
Super Infected With Win32.Adware.Cinmus


This topic is locked
39 replies to this topic

#1 Jestman

Posted 16 October 2008 - 02:09 PM

Hi,
This virus constantly opens up Chinese websites and installs all types of weird programs including but not restricted to: Vonine.exe, PBHealth, SpoolSV, PlayerKM, WoKuTo, IEKoolK, ieaspi, Counter.exe, and a few other programs in Chinese that show up in my program files and start menu.
I have searched and tried everything on this site and it still will not go away.
Please review and advise!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:01 AM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\8hfa.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\qqshel.exe
C:\WINDOWS\RavNT.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\RavNT.exe
C:\WINDOWS\360safe.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vonine.exe
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\sebs\pbhealth.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Invoke Class - {B7CD4A03-A3BB-42c0-A5FF-B635DE07BCDA} - C:\WINDOWS\system32\dhg8.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [RavMonS] C:\WINDOWS\soni.exe
O4 - HKLM\..\Run: [360] C:\WINDOWS\360safe.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [622b] rundll32 "C:\WINDOWS\Downlo~1\622b.dll",Run
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5543 bytes

Edited by Jestman, 17 October 2008 - 02:39 AM.


#2 Jestman

Posted 17 October 2008 - 02:23 AM

Can anyone please help?
I can't continue my work until I can get my computer stable.

#3 chryssi2001

Posted 27 October 2008 - 09:05 AM

Hello Jestman,

I apologise for the delay, the forum is very busy.

If you still need help, post a new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#4 Jestman

Posted 27 October 2008 - 07:47 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:55 PM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RavNT.exe
C:\WINDOWS\qqshel.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\8kfa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vonine.exe
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\sebs\pbhealth.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [622b] rundll32 "C:\WINDOWS\Downlo~1\622b.dll",Run
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5487 bytes


It's fine, I understand there are hundreds of thousands of people looking to clean their computers from viruses. I've managed to sort of quarantine the problem using Spybot and Sygate firewall. This unfortunately slows my computer quite significantly. I'm hoping to totally clean my computer so that I may run at 100 percent once again. Thank you for your help.

#5 chryssi2001

Posted 28 October 2008 - 01:14 AM

Hello Jestman,

MSIE: Unable to get Internet Explorer version!

Do you use IE8?
----------------------------------------------
No wonder you are so terribly infected.

You do not have an anti-virus on your PC.

Please install one immediately, update and run it, and let it remove/quarantine what it finds.
----------------------------------------------
You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.
----------------------------------------------
After running your anti-virus, some of the files I want you to upload to Jotti may not be found; please continue with the rest.

As I want you to upload 3 files, you might find it convenient to copy/paste the Jotti results for each file into Notepad until all 3 are scanned, and then post them all together back here.

Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\WINDOWS\qqshel.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Follow the same instructions and upload these 2 files too:

C:\WINDOWS\system32\8kfa.exe
C:\WINDOWS\Downlo~1\622b.dll

----------------------------------------------
Post back:
A new HijackThis log.
Jotti results, for each file found.
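The helper above picks three entries out of the HijackThis log by eye: the executable appended to UserInit, the Policies\Explorer\Run autorun, and Run entries pointing straight into C:\WINDOWS. The script below is an added illustration (not a BleepingComputer or HijackThis tool) that parses lines in that log format and surfaces the same kinds of entries for a human to review; the sample lines are constructed from the log posted above, and the rules are heuristics, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis log posted above (a subset of its lines).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vonine.exe
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\sebs\pbhealth.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RavMonS] C:\WINDOWS\soni.exe
O4 - HKLM\..\Policies\Explorer\Run: [622b] rundll32 "C:\WINDOWS\Downlo~1\622b.dll",Run
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
""".strip()


@dataclass
class Finding:
    kind: str    # HijackThis section prefix, e.g. "F2" or "O4"
    level: str   # "suspect" (worth asking about) or "review" (informational)
    reason: str
    line: str


# "Section - body" shape of every HijackThis entry line.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First absolute path ending in .exe/.dll; stops at quotes and commas.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll)', re.IGNORECASE)
# The only value UserInit normally carries on Windows XP.
USERINIT_NORMAL = r"c:\windows\system32\userinit.exe"


def first_path(body: str):
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def triage_line(line: str):
    """Return a Finding for one log line, or None when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "F2" and "UserInit=" in body:
        # Anything appended after userinit.exe runs at every logon (vonine.exe above).
        value = body.split("UserInit=", 1)[1]
        entries = [e.strip().lower() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e != USERINIT_NORMAL]
        if extra:
            return Finding(kind, "suspect", "extra UserInit executable: " + ", ".join(extra), line)
        return None

    if kind == "R0":
        # A hijacked start page is the most visible symptom; always surface it for review.
        return Finding(kind, "review", "start page is " + body.split("=", 1)[1].strip(), line)

    path = first_path(body)
    if kind == "O4":
        if "policies\\explorer\\run" in body.lower():
            # Policy-driven autoruns are rarely used by legitimate software.
            return Finding(kind, "suspect", "autorun via Policies\\Explorer\\Run", line)
        if path and parent_dir(path) == r"c:\windows":
            # soni.exe, 360safe.exe and qqshel.exe in the log all sit directly in C:\WINDOWS.
            return Finding(kind, "suspect", "autorun executable directly in C:\\WINDOWS", line)

    if kind == "O2" and path and not parent_dir(path).startswith(r"c:\program files"):
        # Heuristic only: legitimate BHOs usually install under Program Files.
        return Finding(kind, "review", "BHO loaded from outside Program Files", line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole pasted log and keep the hits, in log order."""
    return [f for f in (triage_line(entry) for entry in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level}] {f.kind}: {f.reason}\n    {f.line}")
```

Paste a full log into `triage()` and the Program Files and O23 lines stay quiet, while the UserInit, Policies\Explorer\Run and C:\WINDOWS-rooted entries come back for a second look.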

#6 Jestman

Posted 28 October 2008 - 05:30 PM

File: qqshel.exe
Status:
INFECTED/MALWARE
MD5: c35ef46cfd0a6d45a65ed4fd8d7e0ed6
Packers detected:
-
Scanner results
Scan taken on 28 Oct 2008 22:22:03 (GMT)
A-Squared
Found Trojan.Win32.BHO.ejw!IK
AntiVir
Found HEUR/Malware
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.744105
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found Trojan.Win32.BHO.ejw
Kaspersky Anti-Virus
Found nothing
NOD32
Found a variant of Win32/Agent.NXB
Norman Virus Control
Found nothing
Panda Antivirus
Found Generic
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


File: 8kfa.exe
Status:
INFECTED/MALWARE
MD5: 515dcd0cbd197fa28885df6e0b8dbc6d
Packers detected:
-
Scanner results
Scan taken on 28 Oct 2008 22:24:42 (GMT)
A-Squared
Found Trojan.Win32.Jhee.V!IK
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Adware:W32/DesktopMedia.F, Trojan.Win32.BHO.hor
G DATA
Found nothing
Ikarus
Found Trojan.Win32.Jhee.V
Kaspersky Anti-Virus
Found Trojan.Win32.BHO.hor
NOD32
Found a variant of Win32/BHO.NCY
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


File: 622b.dll
Status:
INFECTED/MALWARE
MD5: e9389d11dc24b129d7dcf23180ad31e1
Packers detected:
-
Scanner results
Scan taken on 28 Oct 2008 22:28:17 (GMT)
A-Squared
Found Virus.Win32.Agent.GRW!IK
AntiVir
Found TR/Agent.49152
ArcaVir
Found nothing
Avast
Found Win32:Agent-GRW
AVG Antivirus
Found nothing
BitDefender
Found Adware.BDSearch.1
ClamAV
Found nothing
CPsecure
Found Troj.Downloader.W32.Agent.ajwu
Dr.Web
Found Trojan.DownLoader.origin
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Agent.ajwu
G DATA
Found nothing
Ikarus
Found Virus.Win32.Agent.GRW
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.ajwu
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.KGAT
Panda Antivirus
Found nothing
Sophos Antivirus
Found Sus/Behav-1012 (probable variant)
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.Win32.Agent.ajwu



Anti-virus is up and running now. I thought that Sygate and Spybot would be enough, but thank you for the anti-virus info.
Oh and I uninstalled IE for now because it kept opening windows from there. Should I reinstall IE?

Edited by Jestman, 28 October 2008 - 05:32 PM.


#7 chryssi2001

Posted 29 October 2008 - 07:23 AM

Hello Jestman,

Thank you for the Jotti results.

Anti-virus is up and running now. I thought that Sygate and Spybot would be enough, but thank you for the anti-virus info.

You are welcome.

I would like you to post a new HijackThis log, so I can see whether your newly installed antivirus removed some of the infection, and I will know how to proceed.

Oh and I uninstalled IE for now because it kept opening windows from there. Should I reinstall IE?

Not necessarily if you wish not to use it, but having 2 browsers is not a bad idea.
I have both FF and IE on my pc.
Windows kept opening due to the infections.

#8 Jestman

Posted 29 October 2008 - 07:44 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:04 PM, on 10/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\8lfa.exe
C:\WINDOWS\qqshel.exe
C:\WINDOWS\RavNT.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\nDoors\Atlantica\Atlantica.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vonine.exe
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\sebs\pbhealth.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [622b] rundll32 "C:\WINDOWS\Downlo~1\622b.dll",Run
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6140 bytes

#9 chryssi2001

Posted 30 October 2008 - 07:50 AM

Hello Jestman,

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
Download ComboFix from one of these locations:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this topic if you need help to disable your protection programs.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a HijackThis log so we can continue cleaning the system.

#10 Jestman

Posted 30 October 2008 - 06:53 PM

ComboFix 08-10-30.09 - DoOoMo! 2008-10-30 16:41:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1584 [GMT -7:00]
Running from: C:\Documents and Settings\DoOoMo!\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\2005.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\2145.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\cpush.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\YiqilaiLyrics_2001.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\obj\wmpobj.sys
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\webbrowser_2145.dll
C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\a1829.dat
C:\Documents and Settings\All Users\Application Data\t\b1829.dat
C:\Documents and Settings\All Users\Application Data\t\k1829.dat
C:\Documents and Settings\All Users\Application Data\t\p1829.dat
C:\Documents and Settings\All Users\Application Data\t\r1829.dat
C:\Documents and Settings\All Users\Start Menu\Internet Explorer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Explorer.lnk
C:\Documents and Settings\DoOoMo!\Favorites\一起来音乐社区.url
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\__fdkfjfjgjitijk
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_inifiletime3
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_inimac
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC\3003
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC\3004
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC\3015
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC\3018
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC\3019
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC\3043
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_KC\3056
C:\Documents and Settings\DoOoMo!\Local Settings\Temporary Internet Files\_loaderfiletime2
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\_inimac
C:\Internet Explorer.lnk
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\PushWare
C:\Program Files\Common Files\PushWare\cpush.dll
C:\Program Files\Common Files\PushWare\Uninst.exe
C:\Program Files\zzToolBar
C:\Program Files\zzToolBar\Toolbar_bho.dll.old
C:\text.txt
C:\WINDOWS\5lc1.exe
C:\WINDOWS\6ld5.bmp
C:\WINDOWS\AntiEng.dll
C:\WINDOWS\avtapit.dll
C:\WINDOWS\Downloaded Program Files.\622ac.dll
C:\WINDOWS\Downloaded Program Files.\622b.dll
C:\WINDOWS\Downloaded Program Files.\olgd5y.dll
C:\WINDOWS\ias.dll
C:\WINDOWS\icpb.dll
C:\WINDOWS\MayaBaby
C:\WINDOWS\MayaBaby\go.exe
C:\WINDOWS\MayaBaby\ri.dat
C:\WINDOWS\mspcexp.dll
C:\WINDOWS\MsWino.dat
C:\WINDOWS\MSWMPlayer.exe
C:\WINDOWS\qqshel.exe
C:\WINDOWS\RavNT.exe
C:\WINDOWS\sebs
C:\WINDOWS\soni.exe
C:\WINDOWS\sv.dat
C:\WINDOWS\sv.ini
C:\WINDOWS\system32\0.ext
C:\WINDOWS\system32\1.ext
C:\WINDOWS\system32\10.ext
C:\WINDOWS\system32\11.ext
C:\WINDOWS\system32\12.ext
C:\WINDOWS\system32\13.ext
C:\WINDOWS\system32\3.ext
C:\WINDOWS\system32\4.ext
C:\WINDOWS\system32\6.ext
C:\WINDOWS\system32\7.ext
C:\WINDOWS\system32\8.ext
C:\WINDOWS\system32\8lfa.exe
C:\WINDOWS\system32\9.ext
C:\WINDOWS\system32\C3madx.dll
C:\WINDOWS\system32\Com\Config.cfg
C:\WINDOWS\system32\comarshal.dat
C:\WINDOWS\system32\comspring.dat
C:\WINDOWS\system32\config.txt
C:\WINDOWS\system32\config\PlugsList.dat
C:\WINDOWS\system32\config\sam2.log
C:\WINDOWS\system32\conmis.exe
C:\WINDOWS\system32\discard.ini
C:\WINDOWS\system32\dlg8.dll
C:\WINDOWS\system32\inf\mscg24.exe
C:\WINDOWS\system32\inf\mscs24.exe
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\sslsocket.dll
C:\WINDOWS\system32\windows.txt
C:\WINDOWS\system32\xunleiBHO_Now6.dll
C:\WINDOWS\Tasks\0x01xx8p.exe
C:\WINDOWS\Tasks\SysFile.brk
C:\WINDOWS\UP
C:\WINDOWS\vapa.ini
C:\WINDOWS\vv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_NETWORK_SERVICES
-------\Legacy_NPF
-------\Legacy_PROTECTEDSTORI
-------\Legacy_RESSDT
-------\Legacy_WBWIN
-------\Service_Apcdli
-------\Service_Ias
-------\Service_IPRIP
-------\Service_Nessery
-------\Service_Network Services
-------\Service_NPF
-------\Service_ProtectedStori
-------\Service_RESSDT
-------\Service_WbWin
-------\Service_wmpobj


((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
.

2008-10-30 16:47 . 2008-10-30 16:47 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-10-30 16:47 . 2008-10-30 16:47 <DIR> d-------- C:\WINDOWS\srchasst
2008-10-30 16:47 . 2008-10-30 16:47 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-29 01:40 . 2008-10-30 10:31 679,936 -r------- C:\WINDOWS\system32\dlhd.dll
2008-10-28 15:20 . 2008-10-28 15:20 <DIR> d-------- C:\Program Files\Avira
2008-10-28 15:20 . 2008-10-28 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-26 12:59 . 2008-10-26 12:59 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-10-26 12:32 . 2008-10-26 12:35 <DIR> d-------- C:\nDoors
2008-10-26 02:27 . 2008-02-09 15:46 67,108,864 --a------ C:\2002 - Professor Layton and the Curious Village (U).nds
2008-10-23 19:33 . 2008-10-15 09:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 13:13 . 2008-10-23 13:13 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-10-23 13:13 . 2008-10-23 13:13 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-10-23 13:13 . 2008-10-23 13:13 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\SmartFTP
2008-10-23 12:59 . 2008-10-23 12:59 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Media Player Classic
2008-10-23 12:58 . 2008-10-23 12:58 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-10-20 13:20 . 2008-10-20 13:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-19 02:10 . 2008-10-19 02:10 <DIR> d-------- C:\Program Files\ESTsoft
2008-10-19 02:10 . 2008-10-19 02:10 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\ESTsoft
2008-10-17 14:40 . 2008-10-28 15:23 <DIR> d-------- C:\Program Files\Counter
2008-10-17 13:18 . 2008-08-06 15:27 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-17 13:18 . 2008-08-06 15:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-10-17 13:17 . 2008-10-17 13:18 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-10-17 13:01 . 2008-10-30 16:26 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Azureus
2008-10-17 13:01 . 2008-10-17 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-10-17 13:00 . 2008-10-29 23:14 <DIR> d-------- C:\Program Files\Vuze
2008-10-17 12:54 . 2008-10-17 12:54 <DIR> d-------- C:\Program Files\LimeWire
2008-10-17 12:54 . 2008-10-30 16:26 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\LimeWire
2008-10-17 10:44 . 2008-10-17 10:44 82 --a------ C:\WINDOWS\125-33-4107
2008-10-17 01:14 . 2005-01-22 12:12 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-10-17 00:51 . 2008-10-17 00:51 <DIR> d-------- C:\Program Files\WinPcap
2008-10-17 00:51 . 2008-10-17 01:59 <DIR> d-------- C:\Program Files\WC3Banlist
2008-10-16 14:32 . 2008-10-16 14:38 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-10-16 14:32 . 2008-10-16 15:07 77,605 --a------ C:\WINDOWS\War3Unin.dat
2008-10-16 14:32 . 2008-10-16 14:38 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-10-16 14:29 . 2008-10-30 01:31 <DIR> d-------- C:\Program Files\Warcraft III
2008-10-16 14:18 . 2008-10-16 14:18 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\QuickTime
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\iTunes
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\iPod
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\Bonjour
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Apple Computer
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 13:56 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-10-16 13:56 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-10-16 13:55 . 2008-10-16 13:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-16 13:55 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-10-16 13:55 . 2008-10-16 13:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-16 13:55 . 2008-10-16 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-10-16 13:49 . 2008-10-16 13:49 <DIR> d-------- C:\Program Files\Stardock
2008-10-16 13:49 . 2008-10-16 13:49 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-10-16 12:11 . 2008-10-16 12:11 <DIR> d-------- C:\Program Files\Sygate
2008-10-16 12:11 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-10-16 12:11 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-10-16 12:11 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-10-16 11:46 . 2008-10-16 11:46 <DIR> d-------- C:\WINDOWS\Sun
2008-10-16 11:46 . 2008-10-16 11:54 <DIR> d-------- C:\Documents and Settings\DoOoMo!\.housecall6.6
2008-10-16 11:43 . 2008-10-16 11:43 <DIR> d-------- C:\Program Files\Java
2008-10-16 11:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-16 11:42 . 2008-10-16 11:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-16 11:33 . 2008-10-16 14:07 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Ventrilo
2008-10-16 11:32 . 2008-10-16 11:32 <DIR> d-------- C:\Program Files\Ventrilo
2008-10-16 10:30 . 2008-10-16 10:30 68 --a------ C:\WINDOWS\system32\f06
2008-10-16 10:00 . 2008-10-16 10:00 68 --a------ C:\WINDOWS\system32\c6df
2008-10-16 09:30 . 2008-10-16 09:30 68 --a------ C:\WINDOWS\system32\9a7
2008-10-16 09:00 . 2008-10-16 09:00 68 --a------ C:\WINDOWS\system32\91fc
2008-10-16 08:30 . 2008-10-16 08:30 68 --a------ C:\WINDOWS\system32\71d8
2008-10-16 08:00 . 2008-10-16 08:00 68 --a------ C:\WINDOWS\system32\6df
2008-10-16 07:30 . 2008-10-16 07:30 68 --a------ C:\WINDOWS\system32\61b3
2008-10-16 06:00 . 2008-10-16 06:00 68 --a------ C:\WINDOWS\system32\1d85c6
2008-10-16 04:59 . 2008-10-16 04:59 68 --a------ C:\WINDOWS\system32\591
2008-10-16 04:51 . 2008-10-16 04:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-16 04:51 . 2008-10-16 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 04:42 . 2008-10-16 04:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 04:29 . 2008-10-16 04:29 68 --a------ C:\WINDOWS\system32\1fc6d
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Program Files\UltraMon
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Program Files\Common Files\Realtime Soft
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Realtime Soft
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-10-16 04:17 . 2008-10-30 16:48 <DIR> d-------- C:\Program Files\Steam
2008-10-16 02:46 . 2008-10-16 02:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-10-16 02:46 . 2008-10-16 02:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-16 02:45 . 2008-10-16 02:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-16 02:31 . 2008-10-16 02:31 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-10-16 02:31 . 2008-10-16 02:31 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-10-16 02:30 . 2008-10-16 02:30 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-10-16 02:26 . 2008-08-14 03:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-16 02:26 . 2008-08-14 03:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-16 02:26 . 2008-08-14 02:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-16 02:26 . 2008-08-14 02:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-16 02:26 . 2008-09-15 05:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-16 02:26 . 2008-09-08 03:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-16 02:26 . 2008-06-13 04:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-10-16 02:26 . 2008-06-13 04:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-16 02:24 . 2008-07-23 16:51 16,804,864 --a------ C:\WINDOWS\RTHDCPL.exe
2008-10-16 02:24 . 2008-06-19 16:42 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2008-10-16 02:24 . 2007-06-28 16:44 2,165,760 --a------ C:\WINDOWS\MicCal.exe
2008-10-16 02:24 . 2008-07-15 13:58 524,288 --a------ C:\WINDOWS\RtlExUpd.dll
2008-10-16 02:24 . 2008-10-16 02:24 319,488 --a------ C:\WINDOWS\HideWin.exe
2008-10-16 02:24 . 2008-06-19 16:24 278,528 --a------ C:\WINDOWS\system32\ALSndMgr.cpl
2008-10-16 02:24 . 2008-06-19 16:20 57,344 --a------ C:\WINDOWS\Alcmtr.exe
2008-10-16 02:23 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-16 02:23 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-16 02:23 . 2008-05-08 07:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-16 02:20 . 2008-10-23 20:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-10-16 02:20 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-10-16 02:09 . 2008-10-16 02:09 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\acccore
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Program Files\Viewpoint
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-10-16 02:07 . 2008-10-16 02:08 <DIR> d-------- C:\Program Files\AIM6
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-16 02:07 . 2008-10-16 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-10-16 02:07 . 2008-10-16 02:08 376 --ah----- C:\IPH.PH
2008-10-16 02:04 . 2008-10-16 02:04 1,172 --a------ C:\WINDOWS\mozver.dat
2008-10-16 02:03 . 2008-10-16 02:03 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Talkback
2008-10-16 02:01 . 2008-10-16 02:01 133 --a------ C:\WINDOWS\system32\o72Bab.bat
2008-10-16 02:00 . 2008-10-16 02:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-10-16 02:00 . 2008-10-16 02:00 8 --a------ C:\WINDOWS\system32\nvModes.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2039-06-01 07:00 33,280 ----a-w C:\WINDOWS\system32\vonine.exe
2008-10-26 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-16 18:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-16 09:24 --------- d-----w C:\Program Files\Realtek
2008-10-16 08:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-16 08:49 --------- d-----w C:\Program Files\Common Files\Real
2008-10-16 08:47 368,640 ----a-w C:\WINDOWS\system32\x1.exe
2008-10-16 08:47 --------- d-----w C:\Documents and Settings\DoOoMo!\Application Data\InstallShield
2008-10-16 08:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-16 08:39 --------- d-----w C:\Program Files\Lavasoft
2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\divx.dll
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-29 17:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-07 18:38 9,728 ----a-w C:\WINDOWS\system32\RtNicProp32.dll
2008-07-15 20:47 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 50472]
"Steam"="c:\program files\steam\steam.exe" [2008-10-16 1410296]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2006-10-12 304640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-06 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-06 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-11-06 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 C:\WINDOWS\RTHDCPL.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 C:\WINDOWS\alcwzrd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-13 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\DoOoMo!\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-10-16 3450608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^DoOoMo!^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\DoOoMo!\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2008-04-13 13:13 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"Spooler"=2 (0x2)
"Network Services"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Steam\\steamapps\\jestftw\\counter-strike\\hl.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 crplj;crplj;C:\WINDOWS\system32\drivers\crplj.sys [2008-04-13 25216]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S2 AdWin;AdWin;C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S2 WinCCom;WinCCom;C:\WINDOWS\system32\8lfa.exe [ ]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AdWin

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2e10d0-a1fb-11dd-b8d0-001d7daab84b}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7559bea8-9b5d-11dd-b8bd-d766e4dfd933}]
\Shell\AutoRun\command - E:\MSDOS.bat
\Shell\explore\Command - E:\MSDOS.bat
\Shell\open\Command - E:\MSDOS.bat

*Newly Created Service* - ADWIN
*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-30 C:\WINDOWS\Tasks\622ac.job
- C:\WINDOWS\Downlo~1\622ac.dll []

2008-10-30 C:\WINDOWS\Tasks\622b.job
- C:\WINDOWS\Downlo~1\622b.dll []

2008-10-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{433B8FF7-3671-49f9-B382-4EAFDB83CFCF} - C:\WINDOWS\system32\dlg8.dll
HKLM-Run-RavMonS - C:\WINDOWS\soni.exe
HKLM-Run-360 - C:\WINDOWS\360safe.exe
HKLM-Explorer_Run-622b - C:\WINDOWS\Downlo~1\622b.dll
MSConfigStartUp-360 - C:\WINDOWS\360safe.exe
MSConfigStartUp-QQfaces - C:\PlayrKM.exe
MSConfigStartUp-RavMonS - C:\WINDOWS\soni.exe
MSConfigStartUp-UUcallo - c:\woKuto.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\DoOoMo!\Application Data\Mozilla\Firefox\Profiles\9ts5b22h.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 16:47:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-30 16:50:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-30 23:50:43

Pre-Run: 70,195,412,992 bytes free
Post-Run: 70,183,145,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

414 --- E O F --- 2008-10-24 03:26:48



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:22 PM, on 10/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: WinCCom - Unknown owner - C:\WINDOWS\system32\8lfa.exe (file missing)

--
End of file - 5603 bytes



Also now I am getting a RUNDLL error: Error Loading C:\WINDOWS\Downlo~1\622ac.dll, The specified module could not be found.
Any ideas?

Edited by Jestman, 30 October 2008 - 07:02 PM.


#11 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:02:50 PM

Posted 31 October 2008 - 03:17 PM

Hello Jestman,

Also now I am getting a RUNDLL error: Error Loading C:\WINDOWS\Downlo~1\622ac.dll, The specified module could not be found.

We'll fix this.
----------------------------------------------
REMOVE VIEWPOINT

You have Viewpoint, Viewpoint Manager, Viewpoint Media Player installed on your system. These programs are not malware but are considered foistware rather than malware, since they are installed without the user's approval, and for this reason I recommend you remove them.

To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
----------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Vuze
LimeWire


References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
Did you set this as your start page?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7

If you didn't, please fix it using HijackThis.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7

Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/174778/super-infected-with-win32adwarecinmus/?p=991779
    
    Collect::
    C:\WINDOWS\system32\dlhd.dll
    C:\WINDOWS\125-33-4107
    C:\WINDOWS\system32\f06
    C:\WINDOWS\system32\c6df
    C:\WINDOWS\system32\9a7
    C:\WINDOWS\system32\91fc
    C:\WINDOWS\system32\71d8
    C:\WINDOWS\system32\6df
    C:\WINDOWS\system32\61b3
    C:\WINDOWS\system32\1d85c6
    C:\WINDOWS\system32\591
    C:\WINDOWS\system32\1fc6d
    C:\WINDOWS\system32\o72Bab.bat
    C:\WINDOWS\system32\vonine.exe
    C:\WINDOWS\system32\x1.exe
    C:\WINDOWS\system32\8lfa.exe
    C:\WINDOWS\Downlo~1\622ac.dll
    C:\WINDOWS\Downlo~1\622b.dll
    C:\WINDOWS\qqshel.exe
    C:\WINDOWS\RavNT.exe
    
    File::
    C:\WINDOWS\Tasks\622ac.job
    C:\WINDOWS\Tasks\622b.job
    
    Folder::
    C:\Program Files\Viewpoint
    
    Driver::
    WinCCom
    Viewpoint Manager Service
    AdWin
    
    NetSvc::
    AdWin
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot not available: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Do you still get the error?
Private Messages for personal support will be ignored. If you need help post in the forum.

#12 Jestman (Topic Starter, Members, 20 posts)

Posted 01 November 2008 - 12:56 AM

ComboFix 08-10-30.09 - DoOoMo! 2008-10-31 22:43:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1578 [GMT -7:00]
Running from: C:\Documents and Settings\DoOoMo!\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DoOoMo!\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Tasks\622ac.job
C:\WINDOWS\Tasks\622b.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\125-33-4107
C:\WINDOWS\system32\1d85c6
C:\WINDOWS\system32\1fc6d
C:\WINDOWS\system32\591
C:\WINDOWS\system32\61b3
C:\WINDOWS\system32\6df
C:\WINDOWS\system32\71d8
C:\WINDOWS\system32\91fc
C:\WINDOWS\system32\9a7
C:\WINDOWS\system32\c6df
C:\WINDOWS\system32\dlhd.dll
C:\WINDOWS\system32\f06
C:\WINDOWS\system32\o72Bab.bat
C:\WINDOWS\system32\vonine.exe
C:\WINDOWS\system32\x1.exe
C:\WINDOWS\Tasks\622ac.job
C:\WINDOWS\Tasks\622b.job
E:\MSDOS.bat
E:\RECYCLER\.DS_Store

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADWIN
-------\Legacy_NPF
-------\Legacy_PROTECTEDSTORI
-------\Legacy_WINCCOM
-------\Service_AdWin
-------\Service_NPF
-------\Service_WinCCom


((((((((((((((((((((((((( Files Created from 2008-10-01 to 2008-11-01 )))))))))))))))))))))))))))))))
.

2008-10-30 18:14 . 2008-10-30 18:14 <DIR> d-------- C:\Program Files\AIM Music Link
2008-10-30 16:47 . 2008-10-30 16:47 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-10-30 16:47 . 2008-10-30 16:47 <DIR> d-------- C:\WINDOWS\srchasst
2008-10-30 16:47 . 2008-10-30 16:47 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-28 15:20 . 2008-10-28 15:20 <DIR> d-------- C:\Program Files\Avira
2008-10-28 15:20 . 2008-10-28 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-26 12:59 . 2008-10-26 12:59 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-10-26 12:32 . 2008-10-26 12:35 <DIR> d-------- C:\nDoors
2008-10-26 02:27 . 2008-02-09 15:46 67,108,864 --a------ C:\2002 - Professor Layton and the Curious Village (U).nds
2008-10-23 19:33 . 2008-10-15 09:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 13:13 . 2008-10-23 13:13 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-10-23 13:13 . 2008-10-23 13:13 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-10-23 13:13 . 2008-10-23 13:13 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\SmartFTP
2008-10-23 12:59 . 2008-10-23 12:59 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Media Player Classic
2008-10-23 12:58 . 2008-10-23 12:58 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-10-20 13:20 . 2008-10-20 13:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-19 02:10 . 2008-10-19 02:10 <DIR> d-------- C:\Program Files\ESTsoft
2008-10-19 02:10 . 2008-10-19 02:10 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\ESTsoft
2008-10-17 14:40 . 2008-10-28 15:23 <DIR> d-------- C:\Program Files\Counter
2008-10-17 13:18 . 2008-08-06 15:27 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-17 13:18 . 2008-08-06 15:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-10-17 13:17 . 2008-10-17 13:18 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-10-17 13:01 . 2008-10-31 12:41 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Azureus
2008-10-17 13:01 . 2008-10-17 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-10-17 13:00 . 2008-10-29 23:14 <DIR> d-------- C:\Program Files\Vuze
2008-10-17 12:54 . 2008-10-30 16:57 <DIR> d-------- C:\Program Files\LimeWire
2008-10-17 12:54 . 2008-10-30 18:18 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\LimeWire
2008-10-17 01:14 . 2005-01-22 12:12 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-10-17 00:51 . 2008-10-17 00:51 <DIR> d-------- C:\Program Files\WinPcap
2008-10-17 00:51 . 2008-10-17 01:59 <DIR> d-------- C:\Program Files\WC3Banlist
2008-10-16 14:32 . 2008-10-16 14:38 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-10-16 14:32 . 2008-10-16 15:07 77,605 --a------ C:\WINDOWS\War3Unin.dat
2008-10-16 14:32 . 2008-10-16 14:38 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-10-16 14:29 . 2008-10-31 04:44 <DIR> d-------- C:\Program Files\Warcraft III
2008-10-16 14:18 . 2008-10-16 14:18 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\QuickTime
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\iTunes
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\iPod
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\Bonjour
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Apple Computer
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-16 13:56 . 2008-10-16 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 13:56 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-10-16 13:56 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-10-16 13:55 . 2008-10-16 13:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-16 13:55 . 2008-10-16 13:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-10-16 13:55 . 2008-10-16 13:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-16 13:55 . 2008-10-16 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-10-16 13:49 . 2008-10-16 13:49 <DIR> d-------- C:\Program Files\Stardock
2008-10-16 13:49 . 2008-10-16 13:49 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-10-16 12:11 . 2008-10-16 12:11 <DIR> d-------- C:\Program Files\Sygate
2008-10-16 12:11 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-10-16 12:11 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-10-16 12:11 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-10-16 12:11 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-10-16 11:46 . 2008-10-16 11:46 <DIR> d-------- C:\WINDOWS\Sun
2008-10-16 11:46 . 2008-10-16 11:54 <DIR> d-------- C:\Documents and Settings\DoOoMo!\.housecall6.6
2008-10-16 11:43 . 2008-10-16 11:43 <DIR> d-------- C:\Program Files\Java
2008-10-16 11:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-16 11:42 . 2008-10-16 11:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-16 11:33 . 2008-10-16 14:07 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Ventrilo
2008-10-16 11:32 . 2008-10-16 11:32 <DIR> d-------- C:\Program Files\Ventrilo
2008-10-16 04:51 . 2008-10-16 04:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-16 04:51 . 2008-10-16 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 04:42 . 2008-10-16 04:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Program Files\UltraMon
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Program Files\Common Files\Realtime Soft
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Realtime Soft
2008-10-16 04:21 . 2008-10-16 04:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-10-16 04:17 . 2008-10-31 22:50 <DIR> d-------- C:\Program Files\Steam
2008-10-16 02:46 . 2008-10-16 02:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-10-16 02:46 . 2008-10-16 02:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-16 02:45 . 2008-10-16 02:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-16 02:31 . 2008-10-16 02:31 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-10-16 02:31 . 2008-10-16 02:31 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-10-16 02:30 . 2008-10-16 02:30 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-10-16 02:26 . 2008-08-14 03:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-16 02:26 . 2008-08-14 03:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-16 02:26 . 2008-08-14 02:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-16 02:26 . 2008-08-14 02:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-16 02:26 . 2008-09-15 05:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-16 02:26 . 2008-09-08 03:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-16 02:26 . 2008-06-13 04:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-10-16 02:26 . 2008-06-13 04:05 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-16 02:24 . 2008-07-23 16:51 16,804,864 --a------ C:\WINDOWS\RTHDCPL.exe
2008-10-16 02:24 . 2008-06-19 16:42 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2008-10-16 02:24 . 2007-06-28 16:44 2,165,760 --a------ C:\WINDOWS\MicCal.exe
2008-10-16 02:24 . 2008-07-15 13:58 524,288 --a------ C:\WINDOWS\RtlExUpd.dll
2008-10-16 02:24 . 2008-10-16 02:24 319,488 --a------ C:\WINDOWS\HideWin.exe
2008-10-16 02:24 . 2008-06-19 16:24 278,528 --a------ C:\WINDOWS\system32\ALSndMgr.cpl
2008-10-16 02:24 . 2008-06-19 16:20 57,344 --a------ C:\WINDOWS\Alcmtr.exe
2008-10-16 02:23 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-16 02:23 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-16 02:23 . 2008-05-08 07:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-16 02:20 . 2008-10-23 20:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-10-16 02:20 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-10-16 02:09 . 2008-10-16 02:09 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\acccore
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-10-16 02:07 . 2008-10-16 02:08 <DIR> d-------- C:\Program Files\AIM6
2008-10-16 02:07 . 2008-10-31 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-16 02:07 . 2008-10-16 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-10-16 02:07 . 2008-10-16 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-10-16 02:07 . 2008-10-16 02:08 376 --ah----- C:\IPH.PH
2008-10-16 02:04 . 2008-10-16 02:04 1,172 --a------ C:\WINDOWS\mozver.dat
2008-10-16 02:03 . 2008-10-16 02:03 <DIR> d-------- C:\Documents and Settings\DoOoMo!\Application Data\Talkback
2008-10-16 02:00 . 2008-10-16 02:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-10-16 02:00 . 2008-10-16 02:00 8 --a------ C:\WINDOWS\system32\nvModes.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 13:29 90,112 ----a-w C:\WINDOWS\DUMP592c.tmp
2008-10-26 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-16 18:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-16 09:24 --------- d-----w C:\Program Files\Realtek
2008-10-16 08:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-16 08:49 --------- d-----w C:\Program Files\Common Files\Real
2008-10-16 08:47 --------- d-----w C:\Documents and Settings\DoOoMo!\Application Data\InstallShield
2008-10-16 08:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-16 08:39 --------- d-----w C:\Program Files\Lavasoft
2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\divx.dll
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-29 17:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-07 18:38 9,728 ----a-w C:\WINDOWS\system32\RtNicProp32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-30_16.50.31.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-21 03:45:39 84,661 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-10-31 01:08:53 84,661 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 50472]
"Steam"="c:\program files\steam\steam.exe" [2008-10-16 1410296]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2006-10-12 304640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-06 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-06 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-11-06 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 C:\WINDOWS\RTHDCPL.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 C:\WINDOWS\alcwzrd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-13 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\DoOoMo!\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-10-16 3450608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^DoOoMo!^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\DoOoMo!\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2008-04-13 13:13 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"Spooler"=2 (0x2)
"Network Services"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Steam\\steamapps\\jestftw\\counter-strike\\hl.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 crplj;crplj;C:\WINDOWS\system32\drivers\crplj.sys [2008-04-13 25216]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2e10d0-a1fb-11dd-b8d0-001d7daab84b}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7559bea8-9b5d-11dd-b8bd-d766e4dfd933}]
\Shell\AutoRun\command - E:\MSDOS.bat
\Shell\explore\Command - E:\MSDOS.bat
\Shell\open\Command - E:\MSDOS.bat
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 22:49:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-31 22:52:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-01 05:52:08
ComboFix2.txt 2008-10-30 23:50:46

Pre-Run: 71,898,746,880 bytes free
Post-Run: 71,889,793,024 bytes free

289 --- E O F --- 2008-10-24 03:26:48



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:24 PM, on 10/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.345dh.cn?tg=7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 5518 bytes


So far no error. Will get back to you on that.
Also on HijackThis, that line you wanted me to fix checked was still there after I fixed and closed it. Should it still be on the list?
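The ComboFix report above can be checked against the CFScript it was run with. As an added example, not part of this thread and not ComboFix's own code, the Python script below parses the Section:: blocks of a CFScript and the "Other Deletions" and "Drivers/Services" blocks of the resulting log, then reports which requested items the log shows ComboFix acting on. The sample script and log are short excerpts copied from the posts above; the Service_/Legacy_ matching rule for Driver:: and NetSvc:: entries is an assumption drawn only from those log lines.

```python
"""Reconcile a ComboFix CFScript with the ComboFix report it produced.

Added example for this thread: not ComboFix's own code and not posted by
the helper. It parses the Section:: blocks of a CFScript and the
"Other Deletions" / "Drivers/Services" blocks of the resulting log, then
says which requested items the log shows ComboFix acting on.
"""
import re

# Constructed sample: short excerpts of the CFScript and log posted above.
CFSCRIPT = r"""
http://www.bleepingcomputer.com/forums/t/174778/super-infected-with-win32adwarecinmus/?p=991779
Collect::
C:\WINDOWS\system32\dlhd.dll
C:\WINDOWS\system32\vonine.exe
C:\WINDOWS\system32\8lfa.exe
C:\WINDOWS\qqshel.exe
File::
C:\WINDOWS\Tasks\622ac.job
Folder::
C:\Program Files\Viewpoint
Driver::
WinCCom
Viewpoint Manager Service
AdWin
NetSvc::
AdWin
"""

COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dlhd.dll
C:\WINDOWS\system32\vonine.exe
C:\WINDOWS\Tasks\622ac.job
E:\MSDOS.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADWIN
-------\Legacy_WINCCOM
-------\Service_AdWin
-------\Service_WinCCom

((((((((((((((((((((((((( Files Created from 2008-10-01 to 2008-11-01 )))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. "Collect::"
BLOCK_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # e.g. "(((( Other Deletions ))))"


def parse_cfscript(text):
    """Return {section: [entries]}; anything before the first Section:: line
    (the thread URL ComboFix wants at the top) is ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {block title: [lines]} for the parenthesised report blocks."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is not None and line and line != ".":
            blocks[current].append(line)
    return blocks


def reconcile(script, log):
    """Map (section, entry) -> True if the log shows ComboFix acting on it.

    File-type entries are matched case-insensitively against "Other
    Deletions". Driver::/NetSvc:: names are matched against the
    Service_<name> / Legacy_<NAME> lines under "Drivers/Services"; that
    naming rule is an assumption drawn only from the log lines above."""
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    services = {s.rsplit("\\", 1)[-1].lower() for s in log.get("Drivers/Services", [])}
    result = {}
    for section, entries in script.items():
        for entry in entries:
            if section in ("Driver", "NetSvc"):
                key = entry.lower()
                hit = f"service_{key}" in services or f"legacy_{key}" in services
            else:
                hit = entry.lower() in deleted
            result[(section, entry)] = hit
    return result


def report(result):
    """One line per requested item, flagging what the log never mentions."""
    return "\n".join(
        f"{'removed ' if hit else 'NOT SEEN'}  {section}:: {entry}"
        for (section, entry), hit in sorted(result.items())
    )


if __name__ == "__main__":
    print(report(reconcile(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG))))
```

Items marked NOT SEEN are not necessarily still on the disk: ComboFix only lists what it found, so an entry that was already gone, or a name typed differently from the one on disk, looks the same as one that survived. The check turns that silence into a short list to verify by hand instead of assuming the script did everything it was asked.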

#13 chryssi2001 (Members, 1,930 posts)

Posted 01 November 2008 - 03:27 AM

Hello Jestman,

Also on HijackThis, that line you wanted me to fix checked was still there after I fixed and closed it. Should it still be on the list?

Unfortunately to remove that you have to re-install Internet Explorer, and then fix it.
I forgot you uninstalled IE. :thumbsup:

That's why it's still there.
Will you do it please?
I believe you will not have problems with IE now, most probably the infections created the problem you had. Install IE7.

Re-Install IE, and then run HijackThis to remove that line.
If it still stays there, let me know.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\WINDOWS\system32\drivers\crplj.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
Post back:
Jotti results.
Let me know what happened with that line.
Private Messages for personal support will be ignored. If you need help post in the forum.

#14 Jestman (Topic Starter, Members, 20 posts)

Posted 01 November 2008 - 04:05 PM

Jotti gave me this:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
I already tried disabling my firewall and it gave me the same result. I just manually browsed for it and it seems like that file doesn't exist or is relocated, because I could not find it in that folder.

After reinstalling IE7 the line indeed went away.

Also the error that I had told you about before is now gone. I now get a new error on startup, and it will not load my desktop until I press OK. It was something like Madx.dll. It only happens once in a while; I'm sorry I do not have the full name right now. I will update once it happens again.

Edited by Jestman, 01 November 2008 - 04:12 PM.


#15 chryssi2001 (Members, 1,930 posts)

Posted 02 November 2008 - 02:37 AM

Hello Jestman,

Let's see if this tool can find the file C:\WINDOWS\system32\drivers\crplj.sys

Now about Madx.dll, and your desktop problem we haven't done anything which would create these problems.
So your desktop doesn't load? Please explain more.

Can you post a screenshot of the above error?
----------------------------------------------
FileLook

Please download FileLook by jpshortstuff from one of the following mirrors:
Link 1
Link 2
  • Double-click FileLook.exe to run it. (Vista users will almost certainly have to right click and select Run As Administrator)
  • Ensure that the BBCode Output checkbox is checked.
  • Copy the content of the following codebox into the main textfield:

    C:\WINDOWS\system32\drivers\crplj.sys
    Madx.dll /s

    If you remember that Madx.dll was indeed the file which created the problem, copy the above code box as it is.
    If you have the actual name and it's different, replace Madx.dll with it, but leave the /s in the code box.
    (A space is needed after the file name and before the /s.)
    If it happens again, write down the file name please.
  • Click the FileLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at C:\fl_log.txt
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
FileLook report.
Malwarebytes' Anti-Malware report.
Screenshot of the problem.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.
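The FileLook list above accepts two kinds of entry: a full path, and a bare file name with /s for a recursive search. As an added example, not FileLook itself and not code from this thread, the Python script below does the same job on a constructed sample directory: it resolves each entry and, for every file found, records size, mtime and SHA-256, flagging zero-byte or missing files explicitly, since a zero-byte file is what the Jotti upload above ran into. The sample tree, the file names in it and their contents are constructed for the demo.

```python
"""Locate and fingerprint suspect files from a FileLook-style list.

Added example for this thread: not jpshortstuff's FileLook and not the
helper's code. Each input line is either a full path, checked as-is, or a
bare file name followed by /s, searched for recursively under the given
roots, which is how the helper's "Madx.dll /s" entry is meant to work.
Every hit gets size, mtime and SHA-256; an absent or zero-byte file is
reported as such instead of being skipped, because an empty upload is
exactly what the Jotti attempt above ran into.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_filelook_list(text):
    """Return [(target, recursive)] from lines like a full path or 'name /s'."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().endswith(" /s"):
            items.append((line[:-3].rstrip(), True))
        else:
            items.append((line, False))
    return items


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large drivers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe(path):
    """Describe one path; status is 'missing', 'empty' or 'ok'."""
    p = Path(path)
    if not p.is_file():
        return {"path": str(p), "status": "missing"}
    st = p.stat()
    info = {"path": str(p), "status": "ok", "size": st.st_size, "mtime": st.st_mtime}
    if st.st_size == 0:
        info["status"] = "empty"   # nothing to hash and nothing worth uploading
    else:
        info["sha256"] = sha256_of(p)
    return info


def look(text, roots):
    """Resolve each list entry; /s entries are searched under every root."""
    results = []
    for target, recursive in parse_filelook_list(text):
        if not recursive:
            results.append(describe(target))
            continue
        name = target.lower()
        hits = [p for root in roots for p in Path(root).rglob("*")
                if p.is_file() and p.name.lower() == name]
        if not hits:
            results.append({"path": target, "status": "missing",
                            "searched": [str(r) for r in roots]})
        results.extend(describe(p) for p in hits)
    return results


def demo():
    """Constructed sample tree standing in for a Windows directory: one
    zero-byte driver (what Jotti saw), one path that does not exist, and a
    DLL two levels down that only a /s search would find."""
    root = Path(tempfile.mkdtemp())
    drivers = root / "system32" / "drivers"
    drivers.mkdir(parents=True)
    (drivers / "crplj.sys").write_bytes(b"")
    (root / "system32" / "Macromed").mkdir()
    (root / "system32" / "Macromed" / "Madx.dll").write_bytes(b"abc")   # constructed content
    listing = "\n".join([str(drivers / "crplj.sys"), str(root / "nothere.sys"), "madx.dll /s"])
    return look(listing, [root])


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The hash is what to submit or search for when the file itself cannot be uploaded; an "empty" or "missing" status for a driver that is still registered as a service is worth reporting on its own, since a registered driver with no readable image is a stale or tampered entry either way.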



