
Hijack This Log


This topic is locked. 11 replies to this topic.

#1 dragginfool (Members, 6 posts)

Posted 04 September 2008 - 02:53 PM

My Ad-watch is being hit every couple of seconds by this thing. None of the malware programs seem to help.

Thank you for any help!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:45 PM, on 9/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\system32\dsnthser.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.download.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\system32\dsnthser.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 5190 bytes


#2 Grinler (Lawrence Abrams, Admin, 43,503 posts, Location: USA)

Posted 21 September 2008 - 08:47 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

#3 dragginfool (Topic Starter, Members, 6 posts)

Posted 24 September 2008 - 11:32 AM

Thanks for the response. I understand backlogs! lol

The problem seems to have solved itself. It has stopped and I don't think it was something I did.

#4 Grinler (Lawrence Abrams, Admin, 43,503 posts, Location: USA)

Posted 24 September 2008 - 12:12 PM

I would suggest that we look into this further.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#5 dragginfool (Topic Starter, Members, 6 posts)

Posted 25 September 2008 - 11:10 AM

Here is the SDFix log-

***********************************************************************

SDFix: Version 1.229
Run by bryanb on Thu 09/25/2008 at 10:45a

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\BRYANB\COOKIES\RITOWA~1.EXE - Deleted
C:\Documents and Settings\bryanb\Cookies\ritowapolu.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 10:50:52
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\bryanb\Application Data\U3\temp\Launchpad Removal.exe"

Finished!


***************************************************************************************



And here is the new HJT log-


********************************************************************************



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:47 AM, on 9/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\system32\dsnthser.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.download.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\system32\dsnthser.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 5217 bytes



**********************************************************************************************


Thank You

#6 Grinler (Lawrence Abrams, Admin, 43,503 posts, Location: USA)

Posted 25 September 2008 - 11:37 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#7 dragginfool (Topic Starter, Members, 6 posts)

Posted 25 September 2008 - 02:37 PM

Here is the ComboFix log-


*************************************************************************************


ComboFix 08-09-25.03 - bryanb 09/25/2008 13:21:55.1 - NTFSx86
Running from: C:\Documents and Settings\bryanb\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bryanb\Cookies\jutiw.ban
C:\Documents and Settings\bryanb\Cookies\kukezulos.sys
C:\Documents and Settings\bryanb\Cookies\lusuwolym.db
C:\Documents and Settings\bryanb\Cookies\oqaxebymy.dl
C:\Documents and Settings\bryanb\Cookies\yjocos.sys
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.

2008-09-25 10:43 . 08-09-25 10:43 <DIR> d-------- C:\WINNT\ERUNT
2008-09-25 10:40 . 08-09-25 10:53 <DIR> d-------- C:\SDFix
2008-09-04 13:24 . 08-09-04 13:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 08:41 . 08-09-04 08:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-04 08:41 . 08-09-04 11:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 07:02 . 08-09-04 07:02 27,136 --a------ C:\WINNT\system32\drivers\beep.sys.vir
2008-09-04 07:00 . 08-09-04 07:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-04 06:59 . 08-09-04 06:59 <DIR> d-------- C:\Program Files\Trojan Remover
2008-09-04 06:57 . 08-09-04 06:59 <DIR> d-------- C:\Documents and Settings\bryanb\Application Data\Simply Super Software
2008-09-04 06:57 . 08-09-04 06:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-09-04 06:57 . 06-05-25 15:52 162,304 --a------ C:\WINNT\system32\ztvunrar36.dll
2008-09-04 06:57 . 03-02-02 20:06 153,088 --a------ C:\WINNT\system32\unrar3.dll
2008-09-04 06:57 . 05-08-26 01:50 77,312 --a------ C:\WINNT\system32\ztvunace26.dll
2008-09-04 06:57 . 02-03-06 01:00 75,264 --a------ C:\WINNT\system32\unacev2.dll
2008-09-04 06:57 . 06-06-19 13:01 69,632 --a------ C:\WINNT\system32\ztvcabinet.dll
2008-09-03 17:27 . 08-09-04 06:29 3,034 --a------ C:\WINNT\system32\winivstr.exe.vir
2008-09-03 15:51 . 08-09-03 15:51 19,737 --a------ C:\Documents and Settings\bryanb\Application Data\ikubuxij.sys
2008-09-03 15:51 . 08-09-03 15:51 18,968 --a------ C:\Documents and Settings\bryanb\Application Data\gihosecucy.pif
2008-09-03 15:51 . 08-09-03 15:51 18,914 --a------ C:\WINNT\system32\exuhuv.pif
2008-09-03 15:51 . 08-09-03 15:51 18,153 --a------ C:\WINNT\system32\fiwyketi.exe
2008-09-03 15:51 . 08-09-03 15:51 17,461 --a------ C:\WINNT\nerixun.reg
2008-09-03 15:51 . 08-09-03 15:51 17,287 --a------ C:\Documents and Settings\All Users\Application Data\tizasekag.pif
2008-09-03 15:51 . 08-09-03 15:51 15,301 --a------ C:\WINNT\system32\esosigowo.reg
2008-09-03 15:51 . 08-09-03 15:51 14,052 --a------ C:\WINNT\system32\yqutybo.pif
2008-09-03 15:51 . 08-09-03 15:51 13,976 --a------ C:\Documents and Settings\bryanb\Application Data\fodaja.dat
2008-09-03 15:51 . 08-09-03 15:51 12,744 --a------ C:\Program Files\Common Files\synelec.dll
2008-09-03 15:51 . 08-09-03 15:51 12,560 --a------ C:\WINNT\system32\hacy.dat
2008-09-03 15:51 . 08-09-03 15:51 10,536 --a------ C:\WINNT\system32\unehelyqy.dat
2008-09-03 15:51 . 08-09-03 15:51 10,300 --a------ C:\WINNT\xaxoru.exe
2008-09-03 15:14 . 08-09-04 06:28 9,216 --a------ C:\WINNT\system32\buritos.exe.vir
2008-09-03 15:14 . 08-09-04 06:28 9,216 --a------ C:\WINNT\buritos.exe.vir
2008-09-03 15:12 . 08-09-03 15:12 40,448 --a------ C:\GtD0.exe
2008-09-03 15:12 . 08-09-03 15:12 9,216 --a------ C:\WINNT\system32\braviax.exe.vir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-03 20:51 15,628 ----a-w C:\Program Files\Common Files\orupof.db
2008-08-21 19:27 --------- d-----w C:\Program Files\BitZipper
2008-08-21 19:27 --------- d-----w C:\Documents and Settings\bryanb\Application Data\BitZipper
2008-08-12 20:43 --------- d-----w C:\Documents and Settings\bryanb\Application Data\AdobeUM
2008-08-11 22:15 --------- d-----w C:\Program Files\Java
2008-07-24 15:10 60,744 ----a-w C:\Documents and Settings\bryanb\g2mdlhlpx.exe
2008-02-11 15:15 2,733,928 ----a-w C:\Program Files\ccsetup204.exe
2007-09-17 19:56 13,352 ----a-w C:\Documents and Settings\bryanb\Application Data\GDIPFONTCACHEV1.DAT
2005-01-13 20:50 271 ---h--w C:\Program Files\desktop.ini
2005-01-13 20:50 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [04-02-19 14:07 147514]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [04-10-12 11:14 538112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 07:00 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R1 sglfb;sglfb;C:\WINNT\system32\DRIVERS\sglfb.syS []
R1 tga;tga;C:\WINNT\system32\DRIVERS\tga.syS []
R4 aic116x;aic116x;C:\WINNT\system32\DRIVERS\aic116x.syS []
R4 ami0nt;ami0nt;C:\WINNT\system32\DRIVERS\ami0nt.syS []
R4 cpqarry2;cpqarry2;C:\WINNT\system32\DRIVERS\cpqarry2.syS []
R4 cpqfcalm;cpqfcalm;C:\WINNT\system32\DRIVERS\cpqfcalm.syS []
R4 cpqfws2e;cpqfws2e;C:\WINNT\system32\DRIVERS\cpqfws2e.syS []
R4 deckzpsx;deckzpsx;C:\WINNT\system32\DRIVERS\deckzpsx.syS []
R4 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\Fd16_700.syS []
R4 fireport;fireport;C:\WINNT\system32\DRIVERS\fireport.syS []
R4 flashpnt;flashpnt;C:\WINNT\system32\DRIVERS\flashpnt.syS []
R4 ipsraidn;ipsraidn;C:\WINNT\system32\DRIVERS\ipsraidn.syS []
R4 lp6nds35;lp6nds35;C:\WINNT\system32\DRIVERS\lp6nds35.syS []
R4 Ncrc710;Ncrc710;C:\WINNT\system32\DRIVERS\Ncrc710.syS []
R4 ql2100;ql2100;C:\WINNT\system32\DRIVERS\ql2100.syS []
R4 ultra66;ultra66;C:\WINNT\system32\DRIVERS\ultra66.syS []
S0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys [03-05-15 08:03 ]
S2 AvSynMgr;AVSync Manager;C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe [03-05-23 08:03 ]
S2 DoubleScreenService;DoubleScreenService;C:\WINNT\system32\dsnthser.exe [05-01-29 14:05 ]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\system32\drivers\cwbwdm.sys [99-11-01 17:10 ]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 07:22 ]
S3 FireGL1;FireGL1;C:\WINNT\system32\DRIVERS\firegl1m.sys [05-01-29 14:05 ]


*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 -: Trusted Zone: *.download.com
O15 -: Trusted Zone: *.yahoo.com

O16 -: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwlb.ops.placeware.com/etc/place/LIMA/SCLpws-b2/5.1.8.511/lib/quicksilver.cab
C:\WINNT\Downloaded Program Files\Quicksilver.inf
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 13:31:26
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
Completion time: 2008-09-25 13:33:31
ComboFix-quarantined-files.txt 2008-09-25 18:33:15

Pre-Run: 31,428,984,832 bytes free
Post-Run: 31,421,448,192 bytes free

131


**********************************************************************************

And here is the new HJT log-




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:58 PM, on 9/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\system32\dsnthser.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\McAfeeFire.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.download.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\system32\dsnthser.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 5328 bytes

*********************************************************************************


Thanks again!
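The three HijackThis logs in this thread (posts #1, #5 and #7) are compared by eye to spot what changed between scans and which autostart entries point somewhere an installer would never put a program. The script below is an added example, not code from the thread, from HijackThis or from BleepingComputer: it parses the plain-text layout the posted logs use, diffs two scans, and flags O4/O23 entries or running processes that live under a user profile, Cookies, Temp or Application Data folder (the location SDFix found ritowapolu.exe in above). The two sample logs embedded at the bottom are constructed for the example and shortened; the `example.exe` entry in them is invented.

```python
r"""Parse and diff Trend Micro HijackThis v2 logs (added example, not the thread's code).

Reads the plain-text layout the posted logs use: a "Platform:" line, a
"Running processes:" block of paths ended by a blank line, then section lines
such as "O4 - HKLM\..\Run: [Name] path" and "O23 - Service: Name - Vendor - path".
"""
import re
from dataclasses import dataclass, field

# "R0 - ...", "O4 - ...", "O23 - ...": group 1 is the HijackThis section code.
SECTION_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# Lower-cased path fragments where a legitimate autostart or service rarely
# lives (Windows paths are case-insensitive, so everything is compared lower-cased).
USER_WRITABLE = ("\\documents and settings\\", "\\cookies\\",
                 "\\temp\\", "\\application data\\")


@dataclass
class HjtLog:
    platform: str = ""
    processes: list = field(default_factory=list)
    entries: dict = field(default_factory=dict)  # section code -> [entry text, ...]


def parse_hjt(text: str) -> HjtLog:
    """Split one HijackThis log into its process list and per-section entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the "Running processes:" block
            continue
        if line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            log.processes.append(line.lower())
        else:
            m = SECTION_RE.match(line)
            if m:
                log.entries.setdefault(m.group(1), []).append(m.group(2))
    return log


def diff_logs(before: HjtLog, after: HjtLog) -> dict:
    """Report processes and entries that appeared or vanished between two scans."""
    result = {
        "new_processes": sorted(set(after.processes) - set(before.processes)),
        "gone_processes": sorted(set(before.processes) - set(after.processes)),
        "new_entries": [],
        "gone_entries": [],
    }
    for sec in sorted(set(before.entries) | set(after.entries)):
        b = set(before.entries.get(sec, []))
        a = set(after.entries.get(sec, []))
        result["new_entries"] += [f"{sec} - {e}" for e in sorted(a - b)]
        result["gone_entries"] += [f"{sec} - {e}" for e in sorted(b - a)]
    return result


def flag_user_writable(log: HjtLog) -> list:
    """Running processes and O4/O23 entries that point into user-writable folders."""
    hits = [p for p in log.processes if any(k in p for k in USER_WRITABLE)]
    for sec in ("O4", "O23"):
        for e in log.entries.get(sec, []):
            if any(k in e.lower() for k in USER_WRITABLE):
                hits.append(f"{sec} - {e}")
    return hits


# Constructed sample logs, modelled on the thread's format but shortened.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Cookies\example.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    print("suspicious before cleanup:", flag_user_writable(before))
    for key, items in diff_logs(before, after).items():
        print(key, items)
```

Run it on two real logs by reading the files into `parse_hjt`; the diff is what tells you that a cleanup actually removed an autostart rather than just the file it pointed at, and the location check is a cheap first triage before looking up each GUID or vendor name.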

#8 Grinler (Lawrence Abrams, Admin, 43,503 posts, Location: USA)

Posted 25 September 2008 - 03:09 PM

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINNT\system32\drivers\beep.sys.vir
C:\WINNT\system32\winivstr.exe.vir
C:\Documents and Settings\bryanb\Application Data\ikubuxij.sys
C:\Documents and Settings\bryanb\Application Data\gihosecucy.pif
C:\WINNT\system32\exuhuv.pif
C:\WINNT\system32\fiwyketi.exe
C:\WINNT\nerixun.reg
C:\Documents and Settings\All Users\Application Data\tizasekag.pif
C:\WINNT\system32\esosigowo.reg
C:\WINNT\system32\yqutybo.pif
C:\Documents and Settings\bryanb\Application Data\fodaja.dat
C:\Program Files\Common Files\synelec.dll
C:\WINNT\system32\hacy.dat
C:\WINNT\system32\unehelyqy.dat
C:\WINNT\xaxoru.exe
C:\WINNT\system32\buritos.exe.vir
C:\WINNT\buritos.exe.vir
C:\GtD0.exe
C:\WINNT\system32\braviax.exe.vir
C:\Program Files\Common Files\orupof.db
C:\Documents and Settings\bryanb\g2mdlhlpx.exe
C:\Program Files\ccsetup204.exe
C:\WINNT\inf\wbfirdma.sys


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#9 dragginfool

dragginfool
  • Topic Starter

  • Members
  • 6 posts

Posted 25 September 2008 - 04:28 PM

Man, I wish I knew what I was doing. lol

Here is the latest Combofix log-

**********************************************************************

ComboFix 08-09-25.03 - bryanb 09/25/2008 16:00:50.2 - NTFSx86
Running from: C:\Documents and Settings\bryanb\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bryanb\Desktop\CFScript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\tizasekag.pif
C:\Documents and Settings\bryanb\Application Data\fodaja.dat
C:\Documents and Settings\bryanb\Application Data\gihosecucy.pif
C:\Documents and Settings\bryanb\Application Data\ikubuxij.sys
C:\Documents and Settings\bryanb\g2mdlhlpx.exe
C:\GtD0.exe
C:\Program Files\ccsetup204.exe
C:\Program Files\Common Files\orupof.db
C:\Program Files\Common Files\synelec.dll
C:\WINNT\buritos.exe.vir
C:\WINNT\inf\wbfirdma.sys
C:\WINNT\nerixun.reg
C:\WINNT\system32\braviax.exe.vir
C:\WINNT\system32\buritos.exe.vir
C:\WINNT\system32\drivers\beep.sys.vir
C:\WINNT\system32\esosigowo.reg
C:\WINNT\system32\exuhuv.pif
C:\WINNT\system32\fiwyketi.exe
C:\WINNT\system32\hacy.dat
C:\WINNT\system32\unehelyqy.dat
C:\WINNT\system32\winivstr.exe.vir
C:\WINNT\system32\yqutybo.pif
C:\WINNT\xaxoru.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\tizasekag.pif
C:\Documents and Settings\bryanb\Application Data\fodaja.dat
C:\Documents and Settings\bryanb\Application Data\gihosecucy.pif
C:\Documents and Settings\bryanb\Application Data\ikubuxij.sys
C:\Documents and Settings\bryanb\g2mdlhlpx.exe
C:\GtD0.exe
C:\Program Files\ccsetup204.exe
C:\Program Files\Common Files\orupof.db
C:\Program Files\Common Files\synelec.dll
C:\WINNT\buritos.exe.vir
C:\WINNT\inf\wbfirdma.sys
C:\WINNT\nerixun.reg
C:\WINNT\system32\braviax.exe.vir
C:\WINNT\system32\buritos.exe.vir
C:\WINNT\system32\drivers\beep.sys.vir
C:\WINNT\system32\esosigowo.reg
C:\WINNT\system32\exuhuv.pif
C:\WINNT\system32\fiwyketi.exe
C:\WINNT\system32\hacy.dat
C:\WINNT\system32\unehelyqy.dat
C:\WINNT\system32\winivstr.exe.vir
C:\WINNT\system32\yqutybo.pif
C:\WINNT\xaxoru.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.

2008-09-25 10:43 . 08-09-25 10:43 <DIR> d-------- C:\WINNT\ERUNT
2008-09-25 10:40 . 08-09-25 10:53 <DIR> d-------- C:\SDFix
2008-09-04 13:24 . 08-09-04 13:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 08:41 . 08-09-04 08:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-04 08:41 . 08-09-04 11:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 07:00 . 08-09-04 07:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-04 06:59 . 08-09-04 06:59 <DIR> d-------- C:\Program Files\Trojan Remover
2008-09-04 06:57 . 08-09-04 06:59 <DIR> d-------- C:\Documents and Settings\bryanb\Application Data\Simply Super Software
2008-09-04 06:57 . 08-09-04 06:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-09-04 06:57 . 06-05-25 15:52 162,304 --a------ C:\WINNT\system32\ztvunrar36.dll
2008-09-04 06:57 . 03-02-02 20:06 153,088 --a------ C:\WINNT\system32\unrar3.dll
2008-09-04 06:57 . 05-08-26 01:50 77,312 --a------ C:\WINNT\system32\ztvunace26.dll
2008-09-04 06:57 . 02-03-06 01:00 75,264 --a------ C:\WINNT\system32\unacev2.dll
2008-09-04 06:57 . 06-06-19 13:01 69,632 --a------ C:\WINNT\system32\ztvcabinet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-21 19:27 --------- d-----w C:\Program Files\BitZipper
2008-08-21 19:27 --------- d-----w C:\Documents and Settings\bryanb\Application Data\BitZipper
2008-08-12 20:43 --------- d-----w C:\Documents and Settings\bryanb\Application Data\AdobeUM
2008-08-11 22:15 --------- d-----w C:\Program Files\Java
2007-09-17 19:56 13,352 ----a-w C:\Documents and Settings\bryanb\Application Data\GDIPFONTCACHEV1.DAT
2005-01-13 20:50 271 ---h--w C:\Program Files\desktop.ini
2005-01-13 20:50 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@Thu 2008-09-25_13.32.03.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 1999-09-25 00:18:06 32,528 -c--a-w C:\WINNT\system32\dllcache\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [04-02-19 14:07 147514]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [04-10-12 11:14 538112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 07:00 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R1 sglfb;sglfb;C:\WINNT\system32\DRIVERS\sglfb.syS []
R1 tga;tga;C:\WINNT\system32\DRIVERS\tga.syS []
R4 aic116x;aic116x;C:\WINNT\system32\DRIVERS\aic116x.syS []
R4 ami0nt;ami0nt;C:\WINNT\system32\DRIVERS\ami0nt.syS []
R4 cpqarry2;cpqarry2;C:\WINNT\system32\DRIVERS\cpqarry2.syS []
R4 cpqfcalm;cpqfcalm;C:\WINNT\system32\DRIVERS\cpqfcalm.syS []
R4 cpqfws2e;cpqfws2e;C:\WINNT\system32\DRIVERS\cpqfws2e.syS []
R4 deckzpsx;deckzpsx;C:\WINNT\system32\DRIVERS\deckzpsx.syS []
R4 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\Fd16_700.syS []
R4 fireport;fireport;C:\WINNT\system32\DRIVERS\fireport.syS []
R4 flashpnt;flashpnt;C:\WINNT\system32\DRIVERS\flashpnt.syS []
R4 ipsraidn;ipsraidn;C:\WINNT\system32\DRIVERS\ipsraidn.syS []
R4 lp6nds35;lp6nds35;C:\WINNT\system32\DRIVERS\lp6nds35.syS []
R4 Ncrc710;Ncrc710;C:\WINNT\system32\DRIVERS\Ncrc710.syS []
R4 ql2100;ql2100;C:\WINNT\system32\DRIVERS\ql2100.syS []
R4 ultra66;ultra66;C:\WINNT\system32\DRIVERS\ultra66.syS []
S0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys [03-05-15 08:03 ]
S2 AvSynMgr;AVSync Manager;C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe [03-05-23 08:03 ]
S2 DoubleScreenService;DoubleScreenService;C:\WINNT\system32\dsnthser.exe [05-01-29 14:05 ]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\system32\drivers\cwbwdm.sys [99-11-01 17:10 ]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 07:22 ]
S3 FireGL1;FireGL1;C:\WINNT\system32\DRIVERS\firegl1m.sys [05-01-29 14:05 ]

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 16:12:47
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-25 16:23:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 21:23:13
ComboFix2.txt 2008-09-25 18:33:42

Pre-Run: 31,481,544,704 bytes free
Post-Run: 31,474,565,120 bytes free

143

*********************************************************************************


And here is the latest HJT log-

******************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:31 PM, on 9/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\system32\dsnthser.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.download.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\system32\dsnthser.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 5491 bytes


************************************************************************


Thank you.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 25 September 2008 - 09:56 PM

Looking good. How does the computer feel to you?

#11 dragginfool

dragginfool
  • Topic Starter

  • Members
  • 6 posts

Posted 26 September 2008 - 07:46 AM

Seems to be a bit faster and not so glitchy. It's not a new box by far, but the performance is noticeably better.
I really appreciate your help.

Post up that paypal donation link. I need to reciprocate.

Thanks so much!

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 26 September 2008 - 08:07 AM

Thanks for the offer, but we do not accept donations anymore. If you want to pass it forward, please donate to a local charity :thumbsup:

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here for your particular Windows Version:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Re-enable System Restore with instructions from the tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp%, and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!
