
Infected With Webhancer


  • This topic is locked
4 replies to this topic

#1 Jena054


Posted 09 September 2008 - 04:25 PM

Pop-ups about security, ran SpyHunter but it's still being crazy.

EDIT: Also, Task Manager and right-clicking appear to be disabled.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:38 PM, on 09/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: getsn32.msiesn - {2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103849492849
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://click.mirarsearch.com/CABUPDATES/winwcd.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Application Layer Gateway Service ALGRasMan (ALGRasMan) - Unknown owner - C:\WINDOWS\system32\algx.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DefWatch - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Automatic Updates wuauservProtectedStorage (wuauservProtectedStorage) - Unknown owner - C:\WINDOWS\system32\1054r.exe

--
End of file - 7734 bytes

Edited by Jena054, 09 September 2008 - 04:33 PM.
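The HijackThis log above is the kind of artefact a helper reads by hand: the F2 UserInit line that chain-loads a second binary, the three O10 Winsock entries, the O18 text/html filter replacement, and the O23 services with no publisher. The following script is an added example, not part of the original thread and not HijackThis code; it encodes those same indicators as triage rules so that the lines get flagged automatically. The sample input is copied from the posted log; the rule set, the severity labels and the heuristic that treats a BHO living directly in system32 as worth a look are the author's own assumptions, not anything the thread states.

```python
"""Triage helper for Trend Micro HijackThis (HJT) log lines.

Added example only: not part of the original thread and not HijackThis
code. Rules and severities are the example author's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O10 - Hijacked Internet access by WebHancer
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Application Layer Gateway Service ALGRasMan (ALGRasMan) - Unknown owner - C:\WINDOWS\system32\algx.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Automatic Updates wuauservProtectedStorage (wuauservProtectedStorage) - Unknown owner - C:\WINDOWS\system32\1054r.exe
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "F2", "O23"
    severity: str  # "high", "medium" or "low" (assumed scale)
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt_line(line):
    """Split 'O23 - Service: ...' into its section tag and body."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_userinit(body):
    """F2: UserInit should load only userinit.exe; anything else is chain-loaded."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extras = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    if extras:
        return "high", "UserInit chain-loads extra binaries: " + ", ".join(extras)
    return None


def check_service(body):
    """O23: 'Service: <name> - <owner> - <path>'; flag services with no publisher."""
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) < 3:
        return None
    owner, path = parts[1], parts[2]
    if owner.lower() == "unknown owner":
        note = " (binary missing on disk)" if path.endswith("(file missing)") else ""
        return "medium", f"service with no publisher, path {path}{note}"
    return None


def check_bho(body):
    """O2: heuristic (assumption): BHOs normally live under Program Files,
    so a DLL directly in system32 is worth a second look. Orphans are skipped."""
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) < 3 or parts[2] == "(no file)":
        return None
    if "\\windows\\system32\\" in parts[2].lower():
        return "low", "BHO loaded from system32: " + parts[2]
    return None


def triage(log_text):
    """Run the rules over every HJT line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if not parsed:
            continue
        section, body = parsed
        result = None
        if section == "F2":
            result = check_userinit(body)
        elif section == "O10":
            result = ("high", "Winsock LSP chain modified: " + body)
        elif section == "O18":
            result = ("high", "MIME filter handler replaced: " + body)
        elif section == "O23":
            result = check_service(body)
        elif section == "O2":
            result = check_bho(body)
        if result:
            findings.append(Finding(section, result[0], result[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run it as-is to see the six lines the rules pick out of the sample; the legitimate R0, O4 and RealVNC O23 entries pass through untouched. The O23 rule deliberately stays at "medium", because "(file missing)" on its own also appears for uninstalled but legitimate software such as the Symantec entries in the full log.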



#2 steamwiz


Posted 10 September 2008 - 03:15 PM

Hi

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 Jena054


Posted 11 September 2008 - 04:11 PM

ComboFix 08-09-10.04 - User 2008-09-11 16:57:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.151 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\User\LOCALS~1\Temp\tmp1.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\tmp2.tmp
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Bob\Application Data\ASEMBL~1
C:\Documents and Settings\Bob\Application Data\CROSOF~1
C:\Documents and Settings\Bob\Application Data\Microsoft\dtsc
C:\Documents and Settings\Bob\Application Data\Microsoft\dtsc\27267.exe
C:\Documents and Settings\Bob\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\Bob\Application Data\PPPATC~1
C:\Documents and Settings\Bob\Application Data\SEMBLY~1
C:\Documents and Settings\Bob\Application Data\SMBOLS~1
C:\Documents and Settings\Bob\Application Data\SSTEM~1
C:\Documents and Settings\Bob\Application Data\STEM~1
C:\Documents and Settings\Bob\Cookies\bob@74.53.99[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ad.yieldmanager[2].txt
C:\Documents and Settings\Bob\Cookies\bob@ads.pointroll[2].txt
C:\Documents and Settings\Bob\Cookies\bob@adserver[2].txt
C:\Documents and Settings\Bob\Cookies\bob@advertising[2].txt
C:\Documents and Settings\Bob\Cookies\bob@antispywaremaster[1].txt
C:\Documents and Settings\Bob\Cookies\bob@axxessads.valuead[1].txt
C:\Documents and Settings\Bob\Cookies\bob@ehg-ripedigitalentertainment.hitbox[2].txt
C:\Documents and Settings\Bob\Cookies\bob@fastclick[1].txt
C:\Documents and Settings\Bob\Cookies\bob@insightexpressai[1].txt
C:\Documents and Settings\Bob\Cookies\bob@mygeek[2].txt
C:\Documents and Settings\Bob\Cookies\bob@serving-sys[1].txt
C:\Documents and Settings\Bob\Cookies\bob@spamblockerutility[1].txt
C:\Documents and Settings\Bob\Cookies\bob@trafficmp[1].txt
C:\Documents and Settings\Bob\Cookies\bob@turn[2].txt
C:\Documents and Settings\Bob\Cookies\bob@zedo[2].txt
C:\Documents and Settings\Bob\err.log
C:\Documents and Settings\Bob\gside.exe
C:\Documents and Settings\Bob\My Documents\CROSOF~1
C:\Documents and Settings\Bob\My Documents\MBOLS~1
C:\Documents and Settings\Bob\My Documents\RACLE~1
C:\Documents and Settings\Bob\My Documents\YMANTE~1
C:\Documents and Settings\Bob\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Bob\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Bob\Start Menu\Programs\Internet Speed Monitor\Entire Network.lnk
C:\Documents and Settings\Bob\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Bob\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\User\Application Data\WinAntiSpyware 2006
C:\Documents and Settings\User\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\User\Cookies\user@advertising[2].txt
C:\Documents and Settings\User\Cookies\user@atd.agencytradingdesk[1].txt
C:\Documents and Settings\User\Cookies\user@axxessads.valuead[2].txt
C:\Documents and Settings\User\Cookies\user@clicktorrent[1].txt
C:\Documents and Settings\User\Cookies\user@freeze[2].txt
C:\Documents and Settings\User\Cookies\user@insightexpressai[2].txt
C:\Documents and Settings\User\Cookies\user@interclick[2].txt
C:\Documents and Settings\User\Cookies\user@lxk235.lexmark[1].txt
C:\Documents and Settings\User\Cookies\user@mygeek[1].txt
C:\Documents and Settings\User\Cookies\user@server.cpmstar[1].txt
C:\Documents and Settings\User\Cookies\user@t.spike[1].txt
C:\Documents and Settings\User\Cookies\user@turn[1].txt
C:\Documents and Settings\User\Cookies\user@wat.contextweb[2].txt
C:\Documents and Settings\User\err.log
C:\Documents and Settings\User\gside.exe
C:\Program Files\asks~1
C:\Program Files\asks~2
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\Yazzle1395OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\ymante~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\curity~1
C:\Program Files\dobe~1
C:\Program Files\GetModule
C:\Program Files\GetModule\avatupdate.exe
C:\Program Files\GetModule\craxupdate.exe
C:\Program Files\GetModule\dicik.gz
C:\Program Files\GetModule\GetModule20.exe
C:\Program Files\GetModule\GetModule21.exe
C:\Program Files\GetModule\GetModule23.exe
C:\Program Files\GetModule\ozadik.gz
C:\Program Files\iCheck
C:\Program Files\iCheck\iCheck.exe
C:\Program Files\iCheck\Uninstall.exe
C:\Program Files\inetget2\gimmysmileysB.exe
C:\Program Files\inetget2\psapi.dll
C:\Program Files\inetget2\rem.lock
C:\Program Files\inetget2\webhost2.exe
C:\Program Files\jalmp
C:\Program Files\jalmp\uninstall.exe
C:\Program Files\mbols~1
C:\Program Files\mcroso~1
C:\Program Files\QdrDrive
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\Program Files\sstem3~1
C:\Program Files\stem32~1
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\wnsxs~1
C:\WINDOWS\asembl~1
C:\WINDOWS\asks~1
C:\WINDOWS\asks~2
C:\WINDOWS\default.htm
C:\WINDOWS\eliteunstall.exe
C:\WINDOWS\gimmygames.dat
C:\WINDOWS\gimmygames1.dat
C:\WINDOWS\gimmygames101.dat
C:\WINDOWS\gimmygames91.dat
C:\WINDOWS\invupd.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mantec~1
C:\WINDOWS\racle~1
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\1054r.exe
C:\WINDOWS\system32\bang-006.ico
C:\WINDOWS\system32\behkj.ini
C:\WINDOWS\system32\behkj.ini2
C:\WINDOWS\system32\drivers\wasfsd.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\getsn32.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\lvrerthghywejquw.dll
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\myss_sb_uninstall.exe
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\rbeafojv.ini
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\sembly~1
C:\WINDOWS\system32\sembly~1\SEMBLY~1\ctxad-478.0000
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\slmabrddxomt.dll
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\Winwcd.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\winsysupd1.dat
C:\WINDOWS\winsysupd101.dat
C:\WINDOWS\winsysupd121.dat
C:\WINDOWS\winsysupd21.dat
C:\WINDOWS\winsysupd31.dat
C:\WINDOWS\winsysupd41.dat
C:\WINDOWS\winsysupd51.dat
C:\WINDOWS\winsysupd61.dat
C:\WINDOWS\winsysupd71.dat
C:\WINDOWS\winsysupd81.dat
C:\WINDOWS\winsysupd91.dat
C:\WINDOWS\ymbols~1
C:\WINDOWS\yoinsi.exe
C:\WINDOWS\ystem3~1
C:\zicorn001.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALGRASMAN
-------\Legacy_FOPN
-------\Legacy_WASFSD
-------\Legacy_WUAUSERVPROTECTEDSTORAGE
-------\Service_ALGRasMan
-------\Service_FOPN
-------\Service_wasfsd
-------\Service_wuauservProtectedStorage


((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-11 16:36 . 2008-09-11 16:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 16:36 . 2008-09-11 16:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-09-11 16:36 . 2008-09-11 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 16:36 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 16:36 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 16:21 . 2008-09-11 17:04 <DIR> d-------- C:\Program Files\DNA
2008-09-09 16:21 . 2008-09-09 16:21 <DIR> d-------- C:\Program Files\BitTorrent
2008-09-09 16:21 . 2008-09-11 17:04 <DIR> d-------- C:\Documents and Settings\User\Application Data\DNA
2008-09-09 16:21 . 2008-09-09 16:26 <DIR> d-------- C:\Documents and Settings\User\Application Data\BitTorrent
2008-09-09 16:07 . 2008-09-09 17:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-09-09 15:44 . 2008-09-09 15:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 16:19 . 2008-09-07 16:19 <DIR> d-------- C:\Program Files\uTorrent
2008-09-07 16:18 . 2008-09-07 16:18 85,008 --a------ C:\WINDOWS\system32\uesiuqcr.exe
2008-09-07 16:18 . 2008-09-11 14:17 8,704 --a------ C:\WINDOWS\system32\smwin32.dll
2008-08-31 22:45 . 2008-08-31 22:45 <DIR> d-------- C:\Program Files\VnrBlock
2008-08-31 22:44 . 2008-08-31 22:44 210,097 --a------ C:\WINDOWS\07cd99a5.exe
2008-08-31 22:44 . 2008-08-31 22:44 91,724 --a------ C:\WINDOWS\07cdd02d.exe
2008-08-31 22:43 . 2008-09-03 23:50 43,535 --a------ C:\Documents and Settings\Bob\~.exe
2008-08-30 21:39 . 2008-09-07 16:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-30 21:39 . 2008-08-30 21:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-14 00:00 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 21:03 --------- d-----w C:\Program Files\InetGet2
2008-08-26 16:22 --------- d-----w C:\Program Files\Google
2008-08-12 16:57 23 ----a-w C:\Documents and Settings\User\jagex_runescape_preferences.dat
2008-08-03 22:48 --------- d-----w C:\Program Files\Glove
2008-08-02 16:53 --------- d-----w C:\Documents and Settings\User\Application Data\Yahoo!
2008-07-31 18:36 --------- d-----w C:\Program Files\Yahoo!
2008-07-30 22:07 --------- d-----w C:\Program Files\PartyGaming.Net
2008-07-29 21:47 --------- d-----w C:\Program Files\MySpace
2008-07-28 21:39 --------- d-----w C:\Program Files\PartyGaming
2008-07-23 00:15 --------- d-----w C:\Program Files\Gamevance
2008-07-20 22:30 --------- d-----w C:\Program Files\Yahoo! Games
2008-07-20 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-07-20 22:17 --------- d-----w C:\Program Files\GameHouse
2008-07-19 10:30 --------- d-----w C:\Documents and Settings\Bob\Application Data\Viewpoint
2008-07-18 20:56 --------- d-----w C:\Program Files\Mystery Case Files - Prime Suspects
2008-07-14 18:38 --------- d-----w C:\Program Files\Hidden Expedition Titanic
2008-04-25 15:43 399,432 ----a-w C:\Documents and Settings\Bob\g21.exe
2008-04-24 17:18 399,438 ----a-w C:\Documents and Settings\User\g21.exe
2008-01-17 14:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-23 23:46 2,855,080 ----a-w C:\Documents and Settings\User\adaware.exe
2008-04-24 02:41 22,016 --sha-w C:\WINDOWS\system32\acctresr.dll
2008-04-24 02:41 20,480 --sha-w C:\WINDOWS\system32\amovied.dll
2006-08-31 14:38 409,600 --sha-r C:\WINDOWS\system32\l?ass.exe
.

------- Sigcheck -------

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 04:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2004-08-04 02:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-09 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Documents and Settings\Bob\Start Menu\Programs\Startup\
Glove - Auto Update.lnk - C:\Program Files\Glove\Glove.exe [2008-08-03 179606]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-02-14 155648]

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
--a------ 2008-04-30 14:37 200777 C:\WINDOWS\system32\rwinosdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{63-36-69-93-ZN}]
--a------ 2008-01-25 20:59 45084 C:\WINDOWS\system32\rndsregr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssSpkPhone]
--a------ 2002-05-31 11:34 167936 C:\WINDOWS\essspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 327040]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\system32\DRIVERS\atirtcap.sys [2001-08-17 49920]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-_{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
BHO-{2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINDOWS\system32\getsn32.dll
HKCU-Run-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-MSMSGS - C:\Program Files\Messenger\msmsgs.exe
HKCU-Run-Aim6 - C:\Program Files\AIM6\aim6.exe
HKLM-Run-vptray - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
Notify-= - (no file)
MSConfigStartUp-52056242770819447273192357165687 - C:\Program Files\AV9\av2009.exe
MSConfigStartUp-AdwareProtector - C:\Program Files\Error Safe\AdwareProtector.exe
MSConfigStartUp-BO1HelperStartUp - C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
MSConfigStartUp-DllRunning - C:\WINDOWS\system32\vjofaebr.dll
MSConfigStartUp-ErrorSafeFree - C:\Program Files\ErrorSafe Free\uers.exe
MSConfigStartUp-fwuo - C:\Program Files\Common Files\fwuo\fwuom.exe
MSConfigStartUp-gimmygames - C:\\gimmygames12.exe
MSConfigStartUp-Load - C:\WINDOWS\system32\jkheb.exe
MSConfigStartUp-MW1HelperStartUp - C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
MSConfigStartUp-Network - C:\Program Files\Network\network.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-was_check - C:\Program Files\ErrorSafe Free\PASmon.exe
MSConfigStartUp-webHancer Agent - C:\Program Files\webHancer\Programs\whagent.exe
MSConfigStartUp-winsysupd - C:\\winsysupd12.exe
MSConfigStartUp-{b8ed26d2-ae0c-b40a-6243-621da84be8e0} - C:\WINDOWS\system32\lvrerthghywejquw.dll
MSConfigStartUp-freexstyle - lockbr.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\hf4mijs5.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 17:04:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-11 17:11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-11 21:10:46

Pre-Run: 23,381,966,848 bytes free
Post-Run: 25,542,619,136 bytes free

346 --- E O F --- 2008-09-10 05:15:58
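The "Reg Loading Points" section of the ComboFix log above records the settings that explain why the machine showed no warnings: every Security Center notification and override flag set to 1, the standard-profile firewall switched off, and RDP (3389) and VNC (5900) opened globally. The script below is an added example, not part of the thread and not ComboFix code; it parses that REGEDIT4-style fragment and reports the tamper indicators a helper would check. The sample input is copied from the posted log; the key matching, the flag list and the severity labels are the example author's assumptions.

```python
"""Audit the 'Reg Loading Points' fragment of a ComboFix log.

Added example only: not part of the original thread and not ComboFix
code. Flag names and severities are the example author's assumptions.
"""
import re

# Constructed sample: lines copied from the ComboFix log posted above.
REG_SAMPLE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# Security Center values that suppress warnings or tell it "handled elsewhere".
SECURITY_CENTER_FLAGS = (
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
    "AntiVirusOverride",
    "FirewallOverride",
)


def parse_reg_points(text):
    """Return {lower-cased key path: {value name: raw value string}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value").strip()
    return keys


def reg_int(value):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' form to an int."""
    v = value.strip()
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"^(-?\d+)", v)
    return int(m.group(1)) if m else None


def audit_reg_points(keys):
    """Return (severity, reason) pairs for the tamper indicators found."""
    findings = []
    for key, values in keys.items():
        if key.endswith("\\security center"):
            for name in SECURITY_CENTER_FLAGS:
                if name in values and reg_int(values[name]) == 1:
                    findings.append(("high", f"Security Center: {name} set to 1"))
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            if reg_int(values.get("EnableFirewall", "1")) == 0:
                findings.append(("high", "Windows Firewall disabled for the standard profile"))
        elif key.endswith("\\globallyopenports\\list"):
            for name, value in values.items():
                findings.append(("info", f"firewall exception opens {name} ({value})"))
    return findings


if __name__ == "__main__":
    for severity, reason in audit_reg_points(parse_reg_points(REG_SAMPLE)):
        print(f"[{severity:4}] {reason}")
```

On the sample this reports four suppressed Security Center flags, the disabled firewall and the two open ports. The open-port entries are reported as informational rather than as findings, since a RealVNC service is legitimately installed on this machine; the point is that the reviewer sees them next to the disabled firewall.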

#4 steamwiz


Posted 11 September 2008 - 05:27 PM

HI

Please post the Malwarebytes' Anti-Malware log and the Kaspersky Online Scan report.

Also a new hijackthis log

steam

#5 steamwiz


Posted 28 September 2008 - 03:43 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam



