I need serious help!


This topic is locked
2 replies to this topic

#1 jhoki

  • Members
  • 2 posts

Posted 06 November 2008 - 08:14 AM

Guys, I hope you can help me. I run a small internet cafe and I'm freaking infected by this browser. You're the only hope that I have. I have 15 PCs that were infected by this useless browser. Thanks :thumbsup:



Logfile of random's system information tool 1.04 (written by random/random)
Run by jhoki at 2008-11-06 20:56:57
Microsoft Windows XP Professional Service Pack 2
System drive C: has 72 GB (94%) free of 76 GB
Total RAM: 1023 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:59 PM, on 11/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jhoki\Local Settings\Temporary Internet Files\Content.IE5\E5PPBFJ8\RSIT[1].exe
C:\Program Files\trend micro\jhoki.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.redtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = SoWar Browser
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RawOs] wscript.exe "C:\WINDOWS\sowar.vbs"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2870 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll [2008-04-25 62728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-10-07 13574144]
"nwiz"=nwiz.exe /install []
"RawOs"=wscript.exe C:\WINDOWS\sowar.vbs []
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2007-12-21 1443072]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-10-07 86016]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2008-04-25 201992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2008-04-25 206088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=128
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01c508c4-abfc-11dd-a673-00e018085109}]
shell\AutoRun\command - wscript.exe sowar.vbs
shell\Open\command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ceec0b88-abee-11dd-a66e-00e018085109}]
shell\AutoRun\command - wscript.exe sowar.vbs
shell\Open\command - wscript.exe sowar.vbs


======List of files/folders created in the last 1 months======

2008-11-06 23:30:22 ----A---- C:\WINDOWS\system32\h323log.txt
2008-11-06 23:10:29 ----A---- C:\WINDOWS\imsins.BAK
2008-11-06 23:10:26 ----SHD---- C:\WINDOWS\Installer
2008-11-06 23:10:26 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-06 23:10:25 ----D---- C:\Program Files\Common Files\ODBC
2008-11-06 23:10:25 ----A---- C:\WINDOWS\ODBCINST.INI
2008-11-06 23:10:22 ----RD---- C:\Program Files
2008-11-06 23:10:22 ----D---- C:\Program Files\Common Files\SpeechEngines
2008-11-06 23:10:22 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-06 23:10:22 ----D---- C:\Program Files\Common Files
2008-11-06 23:10:11 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
2008-11-06 23:10:10 ----A---- C:\WINDOWS\system32\EqnClass.Dll
2008-11-06 23:10:09 ----A---- C:\WINDOWS\system32\CONFIG.TMP
2008-11-06 23:10:07 ----A---- C:\WINDOWS\system32\storprop.dll
2008-11-06 23:10:00 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2008-11-06 23:09:56 ----RA---- C:\WINDOWS\SET8.tmp
2008-11-06 23:09:54 ----RA---- C:\WINDOWS\SET4.tmp
2008-11-06 23:09:53 ----RA---- C:\WINDOWS\SET3.tmp
2008-11-06 23:09:49 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-06 23:09:49 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-06 23:09:43 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-06 23:09:26 ----A---- C:\WINDOWS\setuplog.txt
2008-11-06 23:09:23 ----SHD---- C:\System Volume Information
2008-11-06 23:09:23 ----D---- C:\Documents and Settings
2008-11-06 23:08:18 ----SH---- C:\boot.ini
2008-11-06 23:03:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-06 23:03:09 ----RSD---- C:\WINDOWS\Fonts
2008-11-06 23:03:09 ----RD---- C:\WINDOWS\Web
2008-11-06 23:03:09 ----HD---- C:\WINDOWS\inf
2008-11-06 23:03:09 ----D---- C:\WINDOWS\WinSxS
2008-11-06 23:03:09 ----D---- C:\WINDOWS\twain_32
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Temp
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\wins
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\wbem
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\usmt
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\spool
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\ShellExt
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\Setup
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\ras
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\oobe
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\npp
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\mui
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\inetsrv
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\IME
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\icsxml
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\ias
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\export
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\drivers
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\dhcp
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\config
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\3com_dmi
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\3076
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\2052
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1054
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1042
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1041
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1037
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1033
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1031
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1028
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32\1025
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system32
2008-11-06 23:03:09 ----D---- C:\WINDOWS\system
2008-11-06 23:03:09 ----D---- C:\WINDOWS\security
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Resources
2008-11-06 23:03:09 ----D---- C:\WINDOWS\repair
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Provisioning
2008-11-06 23:03:09 ----D---- C:\WINDOWS\PeerNet
2008-11-06 23:03:09 ----D---- C:\WINDOWS\pchealth
2008-11-06 23:03:09 ----D---- C:\WINDOWS\mui
2008-11-06 23:03:09 ----D---- C:\WINDOWS\msapps
2008-11-06 23:03:09 ----D---- C:\WINDOWS\msagent
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Media
2008-11-06 23:03:09 ----D---- C:\WINDOWS\java
2008-11-06 23:03:09 ----D---- C:\WINDOWS\ime
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Help
2008-11-06 23:03:09 ----D---- C:\WINDOWS\ehome
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Driver Cache
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Debug
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Cursors
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Connection Wizard
2008-11-06 23:03:09 ----D---- C:\WINDOWS\Config
2008-11-06 23:03:09 ----D---- C:\WINDOWS\AppPatch
2008-11-06 23:03:09 ----D---- C:\WINDOWS\addins
2008-11-06 23:03:09 ----D---- C:\WINDOWS
2008-11-06 20:53:04 ----D---- C:\Program Files\trend micro
2008-11-06 20:53:03 ----D---- C:\rsit
2008-11-06 20:29:33 ----D---- C:\Program Files\Kaspersky Lab
2008-11-06 20:29:33 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-11-06 20:11:14 ----D---- C:\Program Files\NoAdware
2008-11-06 19:56:38 ----D---- C:\Documents and Settings\jhoki\Application Data\Malwarebytes
2008-11-06 19:56:33 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-06 19:56:33 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-06 19:49:47 ----D---- C:\Program Files\EPSON
2008-11-06 19:49:46 ----D---- C:\Documents and Settings\All Users\Application Data\EPSON
2008-11-06 19:49:37 ----A---- C:\WINDOWS\CDEC90ASIA.ini
2008-11-06 19:38:20 ----D---- C:\WINDOWS\Prefetch
2008-11-06 19:33:55 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2008-11-06 19:27:38 ----A---- C:\WINDOWS\system32\spxcoins.dll
2008-11-06 19:27:38 ----A---- C:\WINDOWS\system32\irclass.dll
2008-11-06 19:27:23 ----RA---- C:\WINDOWS\SET2F.tmp
2008-11-06 19:27:19 ----RA---- C:\WINDOWS\SET23.tmp
2008-11-06 19:27:18 ----RA---- C:\WINDOWS\SET20.tmp
2008-11-06 18:55:39 ----D---- C:\Documents and Settings\jhoki\Application Data\ESET
2008-11-06 18:55:34 ----D---- C:\Documents and Settings\jhoki\Application Data\WinRAR
2008-11-06 18:55:31 ----D---- C:\WINDOWS\system32\PreInstall
2008-11-06 18:55:29 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-06 18:55:17 ----D---- C:\Documents and Settings\jhoki\Application Data\Adobe
2008-11-06 18:55:15 ----D---- C:\WINDOWS\system32\DRVSTORE
2008-11-06 18:55:14 ----D---- C:\Program Files\Vimicro
2008-11-06 18:55:14 ----D---- C:\Documents and Settings\jhoki\Application Data\InstallShield
2008-11-06 18:55:06 ----D---- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-11-06 18:52:31 ----D---- C:\Config.Msi
2008-11-06 18:46:03 ----D---- C:\Program Files\ESET
2008-11-06 18:46:03 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2008-11-06 18:45:01 ----D---- C:\Program Files\WinRAR
2008-11-06 18:38:24 ----RASH---- C:\WINDOWS\sowar.vbs
2008-11-06 18:38:22 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2008-11-06 18:38:22 ----A---- C:\WINDOWS\system32\spmsg.dll
2008-11-06 18:38:20 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-06 18:30:24 ----D---- C:\WINDOWS\nview
2008-11-06 18:30:24 ----A---- C:\WINDOWS\system32\nvudisp.exe
2008-11-06 18:30:13 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2008-11-06 18:30:03 ----D---- C:\NVIDIA
2008-11-06 16:55:11 ----D---- C:\Documents and Settings\jhoki\Application Data\Macromedia
2008-11-06 16:53:11 ----D---- C:\Program Files\Common Files\Adobe
2008-11-06 16:49:38 ----A---- C:\WINDOWS\ZSSnp211.exe
2008-11-06 16:49:38 ----A---- C:\WINDOWS\Domino.exe
2008-11-06 16:40:32 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-06 16:37:55 ----RSD---- C:\WINDOWS\assembly
2008-11-06 16:37:40 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-06 16:13:34 ----A---- C:\WINDOWS\system32\atidrae.dll
2008-11-06 15:56:55 ----A---- C:\WINDOWS\system32\wpa.bak
2008-11-06 15:56:39 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-11-06 15:54:23 ----D---- C:\Documents and Settings\jhoki\Application Data\Identities
2008-11-06 15:54:22 ----HD---- C:\Program Files\Uninstall Information
2008-11-06 15:54:16 ----SD---- C:\Documents and Settings\jhoki\Application Data\Microsoft
2008-11-06 15:54:16 ----ASH---- C:\Documents and Settings\jhoki\Application Data\desktop.ini
2008-11-06 15:53:16 ----D---- C:\WINDOWS\SoftwareDistribution
2008-11-06 15:53:04 ----SD---- C:\WINDOWS\system32\Microsoft
2008-11-06 15:53:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-06 15:38:48 ----D---- C:\WINDOWS\system32\xircom
2008-11-06 15:38:48 ----D---- C:\Program Files\xerox
2008-11-06 15:38:48 ----D---- C:\Program Files\microsoft frontpage
2008-11-06 15:38:33 ----A---- C:\WINDOWS\control.ini
2008-11-06 15:38:33 ----A---- C:\AUTOEXEC.BAT
2008-11-06 15:38:24 ----A---- C:\WINDOWS\OEWABLog.txt
2008-11-06 15:38:20 ----A---- C:\WINDOWS\system32\mapi32.dll
2008-11-06 15:37:18 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-06 15:37:18 ----RD---- C:\WINDOWS\Offline Web Pages
2008-11-06 15:37:13 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-11-06 15:37:09 ----HD---- C:\Program Files\WindowsUpdate
2008-11-06 15:36:52 ----D---- C:\WINDOWS\system32\DirectX
2008-11-06 15:36:34 ----A---- C:\WINDOWS\system32\atrace.dll
2008-11-06 15:36:32 ----A---- C:\WINDOWS\system32\desktop.ini
2008-11-06 15:36:32 ----A---- C:\WINDOWS\desktop.ini
2008-11-06 15:36:26 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2008-11-06 15:36:25 ----D---- C:\Program Files\Common Files\Services
2008-11-06 15:36:25 ----A---- C:\WINDOWS\system32\acctres.dll
2008-11-06 15:36:23 ----SD---- C:\WINDOWS\Tasks
2008-11-06 15:36:23 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2008-11-06 15:36:22 ----D---- C:\Program Files\Common Files\MSSoap
2008-11-06 15:36:19 ----D---- C:\WINDOWS\srchasst
2008-11-06 15:36:18 ----D---- C:\WINDOWS\system32\Macromed
2008-11-06 15:36:16 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wups.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wups(2)(2).dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wuauserv.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2008-11-06 15:36:15 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2008-11-06 15:36:14 ----A---- C:\WINDOWS\system32\qmgr.dll
2008-11-06 15:36:11 ----D---- C:\Program Files\Movie Maker
2008-11-06 15:36:08 ----A---- C:\WINDOWS\system32\safrslv.dll
2008-11-06 15:36:08 ----A---- C:\WINDOWS\system32\safrdm.dll
2008-11-06 15:36:08 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2008-11-06 15:36:08 ----A---- C:\WINDOWS\system32\racpldlg.dll
2008-11-06 15:36:05 ----D---- C:\WINDOWS\system32\Restore
2008-11-06 15:36:05 ----A---- C:\WINDOWS\system32\srsvc.dll
2008-11-06 15:36:05 ----A---- C:\WINDOWS\system32\srrstr.dll
2008-11-06 15:36:05 ----A---- C:\WINDOWS\system32\fltMc.exe
2008-11-06 15:36:05 ----A---- C:\WINDOWS\system32\fltlib.dll
2008-11-06 15:36:04 ----A---- C:\WINDOWS\system32\srclient.dll
2008-11-06 15:36:04 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2008-11-06 15:36:04 ----A---- C:\WINDOWS\system32\mnmdd.dll
2008-11-06 15:36:04 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2008-11-06 15:36:04 ----A---- C:\WINDOWS\system32\ils.dll
2008-11-06 15:36:03 ----A---- C:\WINDOWS\system32\msconf.dll
2008-11-06 15:36:03 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2008-11-06 15:36:01 ----D---- C:\Program Files\NetMeeting
2008-11-06 15:36:01 ----A---- C:\WINDOWS\system32\msoert2.dll
2008-11-06 15:36:01 ----A---- C:\WINDOWS\system32\msoeacct.dll
2008-11-06 15:36:00 ----A---- C:\WINDOWS\system32\inetres.dll
2008-11-06 15:36:00 ----A---- C:\WINDOWS\system32\inetcomm.dll
2008-11-06 15:35:59 ----D---- C:\Program Files\Outlook Express
2008-11-06 15:35:59 ----A---- C:\WINDOWS\system32\schedsvc.dll
2008-11-06 15:35:59 ----A---- C:\WINDOWS\system32\mstinit.exe
2008-11-06 15:35:58 ----A---- C:\WINDOWS\system32\mstask.dll
2008-11-06 15:35:58 ----A---- C:\WINDOWS\system32\isign32.dll
2008-11-06 15:35:58 ----A---- C:\WINDOWS\system32\inetcfg.dll
2008-11-06 15:35:58 ----A---- C:\WINDOWS\system32\icwphbk.dll
2008-11-06 15:35:58 ----A---- C:\WINDOWS\system32\icwdial.dll
2008-11-06 15:35:53 ----D---- C:\Program Files\Common Files\System
2008-11-06 15:35:52 ----D---- C:\Program Files\Internet Explorer
2008-11-06 15:35:25 ----D---- C:\Program Files\ComPlus Applications
2008-11-06 15:35:23 ----A---- C:\WINDOWS\vbaddin.ini
2008-11-06 15:35:23 ----A---- C:\WINDOWS\vb.ini
2008-11-06 15:35:19 ----D---- C:\WINDOWS\Registration
2008-11-06 15:35:13 ----D---- C:\Program Files\Windows Media Player
2008-11-06 15:35:13 ----D---- C:\Program Files\Online Services
2008-11-06 15:35:08 ----D---- C:\Program Files\Messenger
2008-11-06 15:35:05 ----D---- C:\Program Files\MSN Gaming Zone
2008-11-06 15:35:05 ----A---- C:\WINDOWS\system32\write.exe
2008-11-06 15:34:57 ----A---- C:\WINDOWS\system32\sndvol32.exe
2008-11-06 15:34:57 ----A---- C:\WINDOWS\system32\hticons.dll
2008-11-06 15:34:57 ----A---- C:\WINDOWS\system32\avwav.dll
2008-11-06 15:34:57 ----A---- C:\WINDOWS\system32\avmeter.dll
2008-11-06 15:34:56 ----A---- C:\WINDOWS\system32\winchat.exe
2008-11-06 15:34:56 ----A---- C:\WINDOWS\system32\avtapi.dll
2008-11-06 15:34:50 ----A---- C:\WINDOWS\system32\getuname.dll
2008-11-06 15:34:50 ----A---- C:\WINDOWS\system32\charmap.exe
2008-11-06 15:34:50 ----A---- C:\WINDOWS\system32\calc.exe
2008-11-06 15:34:49 ----A---- C:\WINDOWS\system32\winmine.exe
2008-11-06 15:34:49 ----A---- C:\WINDOWS\system32\sol.exe
2008-11-06 15:34:49 ----A---- C:\WINDOWS\system32\reset.exe
2008-11-06 15:34:49 ----A---- C:\WINDOWS\system32\mshearts.exe
2008-11-06 15:34:49 ----A---- C:\WINDOWS\system32\freecell.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\tslabels.ini
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\tskill.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\tscon.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\shadow.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\rwinsta.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\regini.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\qwinsta.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\qappsrv.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\msg.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\logoff.exe
2008-11-06 15:34:48 ----A---- C:\WINDOWS\system32\cdmodem.dll
2008-11-06 15:34:47 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2008-11-06 15:34:47 ----A---- C:\WINDOWS\system32\mtxex.dll
2008-11-06 15:34:47 ----A---- C:\WINDOWS\system32\mtxdm.dll
2008-11-06 15:34:47 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2008-11-06 15:34:47 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2008-11-06 15:34:46 ----A---- C:\WINDOWS\system32\stclient.dll
2008-11-06 15:34:46 ----A---- C:\WINDOWS\system32\comsnap.dll
2008-11-06 15:34:46 ----A---- C:\WINDOWS\system32\comrepl.dll
2008-11-06 15:34:46 ----A---- C:\WINDOWS\system32\comaddin.dll
2008-11-06 15:34:42 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2008-11-06 15:34:32 ----D---- C:\Program Files\MSN
2008-11-06 15:34:32 ----A---- C:\WINDOWS\system32\accwiz.exe
2008-11-06 15:34:31 ----D---- C:\Program Files\Windows NT
2008-11-06 15:34:31 ----A---- C:\WINDOWS\system32\sndrec32.exe
2008-11-06 15:34:31 ----A---- C:\WINDOWS\system32\mspaint.exe
2008-11-06 15:34:31 ----A---- C:\WINDOWS\system32\mplay32.exe
2008-11-06 15:34:31 ----A---- C:\WINDOWS\system32\hypertrm.dll
2008-11-06 15:34:31 ----A---- C:\WINDOWS\system32\clipbrd.exe
2008-11-06 15:34:30 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2008-11-06 15:34:30 ----A---- C:\WINDOWS\system32\spider.exe
2008-11-06 15:34:30 ----A---- C:\WINDOWS\system32\mstscax.dll
2008-11-06 15:34:30 ----A---- C:\WINDOWS\system32\mstsc.exe
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\tscupgrd.exe
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\sessmgr.exe
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\remotepg.dll
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\rdshost.exe
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\rdpclip.exe
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\rdchost.dll
2008-11-06 15:34:29 ----A---- C:\WINDOWS\system32\qprocess.exe
2008-11-06 15:34:28 ----D---- C:\WINDOWS\system32\MsDtc
2008-11-06 15:34:28 ----A---- C:\WINDOWS\system32\xolehlp.dll
2008-11-06 15:34:28 ----A---- C:\WINDOWS\system32\mtxoci.dll
2008-11-06 15:34:28 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2008-11-06 15:34:28 ----A---- C:\WINDOWS\system32\msdtctm.dll
2008-11-06 15:34:28 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2008-11-06 15:34:28 ----A---- C:\WINDOWS\system32\icaapi.dll
2008-11-06 15:34:28 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2008-11-06 15:34:27 ----D---- C:\WINDOWS\system32\Com
2008-11-06 15:34:27 ----A---- C:\WINDOWS\system32\msdtclog.dll
2008-11-06 15:34:27 ----A---- C:\WINDOWS\system32\msdtc.exe
2008-11-06 15:34:27 ----A---- C:\WINDOWS\system32\colbact.dll
2008-11-06 15:34:27 ----A---- C:\WINDOWS\system32\clbcatex.dll
2008-11-06 15:34:27 ----A---- C:\WINDOWS\system32\catsrvps.dll
2008-11-06 15:34:26 ----A---- C:\WINDOWS\system32\comuid.dll
2008-11-06 15:34:26 ----A---- C:\WINDOWS\system32\comsvcs.dll
2008-11-06 15:34:26 ----A---- C:\WINDOWS\system32\catsrvut.dll
2008-11-06 15:34:26 ----A---- C:\WINDOWS\system32\catsrv.dll
2008-11-06 15:34:25 ----A---- C:\WINDOWS\system32\clbcatq.dll
2008-11-06 15:34:21 ----A---- C:\WINDOWS\system32\servdeps.dll
2008-11-06 15:34:21 ----A---- C:\WINDOWS\system32\mmfutil.dll
2008-11-06 15:34:20 ----A---- C:\WINDOWS\system32\licwmi.dll
2008-11-06 15:34:20 ----A---- C:\WINDOWS\system32\cmprops.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nwiz.exe
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvwss.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvwimg.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvwdmcpl.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvwddi.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvvitvs.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvsvc32.exe
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvshell.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvoglnt.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvnt4cpl.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvmobls.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvmctray.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvmccss.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvmccsrs.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvmccs.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nview.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvgames.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvdspsch.exe
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvdisps.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvcuda.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvcplui.exe
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvcpl.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvcolor.exe
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvcodins.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvcod.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvappbar.exe
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nvapi.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\nv4_disp.dll
2008-10-07 13:33:00 ----A---- C:\WINDOWS\system32\keystone.exe

======List of files/folders modified in the last 1 months======

2008-11-06 19:33:43 ----A---- C:\WINDOWS\win.ini
2008-11-06 19:27:42 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-12-21 30216]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-12-21 53768]
R1 KLIF;Kaspersky Lab Driver; C:\WINDOWS\system32\DRIVERS\klif.sys [2008-11-06 187408]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-12-21 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-12-21 71176]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2007-12-21 30728]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 24592]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-10-07 6133856]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 atirage3;atirage3; C:\WINDOWS\system32\DRIVERS\atimpae.sys [2001-08-17 75136]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AVP;Kaspersky Anti-Virus; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2008-04-25 201992]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-10-07 163908]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]

-----------------EOF-----------------
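As an added example that is not part of the original post or of any tool mentioned in it: a small Python triage script that applies, over the log above, the checks a log helper would make by eye. It flags a script host (wscript.exe) started from an HKLM Run key and from MountPoints2 AutoRun/Open handlers, IE start/search pages and a custom window title, the policies that lock the user out of regedit, Task Manager and Folder Options, and a script file marked hidden+system under C:\WINDOWS. The SAMPLE_LOG is a constructed excerpt of the HijackThis/RSIT output posted here, the rule names and the trusted-host allowlist are assumptions, and the script only reports; it removes nothing.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis / RSIT log posted in this topic,
# trimmed to the lines the rules below look at.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.redtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = SoWar Browser
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RawOs] wscript.exe "C:\WINDOWS\sowar.vbs"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"DisableRegistryTools"=1
"DisableTaskMgr"=1
"NoFolderOptions"=1
shell\AutoRun\command - wscript.exe sowar.vbs
shell\Open\command - wscript.exe sowar.vbs
2008-11-06 18:38:24 ----RASH---- C:\WINDOWS\sowar.vbs
2008-11-06 18:38:22 ----A---- C:\WINDOWS\system32\spupdsvc.exe
"""

# Assumed allowlist of acceptable home/search page hosts; anything else is reported.
TRUSTED_HOME_HOSTS = {"www.microsoft.com", "www.msn.com", "www.google.com"}

SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)\.exe\b", re.I)
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\.*\\(wscript|cscript|mshta)\.exe$", re.I)
O4_RUN = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R_ENTRY = re.compile(r"^R[01] - .*Internet Explorer\\Main,(?P<key>[^=]+?) = (?P<value>.+)$")
MOUNTPOINT_CMD = re.compile(r"^shell\\(AutoRun|Open)\\command - .+$", re.I)
LOCKOUT = re.compile(r'"?(DisableRegistryTools|DisableRegedit|DisableTaskMgr|NoFolderOptions)"?\s*=\s*1\b')
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ----(?P<attrs>[A-Z]*)---- (?P<path>.+)$")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    line: str   # the offending log line, verbatim


def _is_trusted_home(value: str) -> bool:
    if value.lower() == "about:blank":
        return True
    host = (urlparse(value).hostname or "").lower()
    return host in TRUSTED_HOME_HOSTS


def triage(log_text: str) -> list:
    """Return one Finding per log line that matches a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Running processes section: a script host is live right now.
        if PROCESS_LINE.match(line):
            findings.append(Finding("script-host-running", line))
            continue
        # O4 Run keys: persistence that launches a script host.
        m = O4_RUN.match(line)
        if m:
            if SCRIPT_HOST.search(m["cmd"]):
                findings.append(Finding("script-host-autorun", line))
            continue
        # R0/R1: start/search page off the allowlist, or a custom IE window title.
        m = R_ENTRY.match(line)
        if m:
            key = m["key"].strip()
            if key in ("Start Page", "Search Page") and not _is_trusted_home(m["value"].strip()):
                findings.append(Finding("ie-settings-hijacked", line))
            elif key == "Window Title":
                findings.append(Finding("ie-settings-hijacked", line))
            continue
        # MountPoints2 AutoRun/Open handlers: the spread path for removable media.
        if MOUNTPOINT_CMD.match(line):
            findings.append(Finding("removable-media-autorun", line))
            continue
        # Policies that lock the user out of regedit, Task Manager and Folder Options.
        if LOCKOUT.search(line):
            findings.append(Finding("tool-lockout-policy", line))
            continue
        # Recent-files list: a script marked hidden+system.
        m = FILE_ENTRY.match(line)
        if m and {"H", "S"} <= set(m["attrs"]) and m["path"].lower().endswith(SCRIPT_EXT):
            findings.append(Finding("hidden-system-script", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, for a quick overview before reading the lines."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run against a full RSIT log by reading the file into `triage()`. The rules are deliberately narrow: a benign O4 entry such as the Kaspersky or NVIDIA ones produces no finding, so every line reported is one the helper has to decide about, and the MountPoints2 hits are the reason cleaning the 15 PCs one by one will not hold if infected USB sticks keep coming back.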


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 18 November 2008 - 04:35 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTScanIt
Download OTScanIt2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box.
  • Under the Additional Scans bar, click "Extras". Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.


Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 23 November 2008 - 12:31 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
