
Virus/malware/popups..


  • This topic is locked
4 replies to this topic

#1 Block215

Block215

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 06 October 2008 - 09:06 PM

I have some type of virus..I hope I cleaned most of it when running all them virus programs..here's the log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:05 PM, on 10/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
d:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\RUNDLL32.EXE
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\woslntyr.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
E:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\woslntyr.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Winamp Remote\bin\orbtray.exe
D:\HiJackThis.exe

O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - E:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll (file missing)
O2 - BHO: (no name) - {26381BF0-998A-4D47-B068-5B5C5D3FA6AD} - E:\WINDOWS\System32\tuvTlihe.dll (file missing)
O2 - BHO: (no name) - {37F79F37-06A1-5259-843D-51C0705183CB} - E:\WINDOWS\System32\kgxrpzc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - D:\Program Files\OINAnalytics\OINAnalytics1.dll (file missing)
O2 - BHO: (no name) - {b81c0460-4eae-4e7b-a8ab-cd2eab22294d} - E:\WINDOWS\System32\bejfrk.dll
O2 - BHO: (no name) - {D88E1558-7C2D-407A-953A-C044F5607CEA} - (no file)
O2 - BHO: (no name) - {D9836194-79AE-462B-A572-642D4CD3EE25} - (no file)
O2 - BHO: innbanner browser enhancer - {dc297ed2-5668-c6ee-91b6-74edb1c8e6c0} - E:\WINDOWS\System32\yqlhftsbnvuaie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lrknhvqctytgzbicd] E:\WINDOWS\System32\regsvr32.exe /s "E:\WINDOWS\System32\yqlhftsbnvuaie.dll"
O4 - HKLM\..\Run: [BM87c30181] Rundll32.exe "E:\WINDOWS\System32\rtrlneei.dll",s
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpeedRunner] E:\Documents and Settings\Block\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SfKg6wIP] E:\Documents and Settings\Block\Application Data\Microsoft\Windows\jdgtg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] d:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1199] command /c del "E:\Documents and Settings\Block\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223099178202
O16 - DPF: {DD697277-FCE6-4517-8B59-A6A92FDB08D3} - ms-its:mhtml:file://c:\\nores.mht!http://ssa.adxdnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - AppInit_DLLs: bejfrk.dll
O20 - Winlogon Notify: !SASWinLogon - d:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - d:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CSIScanner - Prevx - D:\woslntyr.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6386 bytes
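One way to read a log like the one above without eyeballing every line, written here as an added example that is not part of the original post and is not code from Trend Micro, HijackThis or ComboFix: a small Python triage script that scores a few O2/O4/O20/O23 lines copied from the log. The name-randomness thresholds, the loader allowlist and the "odd location" rule are assumptions of this example, so a flagged line is a review candidate for the helper, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: eight lines copied from the HijackThis log above.
# A real run would pass the whole saved log file instead.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {b81c0460-4eae-4e7b-a8ab-cd2eab22294d} - E:\WINDOWS\System32\bejfrk.dll
O4 - HKLM\..\Run: [lrknhvqctytgzbicd] E:\WINDOWS\System32\regsvr32.exe /s "E:\WINDOWS\System32\yqlhftsbnvuaie.dll"
O4 - HKCU\..\Run: [SfKg6wIP] E:\Documents and Settings\Block\Application Data\Microsoft\Windows\jdgtg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: bejfrk.dll
O23 - Service: CSIScanner - Prevx - D:\woslntyr.exe
"""

# Any "stem.ext" token that could be a loaded module or program.
EXE_RE = re.compile(r"([A-Za-z0-9_~-]+)\.(dll|exe|ocx|sys)\b", re.IGNORECASE)
# A program sitting directly in the root of a drive, e.g. D:\woslntyr.exe.
DRIVE_ROOT_RE = re.compile(r"(?<![\\\w])[A-Za-z]:\\[A-Za-z0-9_~-]+\.(?:exe|dll)", re.IGNORECASE)
# Assumption: well-known Windows host binaries that legitimately appear as the
# loader in a Run entry; the module they load is what gets inspected instead.
LOADER_ALLOWLIST = {"rundll32", "regsvr32", "svchost"}
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Coarse heuristic for machine-generated names such as bejfrk or
    yqlhftsbnvuaie: a long run of consonants, or a shorter run with very few
    vowels overall. Thresholds are assumptions; expect some false positives
    on vendor abbreviations."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)
    return longest_run >= 5 or (longest_run >= 4 and vowel_ratio <= 0.25)


@dataclass
class Finding:
    line_no: int
    section: str
    reasons: list
    text: str


def triage(log_text: str) -> list:
    """Return one Finding per log line that deserves a second look."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        section = line.split(" - ", 1)[0]
        reasons = []
        # Stale entries: harmless by themselves, but they show what used to run.
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("orphan: entry points at a file that no longer exists")
        # AppInit_DLLs is loaded into every process that links user32.dll.
        if section == "O20" and line.partition("AppInit_DLLs:")[2].strip():
            reasons.append("appinit: DLL loaded into every process that links user32")
        for stem, ext in EXE_RE.findall(line):
            if stem.lower() not in LOADER_ALLOWLIST and looks_random(stem):
                reasons.append(f"random-name: {stem}.{ext}")
        # Autostarts and services normally live under Program Files or WINDOWS.
        if section in ("O4", "O23") and ("\\Application Data\\" in line or DRIVE_ROOT_RE.search(line)):
            reasons.append("odd-location: autostart from a user profile or a drive root")
        if reasons:
            findings.append(Finding(n, section, reasons, line))
    return findings


def report(findings: list) -> str:
    """Human-readable summary, one block per flagged line."""
    out = []
    for f in findings:
        out.append(f"line {f.line_no} [{f.section}] {f.text}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample, the Spybot entries pass clean while the System32 DLLs with unpronounceable names, the AppInit_DLLs entry and the drive-root service are the ones surfaced; a full log is triaged the same way with `triage(open(path).read())`.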



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:37 PM

Posted 07 October 2008 - 12:24 AM

Hello Block215,

Welcome to Bleeping Computer :)

Still quite a bit to do here. :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Block215

Block215
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 07 October 2008 - 09:43 PM

wow, nice program, the stuff you were saying about it killing your comp had me scared of it..lol here's that log and the HJT

thanks for the help btw.


ComboFix 08-10-07.06 - Block 2008-10-07 22:37:30.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.776 [GMT -4:00]
Running from: D:\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Documents and Settings\Block\Application Data\YSTEM~1
E:\WINDOWS\system32\danfephw.ini
E:\WINDOWS\system32\ehilTvut.ini
E:\WINDOWS\system32\ehilTvut.ini2
E:\WINDOWS\system32\MSINET.oca
E:\WINDOWS\system32\opurtxyq.ini
E:\WINDOWS\system32\rbheytch.dll
E:\WINDOWS\system32\tmxxgreu.ini
E:\WINDOWS\ystem3~1
E:\WINDOWS\ystem3~1\?ystem32\
E:\WINDOWS\ystem3~1\winspool.exe
G:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-09-08 to 2008-10-08  )))))))))))))))))))))))))))))))
.

2008-10-07 00:30 . 2005-12-10 04:16	180,224	--a------	E:\WINDOWS\system32\NVUNINST.EXE
2008-10-07 00:09 . 2008-10-07 00:10	<DIR>	d--------	E:\WINDOWS\NV9401208.TMP
2008-10-07 00:08 . 2008-10-07 00:08	<DIR>	d--------	E:\WINDOWS\LastGood
2008-10-07 00:08 . 2007-09-16 13:07	6,853,088	-ra------	E:\WINDOWS\system32\drivers\nv4_mini.sys
2008-10-07 00:08 . 2007-09-16 13:07	6,853,088	--a--c---	E:\WINDOWS\system32\dllcache\nv4_mini.sys
2008-10-07 00:08 . 2007-09-16 13:07	6,746,112	-ra------	E:\WINDOWS\system32\nvoglnt.dll
2008-10-07 00:08 . 2007-09-16 13:07	5,783,040	-ra------	E:\WINDOWS\system32\nv4_disp.dll
2008-10-07 00:08 . 2007-09-16 13:07	5,783,040	--a--c---	E:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-10-07 00:08 . 2007-09-16 13:07	364,544	-ra------	E:\WINDOWS\system32\nvapi.dll
2008-10-07 00:08 . 2007-09-16 13:07	155,716	-ra------	E:\WINDOWS\system32\nvsvc32.exe
2008-10-07 00:04 . 2008-10-07 00:04	<DIR>	d--------	d:\Program Files\common files\InstallShield
2008-10-06 23:37 . 2008-10-06 23:37	<DIR>	d--------	E:\WINDOWS\system32\AGEIA
2008-10-06 23:37 . 2008-10-06 23:37	<DIR>	d--------	D:\Program Files\AGEIA Technologies
2008-10-06 23:33 . 2008-10-06 23:33	<DIR>	d--------	E:\Documents and Settings\Block\Application Data\SystemRequirementsLab
2008-10-06 23:33 . 2008-10-06 23:33	<DIR>	d--------	D:\Program Files\SystemRequirementsLab
2008-10-06 23:33 . 2008-10-06 23:33	984	--a------	E:\WINDOWS\system32\d3d8caps.dat
2008-10-06 23:24 . 2008-10-06 23:24	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-10-06 22:18 . 2008-10-06 22:17	102,664	--a------	E:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-06 16:47 . 2008-10-06 16:48	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-10-06 16:47 . 2008-10-06 16:48	<DIR>	d--------	D:\Program Files\Winamp Remote
2008-10-06 16:47 . 2008-10-06 16:47	316,640	--a------	E:\WINDOWS\WMSysPr9.prx
2008-10-06 16:45 . 2008-10-06 16:48	<DIR>	d--------	E:\Documents and Settings\Block\Application Data\Winamp
2008-10-06 12:44 . 2008-10-06 12:44	<DIR>	d--------	D:\Program Files\Microsoft ActiveSync
2008-10-06 12:41 . 2008-10-06 12:41	<DIR>	d--------	D:\Program Files\IM+ 5.35 for PocketPC
2008-10-06 12:34 . 2008-10-06 12:34	<DIR>	d--------	D:\Program Files\Alarm
2008-10-06 12:34 . 2000-05-21 23:00	647,872	--a------	E:\WINDOWS\system32\mscomct2.ocx
2008-10-06 12:34 . 2000-05-21 23:00	140,488	--a------	E:\WINDOWS\system32\comdlg32.ocx
2008-10-06 12:34 . 2007-04-29 23:24	61,440	--a------	E:\WINDOWS\system32\digitbox.ocx
2008-10-06 12:26 . 2008-10-06 12:27	<DIR>	d--------	D:\Program Files\Nero
2008-10-06 12:26 . 2008-10-06 12:27	<DIR>	d--------	d:\Program Files\common files\Ahead
2008-10-05 19:27 . 2008-10-05 19:27	<DIR>	d--------	E:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-05 18:25 . 2008-10-05 18:25	<DIR>	d--------	E:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-05 18:20 . 2008-10-05 18:23	1,400	--a------	E:\WINDOWS\system32\tmp.reg
2008-10-05 18:16 . 2008-10-05 18:16	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-05 18:15 . 2008-10-05 18:15	<DIR>	d--------	E:\Documents and Settings\Block\Application Data\SUPERAntiSpyware.com
2008-10-05 18:15 . 2008-10-05 18:15	<DIR>	d--------	E:\Documents and Settings\Block\Application Data\Malwarebytes
2008-10-05 18:15 . 2008-10-05 18:15	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-05 18:15 . 2008-10-05 18:15	<DIR>	d--------	D:\Program Files\SUPERAntiSpyware
2008-10-05 18:15 . 2008-10-05 18:15	<DIR>	d--------	D:\Program Files\Malwarebytes' Anti-Malware
2008-10-05 18:15 . 2008-09-08 00:11	38,528	--a------	E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 18:15 . 2008-09-08 00:11	17,200	--a------	E:\WINDOWS\system32\drivers\mbam.sys
2008-10-05 17:08 . 2008-10-07 09:29	<DIR>	d--------	E:\Documents and Settings\Block\.housecall6.6
2008-10-05 17:07 . 2008-10-05 17:07	<DIR>	d--------	E:\WINDOWS\Sun
2008-10-05 17:06 . 2008-10-05 17:06	<DIR>	d--------	D:\Program Files\Panda Security
2008-10-05 17:05 . 2008-06-10 02:32	73,728	--a------	E:\WINDOWS\system32\javacpl.cpl
2008-10-05 17:02 . 2008-10-05 17:04	<DIR>	d--------	D:\Program Files\Java
2008-10-05 17:02 . 2008-10-05 17:02	<DIR>	d--------	d:\Program Files\common files\Java
2008-10-05 16:29 . 2008-10-05 16:29	<DIR>	d--------	D:\Program Files\Lavasoft
2008-10-05 16:29 . 2008-10-06 23:36	<DIR>	d--------	d:\Program Files\common files\Wise Installation Wizard
2008-10-05 15:44 . 2008-10-07 00:00	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-05 15:44 . 2008-10-07 00:02	<DIR>	d--------	D:\Program Files\Spybot - Search & Destroy
2008-10-05 15:38 . 2008-10-05 15:38	13,282	--a------	E:\WINDOWS\Ascd_tmp.ini
2008-10-05 15:30 . 2008-10-05 15:30	<DIR>	d--------	E:\WINDOWS\qwof
2008-10-05 02:00 . 2008-10-05 10:52	<DIR>	d--------	E:\Documents and Settings\Block\DoctorWeb
2008-10-05 01:49 . 2008-10-05 01:49	<DIR>	d--------	D:\Program Files\microsoft frontpage
2008-10-04 22:21 . 2008-10-07 00:03	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-10-04 16:52 . 2008-10-04 16:52	<DIR>	d--h-----	E:\WINDOWS\PIF
2008-10-04 16:52 . 2008-10-04 16:52	16	--a------	E:\WINDOWS\system32\coh.cache
2008-10-04 16:37 . 2008-10-05 14:46	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\Symantec
2008-10-04 16:27 . 2008-10-04 16:27	<DIR>	d--h-----	E:\WINDOWS\system32\GroupPolicy
2008-10-04 16:00 . 2008-10-04 16:00	<DIR>	d--------	E:\Documents and Settings\Block\Application Data\Ahead
2008-10-04 15:55 . 2008-10-04 15:55	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\Nero
2008-10-04 14:46 . 2008-10-04 14:46	<DIR>	d--------	E:\Documents and Settings\Administrator\Application Data\vlc
2008-10-04 14:40 . 2008-10-05 01:40	<DIR>	d--------	E:\Documents and Settings\Administrator
2008-10-04 14:30 . 2004-07-26 16:16	1,568,768	--a------	E:\WINDOWS\system32\imagX7.dll
2008-10-04 14:30 . 2003-03-19 06:20	1,060,864	--a------	E:\WINDOWS\system32\mfc71.dll
2008-10-04 14:30 . 2003-03-18 20:12	1,047,552	--a------	E:\WINDOWS\system32\mfc71u.dll
2008-10-04 14:30 . 2003-03-18 22:14	499,712	--a------	E:\WINDOWS\system32\msvcp71.dll
2008-10-04 14:30 . 2004-07-26 16:16	476,320	--a------	E:\WINDOWS\system32\imagXpr7.dll
2008-10-04 14:30 . 2004-07-26 16:16	471,040	--a------	E:\WINDOWS\system32\imagXRA7.dll
2008-10-04 14:30 . 2004-07-09 08:43	364,544	--a------	E:\WINDOWS\system32\TwnLib4.dll
2008-10-04 14:30 . 2004-07-26 16:16	262,144	--a------	E:\WINDOWS\system32\imagXR7.dll
2008-10-04 14:02 . 2008-10-04 14:02	9,662	--a------	E:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-10-04 14:02 . 2008-10-04 14:02	4,286	--a------	E:\WINDOWS\system32\Jamster.ico
2008-10-04 13:35 . 2004-07-09 04:27	363,520	--a------	E:\WINDOWS\system32\SET8D9.tmp
2008-10-04 13:35 . 2002-12-12 00:14	4,096	--a------	E:\WINDOWS\system32\SET978.tmp
2008-10-04 13:34 . 2008-10-04 13:34	<DIR>	d--------	E:\WINDOWS\Logs
2008-10-04 12:52 . 2008-10-04 12:52	0	--a------	E:\WINDOWS\nsreg.dat
2008-10-04 05:14 . 2008-10-05 16:27	714	--a------	E:\WINDOWS\wininit.ini
2008-10-04 03:17 . 2008-10-06 13:04	<DIR>	d--------	E:\Documents and Settings\Block\Application Data\vlc
2008-10-04 03:09 . 2008-10-04 03:10	<DIR>	d--------	E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-04 03:08 . 2008-10-04 03:08	<DIR>	d--------	E:\Documents and Settings\Block\Application Data\IUpd721
2008-10-04 03:04 . 2006-10-10 23:33	10,288	--a------	E:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-10-04 03:04 . 2004-08-12 04:00	5,810	-ra------	E:\WINDOWS\system32\drivers\ASACPI.sys
2008-10-04 03:02 . 2008-10-04 03:16	<DIR>	d--------	E:\WINDOWS\system32\pet
2008-10-04 03:02 . 2008-10-05 00:16	<DIR>	d--------	E:\WINDOWS\system32\PAD6
2008-10-04 03:02 . 2008-10-04 03:16	<DIR>	d--------	E:\WINDOWS\system32\icon2
2008-10-04 03:02 . 2008-10-04 03:02	<DIR>	d--------	E:\WINDOWS\system32\EV19
2008-10-04 03:02 . 2008-10-04 03:02	<DIR>	d--------	E:\WINDOWS\system32\bak
2008-10-04 03:02 . 2008-10-05 16:50	<DIR>	d--hs----	E:\WINDOWS\QmxvY2s
2008-10-04 02:52 . 2008-10-04 02:52	<DIR>	d--------	E:\WINDOWS\system32\Lang
2008-10-04 02:52 . 2008-10-04 02:52	940,794	--a------	E:\WINDOWS\system32\LoopyMusic.wav
2008-10-04 02:52 . 2008-10-04 02:52	146,650	--a------	E:\WINDOWS\system32\BuzzingBee.wav
2008-10-04 02:49 . 2008-10-04 02:49	<DIR>	d---s----	E:\WINDOWS\system32\Microsoft
2008-10-04 02:37 . 2008-10-04 02:37	<DIR>	d--------	E:\WINDOWS\Downloaded Installations
2008-10-04 02:37 . 2008-10-04 02:37	<DIR>	d--h-----	E:\WINDOWS\$hf_mig$
2008-10-04 02:37 . 2005-10-20 20:25	29,696	---------	E:\WINDOWS\system32\drivers\rndismpx.sys
2008-10-04 02:37 . 2005-10-20 20:25	29,696	-----c---	E:\WINDOWS\system32\dllcache\rndismpx.sys
2008-10-04 02:37 . 2005-10-20 20:25	12,032	---------	E:\WINDOWS\system32\drivers\usb8023x.sys
2008-10-04 02:37 . 2005-10-20 20:25	12,032	-----c---	E:\WINDOWS\system32\dllcache\usb8023x.sys
2008-10-04 02:20 . 2008-10-05 02:37	<DIR>	d--------	E:\WINDOWS\system32\RTCOM
2008-10-04 02:20 . 2001-08-17 22:37	22,016	--a------	E:\WINDOWS\system32\wdmaud.drv
2008-10-04 02:20 . 2001-08-17 22:36	4,096	--a------	E:\WINDOWS\system32\OLD99E.tmp
2008-10-04 02:19 . 2007-09-27 14:20	16,844,800	--a------	E:\WINDOWS\RTHDCPL.exe
2008-10-04 02:19 . 2007-07-26 17:09	520,192	--a------	E:\WINDOWS\RtlExUpd.dll
2008-10-04 02:19 . 2006-08-18 06:58	282,624	--a------	E:\WINDOWS\system32\RTSndMgr.cpl
2008-10-04 02:19 . 2004-11-18 10:42	22,752	--a------	E:\WINDOWS\system32\spupdsvc.exe
2008-10-04 02:14 . 2008-10-04 02:14	<DIR>	d--------	E:\WINDOWS\ServicePackFiles
2008-10-04 02:14 . 2008-10-04 02:14	<DIR>	d--------	E:\WINDOWS\ehome
2008-10-04 02:06 . 2002-08-29 06:41	1,677,312	--a------	E:\WINDOWS\system32\wmvcore2.dll
2008-10-04 02:05 . 2005-05-04 14:45	2,890,240	--a------	E:\WINDOWS\system32\msi.dll
2008-10-04 02:04 . 2002-04-22 21:18	766,934	--a------	E:\WINDOWS\system32\instcat.sql
2008-10-04 02:03 . 2002-08-29 06:40	1,172,992	--a------	E:\WINDOWS\system32\comsvcs.dll
2008-10-04 01:56 . 2008-10-04 01:56	315,392	--a------	E:\WINDOWS\HideWin.exe
2008-10-04 01:50 . 2008-10-06 23:58	<DIR>	d--------	E:\WINDOWS\nview
2008-10-04 01:50 . 2007-09-17 01:07	290,816	--a------	E:\WINDOWS\system32\nvwrsth.dll
2008-10-04 01:47 . 2008-10-04 01:47	<DIR>	d--------	E:\WINDOWS\system32\bits
2008-10-04 01:45 . 2008-10-04 01:45	<DIR>	d---s----	E:\Documents and Settings\Block\UserData
2008-10-04 01:41 . 2008-10-06 23:56	<DIR>	d--hs----	E:\WINDOWS\Installer
2008-10-04 01:40 . 2008-10-05 17:08	<DIR>	d--------	E:\Documents and Settings\Block
2008-10-04 01:39 . 2008-10-04 03:09	<DIR>	d--hs----	E:\Documents and Settings\NetworkService
2008-10-04 01:39 . 2008-10-05 15:41	<DIR>	d--hs----	E:\Documents and Settings\LocalService
2008-10-04 01:39 . 2008-10-04 01:39	8,192	--a------	E:\WINDOWS\REGLOCS.OLD
2008-10-04 01:36 . 2001-08-23 08:00	10,129,408	--a--c---	E:\WINDOWS\system32\dllcache\hwxkor.dll
2008-10-04 01:35 . 2001-08-23 08:00	13,463,552	--a--c---	E:\WINDOWS\system32\dllcache\hwxjpn.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 20:48	---------	d-----w	D:\Program Files\Winamp
2008-10-05 18:37	---------	d-----w	D:\Program Files\Real
2008-10-05 18:35	---------	d-----r	D:\Program Files\BDE
2008-10-01 19:51	87,552	----a-w	E:\WINDOWS\system32\VACFix.exe
2008-09-19 16:26	82,944	----a-w	E:\WINDOWS\system32\o4Patch.exe
2008-09-19 16:26	82,944	----a-w	E:\WINDOWS\system32\IEDFix.C.exe
2008-09-09 03:38	88,576	----a-w	E:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-04 13:31	288,024	----a-w	E:\WINDOWS\system32\PhysXCplUI.exe
2008-09-04 01:51	---------	d-----w	D:\Program Files\VideoLAN
2008-08-29 12:57	70,936	----a-w	E:\WINDOWS\system32\PhysXLoader.dll
2008-08-18 16:19	82,432	----a-w	E:\WINDOWS\system32\404Fix.exe
2008-07-19 02:10	94,920	----a-w	E:\WINDOWS\system32\cdm.dll
2008-07-19 02:10	53,448	----a-w	E:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10	45,768	----a-w	E:\WINDOWS\system32\wups2.dll
2008-07-19 02:10	36,552	----a-w	E:\WINDOWS\system32\wups.dll
2008-07-19 02:09	563,912	----a-w	E:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09	325,832	----a-w	E:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09	1,811,656	----a-w	E:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:08	205,000	----a-w	E:\WINDOWS\system32\wuweb.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"NvCplDaemon"="E:\WINDOWS\System32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="E:\WINDOWS\System32\NvMcTray.dll" [2007-09-16 81920]
"nwiz"="nwiz.exe" [2007-09-16 E:\WINDOWS\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 d:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 D:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-08-29 06:41 1511453 E:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2007-09-16 13:07 1626112 E:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-09-27 14:20 16844800 E:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-08-03 13:22 1826816 E:\WINDOWS\SkyTel.exe

S1 fastfatt;fastfatt;E:\WINDOWS\System32\drivers\fastfatt.sys [ ]

*Newly Created Service* - CATCHME
*Newly Created Service* - NVSVC
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
"E:\WINDOWS\System32\rundll32.exe" "E:\Program Files\Messenger\msgsc.dll",ShowIconsUser
.
- - - - ORPHANS REMOVED - - - -

BHO-{26381BF0-998A-4D47-B068-5B5C5D3FA6AD} - E:\WINDOWS\System32\tuvTlihe.dll
BHO-{D9836194-79AE-462B-A572-642D4CD3EE25} - (no file)
HKLM-Run-lrknhvqctytgzbicd - E:\WINDOWS\System32\yqlhftsbnvuaie.dll
HKLM-Run-BM87c30181 - E:\WINDOWS\System32\rtrlneei.dll
MSConfigStartUp-02251998681967412596030547708200 - E:\Program Files\Antivirus 2009\av2009.exe
MSConfigStartUp-VnrBlock21 - E:\Program Files\VnrBlock\VnrBlock21.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Block\Application Data\Mozilla\Firefox\Profiles\nydwmzir.default\
FF -: plugin - E:\Program Files\Windows Media Player\npdrmv2.dll
FF -: plugin - E:\Program Files\Windows Media Player\npdsplay.dll
FF -: plugin - E:\Program Files\Windows Media Player\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 22:39:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-07 22:40:44
ComboFix-quarantined-files.txt  2008-10-08 02:40:42

Pre-Run: 676,806,656 bytes free
Post-Run: 775,450,624 bytes free

234


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:54 PM, on 10/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
d:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MICROS~1\rapimgr.exe
E:\WINDOWS\System32\taskmgr.exe
E:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Alarm\Alarm.exe
E:\WINDOWS\system32\notepad.exe
E:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - E:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223099178202
O16 - DPF: {DD697277-FCE6-4517-8B59-A6A92FDB08D3} - ms-its:mhtml:file://c:\\nores.mht!http://ssa.adxdnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - d:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - d:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4654 bytes


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:37 PM

Posted 08 October 2008 - 03:47 AM

Hello,

Yes, it is. But it's very powerful and there's much more to it than meets the eye.

How is it running now please? Do you still have MBAM? If so, could you run a quick scan with it and post the report please? :thumbsup:

Thanks,
tea

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:37 PM

Posted 02 November 2008 - 09:54 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



