scanned: 54604
Time elapsed: 15 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\accessj.dll (Trojan.Downloader) -> No action taken.
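
Both HijackThis logs posted in this thread show the same classes of autostart abuse: a second executable appended to Winlogon's UserInit value (ntos.exe), Browser Helper Objects with no name, Run entries launching binaries dropped straight into C:\WINDOWS (some under a borrowed product name such as "Norton AntiVirus"), a hard-coded NameServer on every interface, and services with "Unknown owner" whose image is either an unknown System32 file or a copy of a core binary (ctfmon.exe) sitting outside System32. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from any of the helpers. Its heuristics are this example's own assumptions (a partial list of System32-only binaries, and "binary in the Windows root" as a dropper indicator), and the sample lines are excerpted from the two logs above.

```python
"""Triage a HijackThis 2.0.x log for the autostart abuses visible in this thread.

The heuristics below are this example's own assumptions, not HijackThis logic:
  * F2  UserInit lists anything besides userinit.exe          -> Winlogon hijack
  * O2  BHO reported as "(no name)"                            -> unnamed BHO
  * O4  Run entry whose target sits directly in C:\WINDOWS     -> dropper-style path
  * O17 NameServer set explicitly on an interface              -> report it (DNS redirect)
  * O23 service with "Unknown owner" outside Program Files     -> unknown-owner service
  * any core System32 binary name found outside System32       -> impersonation
"""
import re

# Core binaries that only belong in System32 on Windows XP (assumption: partial list).
SYSTEM32_ONLY = {"ctfmon.exe", "svchost.exe", "services.exe", "lsass.exe",
                 "winlogon.exe", "userinit.exe", "csrss.exe"}
WINROOT = "c:/windows"

# A drive-letter path ending in an executable-type extension. Components may contain
# spaces but not quotes, commas or colons, so UserInit's comma-separated list splits.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\",:]+\\)*[^\\",:]+\.(?:exe|dll|sys|ocx)\b',
                     re.IGNORECASE)
ENTRY_RE = re.compile(r"(F2|O2|O4|O17|O23)\s*-\s*(.*)")


def _paths(text):
    """Every path in a log line, lowercased and with / as separator."""
    return [p.lower().replace("\\", "/") for p in PATH_RE.findall(text)]


def triage_line(line):
    """Return (reason, line) findings for one HijackThis entry; [] if it looks benign."""
    findings = []
    m = ENTRY_RE.match(line)
    if not m:
        return findings
    kind, body = m.group(1), m.group(2)
    low, paths = body.lower(), _paths(body)

    if kind == "F2" and "userinit=" in low:
        exes = [p for p in paths if p.endswith(".exe")]
        if len(exes) != 1 or not exes[0].endswith("/userinit.exe"):
            findings.append(("userinit hijack", line))
    elif kind == "O2" and "(no name)" in low:
        findings.append(("unnamed BHO", line))
    elif kind == "O4":
        if any(p.endswith(".exe") and p.rpartition("/")[0] == WINROOT for p in paths):
            findings.append(("Run entry launches binary from Windows root", line))
    elif kind == "O17" and "nameserver" in low:
        findings.append(("explicit DNS server configured", line))
    elif kind == "O23" and "unknown owner" in low:
        if not any("/program files/" in p for p in paths):
            findings.append(("unknown-owner service outside Program Files", line))

    # A core binary's name at a non-System32 path (the LPTRDCsrv service above).
    for p in paths:
        name = p.rpartition("/")[2]
        if name in SYSTEM32_ONLY and not p.startswith(WINROOT + "/system32/"):
            findings.append((f"{name} outside System32 (impersonation)", line))
            break
    return findings


def triage(log_text):
    """Run triage_line over a whole log and return all findings in order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line.strip()))
    return findings


# Constructed sample: lines excerpted from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {536FAE7E-ECDE-4A74-AC07-17E7B9E5455E} - C:\WINDOWS\System32\avicap3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Norton AntiVirus] C:\WINDOWS\ov519dib.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{335F13DB-7EBB-4FE0-AA3F-2D655C08191F}: NameServer = 4.2.2.5
O23 - Service: LPTRDC server (LPTRDCsrv) - Unknown owner - C:\WINDOWS\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Performance Logs and Alerts SysmonLogEventlog (SysmonLogEventlog) - Unknown owner - C:\WINDOWS\System32\1025b.exe
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Run against the sample it reports eight findings: the UserInit hijack, the unnamed BHO, two Run entries in the Windows root, the explicit DNS server, the two unknown-owner services, and ctfmon.exe impersonation on the LPTRDCsrv line, while the NVIDIA, Google, Spyware Doctor and legitimate ctfmon entries pass. The O17 hit is deliberately only a report: 4.2.2.5 is a public resolver, and a NameServer entry needs a human to decide whether the user set it.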

#13 ALL1ZE

  • Topic Starter
  • Members
  • 10 posts

Posted 14 August 2008 - 09:17 AM

Duplicate post removed by Thunder

Edited by Thunder, 14 August 2008 - 11:29 AM.


#14 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 14 August 2008 - 11:34 AM

Hello ALL1ZE,

The ComboFix logs can be found, using Windows Explorer, as C:\ComboFix[x].txt,
where [x] is 2, 3, ... when ComboFix was run repeatedly.
Even with the error, a new log should have been made.
Please check if you find a log dated 8-14-2008 or 8-15-2008, and post it in your next reply.

Greetings,
Thunder

#15 ALL1ZE

  • Topic Starter
  • Members
  • 10 posts

Posted 15 August 2008 - 12:52 AM

This is the log of August 13th, 2008.
Also, as a result of these problems I'm having, it infected my sound drivers and I have no idea what sound driver to get anymore :/



ComboFix 08-08-10.06 - MATTT 2008-08-13 3:17:16.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.320 [GMT 10:00]
Running from: C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\mrofinu.exe.bin
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
.
ADS - svchost.exe: deleted 39936 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6.tmp
C:\7.tmp
C:\B.tmp
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\System32\adsn.dll
C:\WINDOWS\system32\back.exe.exe
C:\WINDOWS\system32\drivers\pctfw2.sys
c:\windows\system32\Drivers\Winej72.sys
C:\WINDOWS\system32\drivers\Xinu50.sys
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\system\
C:\WINDOWS\System32\unpr.sys
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\SYSTEM32\WinCtrl32.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wsnpoem
.
---- Previous Run -------
.
C:\WINDOWS\17PHolmes1001186.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\comsna.dll
C:\WINDOWS\system32\drivers\Tymj58.sys
C:\WINDOWS\system32\drivers\Winch50.sys
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\system\
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\temp\1.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_TYMJ58
-------\Legacy_WINCH50
-------\Service_FCI
-------\Service_Tymj58
-------\Service_Winch50
-------\Legacy_PCTFW2
-------\Legacy_WINEJ72
-------\Legacy_XINU50
-------\Service_pctfw2
-------\Service_Winej72
-------\Service_Xinu50


((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-13 03:25 . 2008-08-13 03:24 46,592 --a------ C:\WINDOWS\services.exe
2008-08-13 03:25 . 40 C:\WINDOWS\file.bat
2008-08-13 03:24 . 2008-08-13 03:24 172,032 --a------ C:\A.tmp
2008-08-13 03:24 . 2008-08-13 03:24 70,144 --a------ C:\9.tmp
2008-08-13 03:24 . 2008-08-13 03:24 49,664 --a------ C:\7.tmp
2008-08-13 03:24 . 2008-08-13 03:24 44,544 --a------ C:\WINDOWS\mrofinu1001186.exe
2008-08-13 03:24 . 2008-08-13 03:25 44,032 --a------ C:\E.tmp
2008-08-13 03:24 . 2008-08-13 03:24 30,720 --a------ C:\6.tmp
2008-08-13 03:24 . 2008-08-13 03:24 8,192 --a------ C:\B.tmp
2008-08-13 03:24 . 2008-08-13 03:25 18 --a------ C:\F.tmp
2008-08-12 20:02 . 2008-08-12 20:02 43,520 --a------ C:\WINDOWS\system32\drivers\39lmf.exe
2008-08-12 19:30 . 2008-08-12 19:30 43,520 --a------ C:\WINDOWS\system32\drivers\706lmf.exe
2008-08-12 18:51 . 2008-08-12 18:51 76,800 --a------ C:\WINDOWS\system32\drivers\513lmf.exe
2008-08-12 18:32 . 2008-08-12 18:32 43,520 --a------ C:\WINDOWS\system32\drivers\461lmf.exe
2008-08-12 18:29 . 2008-08-12 18:29 87,552 --a------ C:\10.tmp
2008-08-12 18:29 . 2008-08-13 03:25 84,480 --a------ C:\WINDOWS\neos.exe
2008-08-12 18:29 . 2008-08-13 03:27 49,839 --a------ C:\WINDOWS\crock+mock.config
2008-08-12 18:29 . 2008-08-12 18:29 0 --a------ C:\11.tmp
2008-08-12 18:28 . 2008-08-12 18:28 66,560 --a------ C:\8.tmp
2008-08-12 18:28 . 2008-08-12 18:29 44,032 --a------ C:\C.tmp
2008-08-12 18:28 . 2008-08-12 18:29 18 --a------ C:\D.tmp
2008-08-12 16:37 . 2008-08-12 16:37 43,520 --a------ C:\WINDOWS\system32\drivers\993lmf.exe
2008-08-12 16:15 . 2008-08-12 16:15 29 --a------ C:\WINDOWS\system32\yyydhhhu.tmp
2008-08-12 16:14 . 2008-08-12 16:14 87,552 --a------ C:\22.tmp
2008-08-12 16:14 . 2008-08-12 16:14 66,560 --a------ C:\1A.tmp
2008-08-12 16:14 . 2008-08-12 16:14 49,664 --a------ C:\19.tmp
2008-08-12 16:14 . 2008-08-12 16:14 44,032 --a------ C:\1E.tmp
2008-08-12 16:14 . 2008-08-12 16:14 15,360 --a------ C:\18.tmp
2008-08-12 16:14 . 2008-08-12 16:14 8,192 --a------ C:\1D.tmp
2008-08-12 16:14 . 2008-08-12 16:14 18 --a------ C:\1F.tmp
2008-08-12 16:14 . 2008-08-12 16:14 0 --a------ C:\23.tmp
2008-08-12 16:14 . 2008-08-12 16:14 0 --a------ C:\20.tmp
2008-08-08 14:59 . 2008-08-08 14:59 <DIR> d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Malwarebytes
2008-08-08 14:58 . 2008-08-08 14:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 14:58 . 2008-08-08 14:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-08 14:58 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-08 14:58 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 00:59 . 2008-08-07 21:51 16,384 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-08-06 13:33 . 2008-08-06 13:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-06 13:30 . 2008-08-06 13:30 <DIR> d-------- C:\Deckard
2008-08-06 00:26 . 2008-08-06 00:26 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-05 07:21 . 2008-08-05 07:21 <DIR> d-------- C:\WINDOWS\resources
2008-07-24 21:02 . 2008-07-24 21:02 0 --a------ C:\CDSETUP
2008-07-24 20:51 . 2008-07-24 20:51 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-24 20:51 . 2008-01-10 13:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-07-24 20:51 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-07-24 20:40 . 2008-07-24 20:40 <DIR> d-------- C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\vlc
2008-07-24 20:26 . 2008-07-24 20:26 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-17 09:12 . 2008-07-17 09:12 <DIR> d-------- C:\Converted Music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 17:26 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-08-12 17:25 87,552 ----a-w C:\WINDOWS\system32\CcEvtSvc.exe
2008-08-12 17:25 84,480 ----a-w C:\WINDOWS\system32\back.exe.exe
2008-08-12 17:25 57,344 ----a-w C:\WINDOWS\system32\svchost.exe
2008-08-12 17:25 308,736 ----a-w C:\WINDOWS\system32\alt.exe.exe
2008-08-12 17:25 123,904 ----a-w C:\WINDOWS\system32\drivers\docker19.sys
2008-08-12 17:24 30,848 ----a-w C:\WINDOWS\system32\drivers\Rwc26.sys
2008-08-12 15:43 --------- d-----w C:\Program Files\Steam
2008-08-12 09:57 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-10 07:43 --------- d-----w C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\mIRC
2008-08-07 14:40 --------- d-----w C:\Program Files\Winamp
2008-08-07 14:38 --------- d-----w C:\Documents and Settings\MATTT.HOMEUSE-65P1N7L\Application Data\Winamp
2008-08-05 16:44 --------- d-----w C:\Program Files\Warcraft III
2008-08-05 16:42 --------- d-----w C:\Program Files\VentriloMIX
2008-08-05 16:42 --------- d-----w C:\Program Files\Ventrilo
2008-08-05 16:42 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-05 16:38 --------- d-----w C:\Program Files\Real Alternative
2008-08-05 16:38 --------- d-----w C:\Program Files\Paltalk Messenger Interop
2008-08-05 16:31 --------- d-----w C:\Program Files\mIRC
2008-08-05 16:28 --------- d-s---w C:\Program Files\HLSW
2008-08-05 16:28 --------- d-----w C:\Program Files\htwrycyy
2008-08-05 16:26 --------- d-----w C:\Program Files\D-Tools
2008-08-05 16:21 --------- d-----w C:\Program Files\7-Zip
2008-08-05 11:09 --------- d-----w C:\Program Files\My Music
2008-08-05 10:26 65,536 ----a-w C:\WINDOWS\DUMPb958.tmp
2008-08-05 08:03 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-26 09:04 --------- d-----w C:\Program Files\people
2008-07-12 17:09 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-06-16 06:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 06:23 --------- d-----w C:\Program Files\Veoh Networks
2008-06-11 13:23 28,160 --sha-w C:\Program Files\Thumbs.db
2007-10-30 09:51 784 ----a-w C:\Documents and Settings\matttt\Application Data\mpauth.dat
2001-11-23 01:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2008-08-13 03:25 57344 a8b10cffccfbaeba07a965f0834589cf C:\WINDOWS\system32\svchost.exe
2001-08-23 22:00 56832 e8721b4e032aba8438826dab07d1f62c C:\WINDOWS\system32\dllcache\svchost.exe

2001-08-23 22:00 1011712 aa54bbd298e6a55d3acc8cbb9e6dafd0 C:\WINDOWS\explorer.exe
2001-08-23 22:00 1012224 a36ed38fbf6e7e6d4647bf5f2c23b724 C:\WINDOWS\system32\dllcache\explorer.exe

2001-08-23 22:00 24064 bd5008fcee9fd908778f5b6b40478eac C:\WINDOWS\system32\ctfmon.exe
2001-08-23 22:00 90624 e831da8b586d30123017bfd1dad572c9 C:\WINDOWS\system32\dllcache\ctfmon.exe

2001-08-23 22:00 127488 937f393a314c73ff4386243b0ac0d791 C:\WINDOWS\system32\spoolsv.exe
2001-08-23 22:00 95232 fe7818ebe61ea3740fae383200aa5268 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{536FAE7E-ECDE-4A74-AC07-17E7B9E5455E}]
2001-08-23 22:00 91648 --a------ C:\WINDOWS\System32\avicap3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Sample Shell Icon Overlay Identifier]
@="{EA3775F2-28BE-11D3-9C8D-00105A24ED29}"
[HKEY_CLASSES_ROOT\CLSID\{EA3775F2-28BE-11D3-9C8D-00105A24ED29}]
2008-08-13 03:24 27648 --a------ C:\WINDOWS\temp\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 22:00 24064]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 15:29 7561216]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 15:29 86016]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [2008-08-13 03:24 44544]
"services"="C:\WINDOWS\services.exe" [2008-08-13 03:24 46592]
"PromoReg"="C:\WINDOWS\system32\alt.exe.exe" [2008-08-13 03:25 308736]
"nwiz"="nwiz.exe" [2006-03-09 15:29 1564672 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 08:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-23 22:00 24064]
"neos"="C:\WINDOWS\neos.exe" [2008-08-13 03:25 84480]
"Skra"="C:\Program Files\Skra\Skra.exe" [2008-08-13 03:36 46076]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rwc26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winej72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\System32\\regsvr32.exe"=
"C:\\WINDOWS\\system32\\notepad.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"= C:\\Program Files\\MSN Messenger\\msnmsgr.exe
"C:\\Program Files\\WinRAR\\WinRAR.exe"=
"C:\\WINDOWS\\explorer.exe"=

R0 Rwc26;Rwc26;C:\WINDOWS\System32\Drivers\Rwc26.sys [2008-08-13 03:24]
R0 Spssys;Toshiba SPS Service;C:\WINDOWS\System32\drivers\spssys.sys [2004-05-07 20:56]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
S2 FCI;FCI;C:\WINDOWS\System32\svchost.exe:exe.exe [2008-08-13 03:25]

*Newly Created Service* - CCEVTSVC
*Newly Created Service* - PCTFW2
*Newly Created Service* - RWC26
*Newly Created Service* - VKW43
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-MSMSGS - C:\Program Files\Messenger\msmsgs.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 03:23:52
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\alt.exe.exe 308736 bytes executable
C:\WINDOWS\system32\avicap3.dll 91648 bytes executable
C:\WINDOWS\system32\back.exe.exe 84480 bytes executable
C:\WINDOWS\system32\ntos.exe 368640 bytes executable
C:\WINDOWS\system32\svchost.exe:exe.exe 25088 bytes executable
C:\WINDOWS\system32\svcp.csv 0 bytes
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\CcEvtSvc.exe 87552 bytes executable

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FCI]
"ImagePath"="C:\WINDOWS\System32\svchost.exe:exe.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Vkw43]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\temp\IcnOvrly.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\B.tmp
C:\WINDOWS\mrofinu1001186.exexe
C:\12.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\mrofinu1001186.exexe
C:\WINDOWS\system32\CcEvtSvc.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-13 3:39:06 - machine was rebooted [MATTT]
ComboFix-quarantined-files.txt 2008-08-12 17:38:27
ComboFix2.txt 2008-08-08 06:04:10

Pre-Run: 5,656,104,960 bytes free
Post-Run: 5,077,508,096 bytes free

266 --- E O F --- 2008-01-17 00:32:11

Edited by ALL1ZE, 15 August 2008 - 12:54 AM.
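
Two details in the ComboFix log above are worth pulling out mechanically rather than by eye. The FCI service's ImagePath is C:\WINDOWS\System32\svchost.exe:exe.exe, i.e. code stored in an NTFS alternate data stream attached to the real svchost.exe (the "ADS - svchost.exe: deleted ... in 1 streams" line is ComboFix removing it), and the Sigcheck section shows the live C:\WINDOWS\system32\svchost.exe carrying a 2008-08-13 timestamp and a different size and MD5 from the dllcache copy. The script below is an added example written against the log format shown in this thread; it is not ComboFix's code, and its scoring rule (an ADS host whose live copy also differs from dllcache and is newer is the strongest indicator) is this example's own assumption. The sample lines are excerpted from the log above; a Sigcheck mismatch on its own is only a lead, since a hotfix can legitimately change one copy.

```python
"""Pull two indicators out of a ComboFix log: image paths that point into an NTFS
alternate data stream (file.exe:stream), and 'Sigcheck' pairs where the live System32
binary no longer matches its dllcache copy.

Added example for this page, not ComboFix's own code. The "ADS host whose live copy
was also rewritten" scoring rule is this example's assumption.
"""
import re
from collections import defaultdict

# "2008-08-13 03:25 57344 a8b10cff... C:\WINDOWS\system32\svchost.exe"
SIG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(\S.*)$")
# "C:\WINDOWS\System32\svchost.exe:exe.exe" -> (host file, stream name)
ADS_RE = re.compile(r'([A-Za-z]:\\[^\s:"]+?\.(?:exe|dll|sys)):([^\s\\:"\]]+)', re.IGNORECASE)


def find_ads_refs(log_text):
    """Every reference to an executable-looking path with an ADS suffix, in log order."""
    refs = []
    for line in log_text.splitlines():
        for host, stream in ADS_RE.findall(line):
            refs.append({"file": host, "stream": stream, "line": line.strip()})
    return refs


def sigcheck_mismatches(log_text):
    """Pair System32 files with their dllcache copies by basename; report differing MD5s."""
    entries = defaultdict(dict)
    for line in log_text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        stamp, size, md5, path = m.groups()
        name = path.rsplit("\\", 1)[-1].lower()
        slot = "cache" if "\\dllcache\\" in path.lower() else "live"
        entries[name][slot] = {"stamp": stamp, "size": int(size), "md5": md5.lower()}
    out = []
    for name, pair in entries.items():
        if "live" not in pair or "cache" not in pair:
            continue
        live, cache = pair["live"], pair["cache"]
        if live["md5"] == cache["md5"]:
            continue
        out.append({
            "name": name,
            "live_md5": live["md5"],
            "cache_md5": cache["md5"],
            "size_delta": live["size"] - cache["size"],
            # ISO-style stamps compare correctly as plain strings.
            "live_newer": live["stamp"] > cache["stamp"],
        })
    return out


def combofix_triage(log_text):
    """Combine both checks; ads_hosts_modified lists ADS hosts whose live copy was rewritten."""
    ads = find_ads_refs(log_text)
    mismatches = sigcheck_mismatches(log_text)
    rewritten = {m["name"] for m in mismatches if m["live_newer"]}
    hosts = []
    for ref in ads:
        name = ref["file"].rsplit("\\", 1)[-1].lower()
        if name in rewritten and name not in hosts:
            hosts.append(name)
    return {"ads": ads, "mismatches": mismatches, "ads_hosts_modified": hosts}


# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------

2008-08-13 03:25 57344 a8b10cffccfbaeba07a965f0834589cf C:\WINDOWS\system32\svchost.exe
2001-08-23 22:00 56832 e8721b4e032aba8438826dab07d1f62c C:\WINDOWS\system32\dllcache\svchost.exe

2001-08-23 22:00 24064 bd5008fcee9fd908778f5b6b40478eac C:\WINDOWS\system32\ctfmon.exe
2001-08-23 22:00 90624 e831da8b586d30123017bfd1dad572c9 C:\WINDOWS\system32\dllcache\ctfmon.exe

S2 FCI;FCI;C:\WINDOWS\System32\svchost.exe:exe.exe [2008-08-13 03:25]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FCI]
"ImagePath"="C:\WINDOWS\System32\svchost.exe:exe.exe"

C:\WINDOWS\system32\svchost.exe:exe.exe 25088 bytes executable
"""

if __name__ == "__main__":
    result = combofix_triage(SAMPLE_LOG)
    for ref in result["ads"]:
        print(f"ADS: {ref['file']} stream={ref['stream']}")
    for m in result["mismatches"]:
        print(f"MISMATCH: {m['name']} delta={m['size_delta']} live_newer={m['live_newer']}")
    print("ADS hosts also rewritten:", result["ads_hosts_modified"])
```

On the sample this reports three ADS references (the service line, the ImagePath value and the catchme hidden-file line, all naming svchost.exe:exe.exe), two Sigcheck mismatches, and svchost.exe as the one ADS host whose live copy is both different from dllcache and newer. The ctfmon.exe mismatch is listed but not escalated because its live timestamp is not newer than the cached copy.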




