Hijackthis log:highly suspicious malware


This topic is locked
26 replies to this topic

#1 Dylanz Of Dylanz

  • Members
  • 171 posts

Posted 16 November 2008 - 10:02 AM

Yesterday I was surfing the internet. All of a sudden my computer went on a rage: the explorer.exe process keeps on restarting, and then a Windows device error keeps on popping up. The services in services.msc are all disabled, but now I have enabled some of them back.
Till now explorer.exe is still restarting, even in safe mode, and my sound card driver is corrupted too. I tried reinstalling the sound card driver many times, but after rebooting a message with readreg appeared for a while. I googled for readreg and found that it may be a malware. My sound driver gives an error; below is the exact error message for the sound driver:

This device cannot find enough free resources that it can use. (Code 12)

If you want to use this device, you will need to disable one of the other devices on this system.

Click Troubleshoot to start the troubleshooter for this device.

I am pretty sure I'm infected by some kind of malware/virus. Here's my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:50 PM, on 11/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozzila\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\ivan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 123.111.230.136:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O1 - Hosts: 211.155.224.14 www.tvants.com
O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive2\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349954228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349907491
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} (CamRegCleanControl Object) - http://www.amustsoft.com/onlineregistrysca...eRegCleaner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

--
End of file - 8650 bytes

[update]
I did a Trend Micro online scan and deleted some trojans, but there's one more which can't be deleted.
This is my after-scan HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:28 AM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Mozzila\firefox.exe
D:\Program Files\BitComet\BitComet.exe
C:\Documents and Settings\ivan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 123.111.230.136:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O1 - Hosts: 211.155.224.14 www.tvants.com
O2 - BHO: (no name) - {31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B} - C:\WINDOWS\system32\cbXOIaWq.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BF0CA4FC-6378-4062-B546-3CDE8A28B1E0} - (no file)
O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349954228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349907491
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} (CamRegCleanControl Object) - http://www.amustsoft.com/onlineregistrysca...eRegCleaner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cbXOIaWq - C:\WINDOWS\SYSTEM32\cbXOIaWq.dll
O20 - Winlogon Notify: nnnoNdcb - nnnoNdcb.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

--
End of file - 8996 bytes

Edited by Dylanz Of Dylanz, 16 November 2008 - 11:04 PM.



#2 Dylanz Of Dylanz

  • Topic Starter
  • Members
  • 171 posts

Posted 18 November 2008 - 11:33 AM

Hey there, I'm so sorry but I cannot find the edit button for my post. Sorry if I caused you to analyse too many logs.
One of the viruses that I have is Virtumonde. I tried running VundoFix in safe mode but it did not find anything. I tried Spybot and SUPERAntiSpyware; they came up with Virtumonde and some other trojans, but they reappear after being deleted.

If you read this post first, the HijackThis logs above may not need to be read.
Anyway, here's the latest one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:51 AM, on 11/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Mozzila\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ivan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 123.111.230.136:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O1 - Hosts: 211.155.224.14 www.tvants.com
O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349954228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349907491
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} (CamRegCleanControl Object) - http://www.amustsoft.com/onlineregistrysca...eRegCleaner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs:
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9017 bytes

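The logs in posts #1 and #2 contain the entries a helper would look at first: the ProxyServer value under Internet Settings (R1), the hosts-file overrides (O1), the unnamed BHO and the Winlogon Notify DLL sharing the eight-letter name cbXOIaWq (O2/O20), the READREG autostart (O4) and the DisableRegedit policy (O7). The following Python script is an added example, not part of this thread and not part of the HijackThis tool: it parses lines in the HJT log format and ranks those entry classes by how often they carry persistence, so an analyst reads the high-severity lines first. The sample lines are copied from the posted logs; the severity rules and the looks_random() heuristic are my own assumptions, meant to prioritise review, not to decide what gets removed.

```python
"""Triage a HijackThis log for the entry classes that most often carry
persistence. Added example; not part of the thread or of the HijackThis tool.
The sample lines are copied from the logs posted above; the severities are
generic heuristics an analyst would still confirm by hand."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines taken verbatim from the two posted logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 123.111.230.136:8080
O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net
O2 - BHO: (no name) - {31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B} - C:\WINDOWS\system32\cbXOIaWq.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: blueserver toolbar - {83ef376d-8874-4769-a2e7-7096480e7def} - (no file)
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: cbXOIaWq - C:\WINDOWS\SYSTEM32\cbXOIaWq.dll
O20 - Winlogon Notify: nnnoNdcb - nnnoNdcb.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""


@dataclass
class Finding:
    section: str
    severity: str  # high | medium | low | info
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption) for generated 8-letter names such as
    cbXOIaWq or nnnoNdcb: letters only, exactly eight, and either almost no
    vowels or several internal case switches. CamelCase product names can
    trip it; treat a hit as 'look closer', not as a verdict."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    switches = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowels <= 1 or switches >= 3


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\cbXOIaWq.dll' -> 'cbXOIaWq'."""
    return path.strip().split("\\")[-1].rsplit(".", 1)[0]


def autostart_target(cmd: str) -> str:
    """First token of an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Finding | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    if sec == "R1" and (pm := PROXY_RE.search(body)):
        return Finding(sec, "high", f"browser proxy set to {pm['proxy']}; IE traffic is relayed through it", line)
    if sec == "O1":
        return Finding(sec, "medium", f"hosts file overrides {body.split()[-1]}", line)
    if sec == "O7":
        return Finding(sec, "high", "policy restriction disables an admin tool", line)
    if sec == "O20" and body.startswith("Winlogon Notify"):
        if "(file missing)" in body:
            return Finding(sec, "low", "orphaned Winlogon Notify entry, DLL already gone", line)
        return Finding(sec, "high", "non-Microsoft DLL loaded by winlogon.exe at logon", line)
    if sec in ("O2", "O3"):
        if body.endswith("(no file)"):
            return Finding(sec, "low", "registration points at a missing file; clean-up only", line)
        path = body.rsplit(" - ", 1)[-1]
        if "(no name)" in body or looks_random(file_stem(path)):
            return Finding(sec, "high", "unnamed or random-named browser add-on", line)
        return Finding(sec, "info", "named browser add-on, verify publisher", line)
    if sec == "O4":
        target = autostart_target(body.split("] ", 1)[-1])
        parent = target.rsplit("\\", 1)[0].lower() if "\\" in target else ""
        if not target.lower().endswith(".exe"):
            return Finding(sec, "medium", f"autostart target {target} has no .exe extension", line)
        if parent == r"c:\windows":
            return Finding(sec, "medium", f"autostart runs from the Windows root: {target}", line)
        return Finding(sec, "info", f"autostart {target}", line)
    if sec == "O23":
        return Finding(sec, "info", "installed service, verify publisher", line)
    return None


def triage(log_text: str) -> list[Finding]:
    """Parse every line and return findings, highest severity first."""
    found = (triage_line(l) for l in log_text.splitlines())
    return sorted((f for f in found if f), key=lambda f: SEVERITY_ORDER[f.severity])


def summary(findings: list[Finding]) -> dict[str, int]:
    counts = {k: 0 for k in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section:<4} {f.reason}\n         {f.line.strip()}")
```

Run it against a saved HijackThis log by passing the file contents to triage(). On the sample it puts the proxy setting, the DisableRegedit policy and the two cbXOIaWq registrations at the top; the orphaned "(no file)" and "(file missing)" entries sink to the bottom because they only need tidying. The proxy rule is deliberately blunt: a ProxyServer value that the owner did not configure means every Internet Explorer request is routed through that host, so it is worth confirming before anything else.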
#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 18 November 2008 - 04:01 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the button at the top bar of this topic to Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTScanIt
Download OTScanIt2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box.
  • Under the Additional Scans bar, click "Extras". Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


In your next reply include:
-the OTScanIt log (attached)
-the Kaspersky log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

Edited by PropagandaPanda, 18 November 2008 - 06:42 PM.


#4 Dylanz Of Dylanz

  • Topic Starter


Posted 19 November 2008 - 12:16 AM

Currently my explorer.exe and sound device are not working. Here's what you asked me to do, the Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 19, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, November 19, 2008 01:42:22
Records in database: 1392958
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 71535
Threat name: 7
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 02:36:47


File name / Threat name / Threats count
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\cbXOIaWq.dll.bac_a01048 Infected: Trojan.Win32.Monderb.vqc 1
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\Heart Bend.exe.bac_a01048 Infected: Trojan.Win32.Obfuscated.gen 1
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\Jacky Cheung - For My Broken Heart (duet with Reba McEntire).mp3.bac_a01048 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\opnkhecb.dll.bac_a01048 Infected: Trojan.Win32.Monderb.vqc 1
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\there for me jacky cheung.mp3.bac_a01048 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\WINDOWS\system32\vistaupgrade.exe Infected: Trojan-Downloader.Win32.Agent.nrg 1
C:\WINDOWS\system32\vntiho03\vntiho031064.exe Infected: Trojan-Downloader.Win32.VB.exf 1
D:\Program Files\LimeWire\.NetworkShare\seaworld adventure park tycoon_Crack.zip Infected: Trojan.Win32.Buzus.adbl 1
D:\Program Files\WinZix\WinZix.exe Infected: not-a-virus:FraudTool.Win32.WinZix.e 1

The selected area was scanned.

Attached File: OTScanIt.Txt (173.83KB)

Edited by Dylanz Of Dylanz, 19 November 2008 - 04:10 AM.


#5 PropagandaPanda



  • Malware Response Team

Posted 19 November 2008 - 11:51 AM

Hello Dylanz Of Dylanz.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run.

To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {6756792F-C7D4-474D-8C7E-13EC89491F8E} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YY -> {D29DE9A7-97DC-4D54-88C4-467346D5C5F3} [HKLM] -> %SystemRoot%\system32\khfCvWOG.dll [Reg Error: Value  does not exist or could not be read.]
    < Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    YN -> "{0BF43445-2F28-4351-9252-17FE6E806AA0}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> "{83ef376d-8874-4769-a2e7-7096480e7def}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [blueserver toolbar]
    YN -> "{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Ask Toolbar]
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YN -> cbXOIaWq -> 
    YN -> nnnoNdcb -> 
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YY -> C:\WINDOWS\system32\khfCvWOG -> %SystemRoot%\system32\khfCvWOG.dll
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    [Files/Folders - Created Within 30 Days]
    NY -> GOWvCfhk.ini -> %SystemRoot%\System32\GOWvCfhk.ini
    NY -> GOWvCfhk.ini2 -> %SystemRoot%\System32\GOWvCfhk.ini2
    NY -> khfCvWOG.dll -> %SystemRoot%\System32\khfCvWOG.dll
    NY -> edJRrtwa.ini -> %SystemRoot%\System32\edJRrtwa.ini
    NY -> hQYcLRqr.ini -> %SystemRoot%\System32\hQYcLRqr.ini
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

Please post back with:
-the OTScanIt fix log
-the MalwareBytes log
-a new OTScanIt log (default settings, attached)

How is your computer running now?

With Regards,
The Panda
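As an added example (editor's code, not from the thread, from OldTimer's tool or from any of the scanners used here), the script below audits offline the two logon-time persistence points the fix script above removes: the LSA Authentication Packages value and the Winlogon\Notify subkeys. The Windows XP baselines and the registry snapshot it runs on are constructed assumptions, so compare the allowlists against a known-clean machine of the same build before relying on them.

```python
"""Offline audit of two logon-time persistence points cleaned by the fix
above: the LSA "Authentication Packages" multi-string value and the
Winlogon\\Notify subkeys.  Registry contents are passed in as plain Python
data (for example exported from the affected machine), so this runs anywhere.
Editor's example, not code from the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

# Known-good entries on a stock Windows XP SP2 system (editor's assumption;
# verify against a clean machine of the same build).  Compared case-insensitively.
BASELINE_AUTH_PACKAGES = {"msv1_0"}
BASELINE_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# The Vundo-family files in this thread carried 8-letter alphabetic names
# (khfCvWOG, cbXOIaWq, nnnoNdcb).  Weak heuristic, used only to annotate;
# the baseline comparison is the actual check.
EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")


@dataclass(frozen=True)
class Finding:
    location: str   # which persistence point
    entry: str      # the offending value or subkey name
    reason: str     # why it was flagged


def _module_name(value: str) -> str:
    """Strip directory and extension: 'C:\\X\\khfCvWOG.dll' -> 'khfCvWOG'."""
    leaf = value.replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0] if "." in leaf else leaf


def _annotate(name: str) -> str:
    return "; random-looking 8-letter name" if EIGHT_LETTERS.match(name) else ""


def audit_auth_packages(packages: List[str]) -> List[Finding]:
    """packages: the REG_MULTI_SZ strings of 'Authentication Packages' under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa.  A legitimate package is a
    bare module name that LSA loads from system32 at boot."""
    findings = []
    for raw in packages:
        name = _module_name(raw)
        if name.lower() in BASELINE_AUTH_PACKAGES:
            continue
        reason = "not in baseline"
        if "\\" in raw:
            reason += "; full path given where a bare module name is expected"
        reason += _annotate(name)
        findings.append(Finding("Lsa\\Authentication Packages", raw, reason))
    return findings


def audit_winlogon_notify(subkeys: Mapping[str, Mapping[str, str]]) -> List[Finding]:
    """subkeys: {subkey name: {value name: data}} under
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify."""
    findings = []
    for name, values in subkeys.items():
        if name.lower() in BASELINE_NOTIFY_SUBKEYS:
            continue
        dll: Optional[str] = values.get("DllName")
        reason = "not in baseline"
        if dll is None:
            # As in the thread: the DLL was already quarantined but the Notify
            # subkey survived.  It still points winlogon at a missing file and
            # should be removed with the rest of the infection.
            reason += "; no DllName (orphaned entry)"
        else:
            reason += f"; loads {dll}"
        reason += _annotate(name)
        findings.append(Finding("Winlogon\\Notify\\" + name, name, reason))
    return findings


# Constructed snapshot reproducing the entries the OTScanIt fix above removed.
SAMPLE_AUTH_PACKAGES = ["msv1_0", "C:\\WINDOWS\\system32\\khfCvWOG"]
SAMPLE_NOTIFY: Dict[str, Dict[str, str]] = {
    "crypt32chain": {"DllName": "crypt32.dll"},
    "ScCertProp": {"DllName": "wlnotify.dll"},
    "cbXOIaWq": {},            # DllName already gone, key left behind
    "nnnoNdcb": {},
}


def run_audit(packages=SAMPLE_AUTH_PACKAGES, notify=SAMPLE_NOTIFY) -> List[Finding]:
    return audit_auth_packages(packages) + audit_winlogon_notify(notify)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.location}: {f.entry!r} -> {f.reason}")
```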

#6 Dylanz Of Dylanz

  • Topic Starter


Posted 20 November 2008 - 12:49 AM

explorer.exe has stopped restarting, which is great, but I'm not sure whether the viruses are still here. Below are all the logs you requested. Is a HijackThis log needed?

-OTScanIt fix log-
Explorer killed successfully
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31CDFCB9-37D6-4C1D-A31D-AA2DD56F637B}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6756792F-C7D4-474D-8C7E-13EC89491F8E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6756792F-C7D4-474D-8C7E-13EC89491F8E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D29DE9A7-97DC-4D54-88C4-467346D5C5F3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D29DE9A7-97DC-4D54-88C4-467346D5C5F3}\ not found.
C:\WINDOWS\system32\khfCvWOG.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{83ef376d-8874-4769-a2e7-7096480e7def} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83ef376d-8874-4769-a2e7-7096480e7def}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXOIaWq\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnoNdcb\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\khfCvWOG deleted successfully.
File C:\WINDOWS\system32\khfCvWOG.dll not found.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\System32\GOWvCfhk.ini moved successfully.
C:\WINDOWS\System32\GOWvCfhk.ini2 moved successfully.
File C:\WINDOWS\System32\khfCvWOG.dll not found!
C:\WINDOWS\System32\edJRrtwa.ini moved successfully.
C:\WINDOWS\System32\hQYcLRqr.ini moved successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\ivan\Local Settings\Temp\etilqs_KqLVYeQeX9ZRcjFXDu7p scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.35b fix logfile created on 11202008_114939

Files moved on Reboot...
File C:\Documents and Settings\ivan\Local Settings\Temp\etilqs_KqLVYeQeX9ZRcjFXDu7p not found!

-MalwareBytes log-
Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 5.1.2600 Service Pack 2

11/20/2008 1:35:23 PM
mbam-log-2008-11-20 (13-35-23).txt

Scan type: Quick Scan
Objects scanned: 58096
Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 28
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\browsingenhancer.browserwatcher (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.browserwatcher.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.pornpro_bho (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.pornpro_bho.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.precachebrowserhost (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.precachebrowserhost.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{125e9d24-2428-38d2-8e23-804e3275209c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3f2579e9-ec37-3112-9bde-d2db14e95c32} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e12688ce-9384-28e3-a041-4e1a9ce14506} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{96fdc0f6-929e-e96c-597f-386cd3c7d7aa} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b056fd59-0c72-3878-da81-4c5239908200} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98d555cc-a569-43fb-2f43-3a98ccda4b50} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{40b2127e-cc18-37d0-43ca-afa158c64001} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e1e1d3a0-66ea-46d2-bbcf-43730668e1eb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31cdfcb9-37d6-4c1d-a31d-aa2dd56f637b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BrowsingEnhancer.DLL (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BrowsingEnhancer (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Common Files\Carlson.1 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.2 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.3 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.4 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.5 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.6 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.7 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.8 (Dialer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Carlson.9 (Dialer) -> Quarantined and deleted successfully.
C:\Documents and Settings\ivan\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\ivan\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\ivan\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\ivan\Application Data\RegistrySmart\Registry Backups\2008-08-03_14-25-34.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.

Attached File: OTScanIt.Txt (110.69KB)

#7 Dylanz Of Dylanz

  • Topic Starter


Posted 20 November 2008 - 03:15 AM

Here is the AntiVir Personal Edition scan log.



Avira AntiVir Personal
Report file date: Thursday, November 20, 2008 15:01

Scanning for 1042450 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: IVAN-E4MCGRW4H4

Version information:
BUILD.DAT : 8.2.0.336 16933 Bytes 10/30/2008 11:40:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 02:57:54
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 01:56:42
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 06:44:20
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 01:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 06:56:40
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 06:56:48
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 06:56:54
ANTIVIR3.VDF : 7.1.0.110 109568 Bytes 11/19/2008 06:57:00
Engineversion : 8.2.0.34
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 04:05:58
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/20/2008 06:57:52
AESCN.DLL : 8.1.1.5 123251 Bytes 11/20/2008 06:57:50
AERDL.DLL : 8.1.1.3 438645 Bytes 11/20/2008 06:57:48
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/20/2008 06:57:40
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/20/2008 06:57:34
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/20/2008 06:57:32
AEHELP.DLL : 8.1.2.0 119159 Bytes 11/20/2008 06:57:20
AEGEN.DLL : 8.1.1.4 319861 Bytes 11/20/2008 06:57:16
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 04:05:58
AECORE.DLL : 8.1.5.0 172407 Bytes 11/20/2008 06:57:08
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 04:05:58
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 02:40:06
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 03:28:02
AVREP.DLL : 8.0.0.2 98344 Bytes 11/20/2008 06:57:02
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 05:26:42
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 02:29:24
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 06:27:50
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 11:28:04
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 06:49:42
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 06:05:12
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 07:48:08
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 07:34:38

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: d:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, November 20, 2008 15:01

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'CTHELPER.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
25 processes with 25 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '67' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\cbXOIaWq.dll.bac_a01048
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\ivan\.housecall6.6\Quarantine\cbXOIaWq.dll.bac_a01048
[DETECTION] Is the TR/Vundo.fnr.21 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\Heart Bend.exe.bac_a01048
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\ivan\.housecall6.6\Quarantine\Heart Bend.exe.bac_a01048
[DETECTION] Is the TR/Agent.ZM Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\ivan\.housecall6.6\Quarantine\opnkhecb.dll.bac_a01048
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\ivan\.housecall6.6\Quarantine\opnkhecb.dll.bac_a01048
[DETECTION] Is the TR/Vundo.fnr.21 Trojan
[NOTE] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\rqrqp.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\vistaupgrade.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was deleted!
C:\WINDOWS\system32\vntiho03\vntiho031064.exe
[DETECTION] Is the TR/Dldr.VB.exf Trojan
[NOTE] The file was deleted!
C:\_OTScanIt\MovedFiles\11202008_114939\C_WINDOWS\system32\khfCvWOG.dll
[DETECTION] Is the TR/Vundo.fxr.18 Trojan
[NOTE] The file was deleted!
Begin scan in 'D:\'
D:\Program Files\Gravity\Ro\ijl20.dll
[DETECTION] Contains HEUR/Malware suspicious code
[WARNING] The file was ignored!
D:\Program Files\LimeWire\.NetworkShare\Track 9.wma
[DETECTION] Is the TR/Wimad.A.Gen Trojan
[NOTE] The file was deleted!
D:\Program Files\LimeWire\.NetworkShare\seaworld adventure park tycoon_Crack.zip
[0] Archive type: ZIP
--> Crack.exe
[DETECTION] Is the TR/Buzus.adbl Trojan
[NOTE] The file was deleted!
D:\Program Files\WinZix\WinZix.exe
[DETECTION] Is the TR/Agent.794624.B Trojan
[NOTE] The file was deleted!
D:\Program Files\UCPlay\data\ucpw3cl.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was deleted!
D:\Program Files\UCPlay\data\ucw3core.dll
[DETECTION] Is the TR/Zlob.1.Gen.7 Trojan
[NOTE] The file was deleted!


End of the scan: Thursday, November 20, 2008 16:13
Used time: 1:12:54 Hour(s)

The scan has been done completely.

5655 Scanning directories
238314 Files were scanned
12 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
12 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
238300 Files not concerned
1571 Archives were scanned
2 Warnings
12 Notes

#8 Dylanz Of Dylanz

  • Topic Starter


Posted 20 November 2008 - 06:13 AM

After I shut down my computer (because of a thunderstorm) and later turned it back on, the taskbar changed to white/gray because the settings were changed, and the services in services.msc are all disabled. BTW, I've run ComboFix and it found some threats. Sorry if I did something you didn't ask me to. Here's the latest HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:41 PM, on 11/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Mozzila\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\ivan\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 123.111.230.136:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349954228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173349907491
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} (CamRegCleanControl Object) - http://www.amustsoft.com/onlineregistrysca...eRegCleaner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8162 bytes

Edited by Dylanz Of Dylanz, 20 November 2008 - 10:57 AM.


#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:38 AM

Posted 20 November 2008 - 11:47 AM

Hello.

That's alright, but please avoid things like that in the future.

Please post C:\ComboFix.txt.

I want to see what ComboFix found.

Are there signs of infection right now?

With Regards,
The Panda

#10 Dylanz Of Dylanz

Dylanz Of Dylanz
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 20 November 2008 - 12:01 PM

Here's what ComboFix found..... Currently no signs of infection, but I'll wait and see if there's a sign... I'm afraid that the "services disabled" sign comes.....

ComboFix 08-11-19.08 - ivan 2008-11-20 23:27:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT 8:00]
Running from: c:\documents and settings\ivan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\IEXPLORER.EXE
C:\temp.exe
C:\update.exe
c:\windows\admintxt.txt
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\mdm.exe
c:\windows\system32\Microsoft\backup.ftp
c:\windows\system32\Microsoft\backup.tftp
c:\windows\system32\MSINET.oca
c:\windows\system32\system.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV


((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 12:08 . 2008-11-20 12:08 <DIR> d-------- c:\documents and settings\ivan\Application Data\Malwarebytes
2008-11-20 12:08 . 2008-11-20 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 12:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 12:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-20 11:49 . 2008-11-20 11:49 <DIR> d----c--- C:\_OTScanIt
2008-11-18 18:47 . 2001-08-17 12:19 96,256 --a------ c:\windows\system32\drivers\ctlsb16.sys
2008-11-18 13:39 . 2008-11-20 13:39 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-18 13:39 . 2008-11-18 13:39 <DIR> d-------- c:\documents and settings\ivan\Application Data\SUPERAntiSpyware.com
2008-11-18 13:39 . 2008-11-18 13:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-18 11:40 . 2008-11-20 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-18 01:38 . 2008-11-18 01:42 <DIR> d-------- c:\windows\nview
2008-11-18 01:38 . 2005-04-01 16:16 176,128 --a------ c:\windows\system32\nvudisp.exe
2008-11-18 01:38 . 2005-04-01 16:16 14,435 --a------ c:\windows\system32\nvdisp.nvu
2008-11-18 01:31 . 2008-11-18 01:31 <DIR> d----c--- C:\NVIDIA
2008-11-18 01:20 . 2008-11-18 01:20 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-11-17 21:41 . 2001-07-21 18:49 2,104,298 --a------ c:\windows\system32\drivers\2gmgsmt.sf2
2008-11-17 21:37 . 2000-05-11 01:00 90,112 --------- c:\windows\Updreg.EXE
2008-11-17 21:37 . 1998-06-05 02:00 84,992 --a------ c:\windows\system32\SFCVRT32.DLL
2008-11-17 21:37 . 1995-08-30 02:02 82,432 --a------ c:\windows\system32\CTWFLT32.DLL
2008-11-17 21:37 . 1998-10-20 16:05 54,784 --a------ c:\windows\system32\INETWH32.DLL
2008-11-17 21:37 . 1994-12-05 03:11 53,552 --------- c:\windows\CTCCW.DLL
2008-11-17 21:37 . 1995-07-13 02:01 26,768 --a------ c:\windows\system32\CTL3D.DLL
2008-11-17 21:37 . 1996-05-23 02:24 24,976 --------- c:\windows\CTRES.DLL
2008-11-17 21:37 . 1999-01-14 14:04 231 --------- c:\windows\AC3API.INI
2008-11-17 21:36 . 2008-11-17 21:36 <DIR> d-------- c:\windows\system32\Defaults
2008-11-17 21:36 . 1998-01-08 01:00 1,048,576 --a------ c:\windows\system32\SFMAN.DAT
2008-11-17 21:35 . 2002-07-24 13:52 998,004 --a------ c:\windows\system32\drivers\HA10KX2K.SYS
2008-11-17 21:35 . 2002-07-19 10:48 156,604 --a------ c:\windows\system32\drivers\EMUPIA2K.SYS
2008-11-17 21:35 . 2002-07-19 13:09 37,727 --a------ c:\windows\system32\Emu10kx.ini
2008-11-17 21:35 . 2002-06-04 07:45 20,480 --a------ c:\windows\INRES.DLL
2008-11-17 21:35 . 2002-07-19 10:56 29 --a------ c:\windows\system32\ctzapxx.ini
2008-11-17 21:33 . 2001-05-28 13:47 32,768 --a------ c:\windows\system32\AudioHQU.cpl
2008-11-17 21:33 . 2001-05-28 13:47 12,288 --a------ c:\windows\system32\AHQCpURes.dll
2008-11-17 20:08 . 2001-08-17 12:19 283,904 --a------ c:\windows\system32\drivers\emu10k1m.sys
2008-11-17 20:08 . 2001-08-17 22:36 256,512 --a------ c:\windows\system32\devcon32.dll
2008-11-17 20:08 . 2001-08-17 12:19 36,480 --a------ c:\windows\system32\drivers\sfmanm.sys
2008-11-17 20:08 . 2001-08-17 22:36 24,064 --a------ c:\windows\system32\devldr32.exe
2008-11-17 20:08 . 2001-08-17 12:19 6,912 --a------ c:\windows\system32\drivers\ctlfacem.sys
2008-11-17 18:17 . 2008-11-17 18:17 <DIR> d----c--- C:\VundoFix Backups
2008-11-16 20:20 . 2008-11-16 20:20 <DIR> d-------- c:\program files\iXi Tools
2008-11-16 19:57 . 2008-11-17 01:31 <DIR> d-------- c:\documents and settings\ivan\.housecall6.6
2008-11-16 19:34 . 1995-01-13 14:10 149,504 --a------ c:\windows\system32\MFCANS32.DLL
2008-11-16 19:34 . 1995-01-13 14:10 108,032 --a------ c:\windows\system32\MFCUIA32.DLL
2008-11-16 19:33 . 2008-11-17 20:08 <DIR> d-------- c:\windows\system32\Data
2008-11-16 11:09 . 2008-11-16 11:09 <DIR> d-------- c:\program files\Lavasoft
2008-11-07 23:30 . 2008-10-16 00:57 332,800 --a------ c:\windows\system32\SET5C.tmp
2008-11-01 16:48 . 2008-11-01 16:59 65,536 --a------ c:\windows\IFinst27.exe
2008-10-31 23:21 . 2008-10-31 23:22 <DIR> d----c--- C:\india
2008-10-31 22:59 . 2008-10-31 22:59 0 --a------ c:\windows\Irremote.ini
2008-10-28 14:33 . 2008-10-28 14:33 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-28 14:32 . 2008-10-28 14:32 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-28 14:27 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-10-27 11:26 . 2008-10-27 11:26 <DIR> d-------- c:\program files\MSXML 6.0
2008-10-20 01:38 . 2008-10-20 01:38 <DIR> d-------- c:\documents and settings\Dylan\Application Data\Comodo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 14:48 --------- d-----w c:\documents and settings\ivan\Application Data\MegauploadToolbar
2008-11-20 09:48 --------- d-----w c:\documents and settings\ivan\Application Data\Atari
2008-11-20 09:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 05:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 17:20 --------- d-----w c:\documents and settings\ivan\Application Data\SystemRequirementsLab
2008-11-16 17:20 --------- d-----w c:\documents and settings\All Users\Application Data\SITE ONLINE DOWNLOAD BAT
2008-11-16 13:56 --------- d-----w c:\program files\Creative
2008-11-16 11:27 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-15 09:04 --------- d-----w c:\documents and settings\ivan\Application Data\Azureus
2008-11-14 09:11 --------- d-----w c:\documents and settings\ivan\Application Data\ppstream
2008-11-03 08:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 07:16 --------- d-----w c:\program files\PCPitstop
2008-11-02 11:05 --------- d-----w c:\documents and settings\ivan\Application Data\MP3Rocket
2008-10-20 03:42 --------- d-----w c:\documents and settings\ivan\Application Data\Comodo
2008-10-18 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-18 16:24 1,298,432 -c--a-w C:\cc.exe
2008-10-18 14:53 --------- d-----w c:\program files\Real
2008-10-18 12:33 --------- d-----w c:\program files\Common Files\Download Manager
2008-10-18 08:43 --------- d-----w c:\program files\Real Alternative
2008-10-18 08:43 --------- d-----w c:\documents and settings\ivan\Application Data\Media Player Classic
2008-10-18 08:40 --------- d-----w c:\documents and settings\ivan\Application Data\vlc
2008-10-17 03:37 --------- d-----w c:\documents and settings\ivan\Application Data\Regrun
2008-10-11 04:58 --------- d-----w c:\program files\Microsoft
2008-10-11 04:53 --------- d-----w c:\program files\Common Files\Windows Live
2008-10-10 17:29 360,320 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-10-10 17:29 360,320 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-10-10 08:38 --------- d-----w c:\program files\DivX
2008-09-22 16:33 --------- d-----w c:\documents and settings\ivan\Application Data\gtk-2.0
2008-01-31 11:29 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-07-27 07:50 4,570,624 ----a-w c:\documents and settings\ivan\praat.exe
1998-12-09 02:53 99,840 -c--a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 -c--a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 -c--a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 -c--a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 -c--a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 -c--a-w c:\program files\Common Files\IRASRIAL.DLL
2008-07-17 13:08 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]
"SetDefaultMIDI"="MIDIDef.exe" [2002-01-14 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\READREG" [X]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]
"nwiz"="nwiz.exe" [2005-04-01 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 01000000
"DisableChangePassword"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoResolveTrack"= 1 (0x1)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ivan^Start Menu^Programs^Startup^Azureus Ultra Accelerator.lnk]
backup=c:\windows\pss\Azureus Ultra Accelerator.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60c48108

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DevconDefaultDB]
c:\windows\READREG [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drtg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorFixer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messaging
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyClean
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrustRef
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a--c--- 2007-06-20 00:05 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-02-22 17:35 3057152 d:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a--c--- 2001-08-23 20:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a--c--- 2004-08-03 22:32 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-08-23 17:36 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2008-09-09 00:02 3513344 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
--a--c--- 2003-07-14 06:57 95296 c:\program files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
--a------ 2008-08-07 15:31 165240 d:\program files\PPStream\PPSAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2008-03-08 07:33 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-18 22:53 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2002-01-14 14:42 61440 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=3 (0x3)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"usprserv"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nla"=2 (0x2)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"LightScribeService"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"cisvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"d:\\Program Files\\Warcraft III\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\DAP\\DAP.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=
"d:\\Program Files\\Mozzila\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"d:\\Program Files\\Counter-Strike\\hl.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Program Files\\PPStream\\PPStream.exe"=
"d:\\Program Files\\PPStream\\PPSAP.exe"=
"d:\\Program Files\\Counter-Strike\\hlds.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"d:\\Program Files\\Garena\\Garena.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"54124:TCP"= 54124:TCP:BitComet 54124 TCP
"54124:UDP"= 54124:UDP:BitComet 54124 UDP

R0 isapnpex;isapnpex;c:\windows\system32\drivers\isapnpex.sys []
R1 usbs2k;usbs2k;c:\windows\system32\drivers\usbs2k.sys []
S0 Partizan;Partizan; []
S1 nullnt;nullnt;c:\windows\system32\drivers\nullnt.sys []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-11-18 96256]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter; []
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ivan\LOCALS~1\Temp\GPE9D.tmp []
S3 itztehhack;itztehhack;\??\c:\documents and settings\ivan\Desktop\Captain Hook\itztehhack.sys []
S3 npkycryp;npkycryp; []
S3 rkhdrv40;Rootkit Unhooker Driver; []
S3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S3 sejt1;sejt1; []
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281c33a0-3da6-11dc-8ad6-0040050cb1ac}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281c33a1-3da6-11dc-8ad6-0040050cb1ac}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe WinProcess.exe.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29a07c18-811d-11dd-851e-0040050cb1ac}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.exe
\Shell\default\command - E:\a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99675990-4be5-11dc-8b00-0040050cb1ac}]
\Shell\AutoRun\command - auhohmyv.exe
\Shell\explore\Command - auhohmyv.exe
\Shell\open\Command - auhohmyv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\ACD4C4D891B37860.job
- c:\docume~1\ivan\applic~1\remote~1\This jugs first.exe []

2007-03-22 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Ipt50.sys
MSConfigStartUp-avgnt - d:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-BDAgent - d:\program files\Softwin\BitDefender10\bdagent.exe
MSConfigStartUp-BDMCon - d:\program files\Softwin\BitDefender10\bdmcon.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-DOWNLOAD BAT SCR 1 - c:\documents and settings\All Users\Application Data\SITE ONLINE DOWNLOAD BAT\Heart Bend.exe
MSConfigStartUp-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
MSConfigStartUp-Flashget - d:\program files\FlashGet\FlashGet.exe
MSConfigStartUp-InCD - d:\program files\Nero 7\InCD\InCD.exe
MSConfigStartUp-Jet Detection - c:\program files\Creative\SBLive2\PROGRAM\ADGJDet.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-SecurDisc - d:\program files\Nero 7\InCD\NBHGui.exe
MSConfigStartUp-svhosts - c:\windows\System32\svhosts.exe
MSConfigStartUp-VistaUpgrade - c:\windows\system32\vistaupgrade.exe
MSConfigStartUp-Memory Allocation Services - cisrv.exe
MSConfigStartUp-services - (no file)
MSConfigStartUp-ubass - mmdsvc.exe
MSConfigStartUp-UfSeAgnt - (no file)
MSConfigStartUp-Windows Live Client - msnclient.exe
MSConfigStartUp-Windows Live Servicer - usrserv.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\ivan\Application Data\Mozilla\Firefox\Profiles\x30we9af.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - d:\program files\Mozzila\plugins\np32dsw.dll
FF -: plugin - d:\program files\Mozzila\plugins\NPAskSBr.dll
FF -: plugin - d:\program files\Mozzila\plugins\npBitCometAgent.dll
FF -: plugin - d:\program files\Mozzila\plugins\npdivx32.dll
FF -: plugin - d:\program files\Mozzila\plugins\npmozax.dll
FF -: plugin - d:\program files\Mozzila\plugins\npmusicn.dll
FF -: plugin - d:\program files\Mozzila\plugins\npnul32.dll
FF -: plugin - d:\program files\Mozzila\plugins\npOGAPlugin.dll
FF -: plugin - d:\program files\Mozzila\plugins\nppl3260.dll
FF -: plugin - d:\program files\Mozzila\plugins\nprjplug.dll
FF -: plugin - d:\program files\Mozzila\plugins\nprpjplug.dll
FF -: plugin - d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 23:37:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\isapnpex.sys 19968 bytes executable
c:\windows\system32\drivers\usbs2k.sys 470656 bytes executable
c:\windows\system32\iprtx86.dll 941568 bytes executable
c:\windows\system32\wsh32.dll 135168 bytes executable
c:\windows\system32\tsshusvr.exe 2392064 bytes executable
c:\windows\system32\d3dcache.dll 87388041 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ivan\LOCALS~1\Temp\GPE9D.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-11-20 23:43:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 15:43:37
ComboFix2.txt 2008-01-16 04:53:18
ComboFix3.txt 2008-01-16 02:05:20

Pre-Run: 242,475,008 bytes free
Post-Run: 381,927,424 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

423 --- E O F --- 2008-11-08 21:23:06
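
As an added triage example (not code from the thread, from ComboFix or from catchme), the checks a helper applies by eye to the driver section and the catchme hidden-file list above, run over lines copied from this log: drivers whose image file is hidden, lives under a user profile, or has no file on disk, plus mountpoints2 AutoRun commands that use RunDLL32 indirection, a script, or an unqualified binary. The only format assumption is the line shape ComboFix shows here, `start name;display;path [date size]`; the findings are leads for an analyst, not a removal list.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the ComboFix log above.
DRIVER_LINES = r"""
R0 isapnpex;isapnpex;c:\windows\system32\drivers\isapnpex.sys []
R1 usbs2k;usbs2k;c:\windows\system32\drivers\usbs2k.sys []
S0 Partizan;Partizan; []
S1 nullnt;nullnt;c:\windows\system32\drivers\nullnt.sys []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-11-18 96256]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ivan\LOCALS~1\Temp\GPE9D.tmp []
S3 itztehhack;itztehhack;\??\c:\documents and settings\ivan\Desktop\Captain Hook\itztehhack.sys []
S3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S3 sejt1;sejt1; []
S4 hpt3xx;hpt3xx; []
"""
HIDDEN_FILE_LINES = r"""
c:\windows\system32\drivers\isapnpex.sys 19968 bytes executable
c:\windows\system32\drivers\usbs2k.sys 470656 bytes executable
c:\windows\system32\tsshusvr.exe 2392064 bytes executable
"""
AUTORUN_LINES = r"""
\Shell\AutoRun\command - G:\LaunchU3.exe -a
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe WinProcess.exe.vbs
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.exe
\Shell\AutoRun\command - auhohmyv.exe
"""

# ComboFix driver line shape: "<start> <service>;<display>;<image path> [<date> <size>]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*?)\s*\[(.*)\]$")
# Directories a legitimate kernel driver is never installed into.
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\documents and settings\\", "\\docume~1\\")
EARLY_START = ("R0", "S0", "R1", "S1")  # boot/system start: up before user-mode defenses

@dataclass
class Finding:
    start: str
    name: str
    image: str
    reasons: list = field(default_factory=list)

def normalize(path: str) -> str:
    """Strip the NT '\\??\\' prefix and lower-case so paths compare reliably."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p

def parse_hidden(text: str) -> set:
    """Paths that catchme reported as hidden from the normal directory listing."""
    hidden = set()
    for line in text.strip().splitlines():
        m = re.match(r"^(.*?)\s+\d+\s+bytes", line.strip())
        if m:
            hidden.add(normalize(m.group(1)))
    return hidden

def triage_drivers(text: str, hidden: set) -> list:
    """One Finding per driver line that trips a check; these are leads, not verdicts."""
    findings = []
    for raw in text.strip().splitlines():
        m = DRIVER_RE.match(raw.strip())
        if not m:
            continue
        start, name, _display, image, meta = m.groups()
        img = normalize(image)
        reasons = []
        if img in hidden:
            reasons.append("image file hidden from the normal listing (catchme)")
        elif not img:
            reasons.append("no image path recorded")
        else:
            if any(d in img for d in USER_WRITABLE):
                reasons.append("image lives in a user-writable profile directory")
            if not meta.strip():
                reasons.append("ComboFix found no date/size for the image")
        if reasons and start in EARLY_START:
            reasons.append(f"{start}: loads at boot/system start")
        if reasons:
            findings.append(Finding(start, name, img, reasons))
    return findings

def triage_autorun(text: str) -> list:
    """mountpoints2 AutoRun commands using indirection, a script, or an unqualified binary."""
    flagged = []
    for raw in text.strip().splitlines():
        _, _, cmd = raw.strip().partition(" - ")
        low = cmd.lower()
        if ("shellexec_rundll" in low                        # RunDLL32 hides the real target
                or re.search(r"\.(vbs|js|bat|cmd)\b", low)   # a script, not a launcher
                or not re.match(r"^[a-z]:\\", low)):         # bare name, resolved at run time
            flagged.append(cmd)
    return flagged

if __name__ == "__main__":
    found = triage_drivers(DRIVER_LINES, parse_hidden(HIDDEN_FILE_LINES))
    for f in found:
        print(f"{f.start} {f.name}: {'; '.join(f.reasons)}")
    print("AutoRun to review:", triage_autorun(AUTORUN_LINES))
```

The empty-path check also trips on entries the log shows for legitimate tools (the "rkhdrv40;Rootkit Unhooker Driver" line has the same empty path), which is why each hit carries its reasons for a human to weigh.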

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:38 AM

Posted 20 November 2008 - 12:11 PM

Hello.

That doesn't look all that great. Good job running ComboFix though. Saved us some time.

Do you have any idea what this is?
c:\documents and settings\ivan\Desktop\Captain Hook
Looks like you installed something into it.

Before continuing, I want to make sure nothing is hiding.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.

Next round we'll get ComboFix to nuke what's left of the infections.

With Regards,
The Panda

#12 Dylanz Of Dylanz

Dylanz Of Dylanz
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 20 November 2008 - 12:39 PM

Captain Hook was a hack I used for a game, but I deleted it..... BTW, in my country here it's already AM in the morning, I'm going to sleep now.
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-21 01:37:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\usbs2k.sys ZwEnumerateKey [0xF363D642]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs isapnpex.sys
AttachedDevice \FileSystem\Fastfat \Fat isapnpex.sys

---- EOF - GMER 1.0.14 ----

Edited by Dylanz Of Dylanz, 20 November 2008 - 12:49 PM.


#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:38 AM

Posted 20 November 2008 - 03:33 PM

Hello Dylanz Of Dylanz.

Did you change the settings in GMER? The log looks really small. Anyway, let's move on.

Captain Hook was a hack I used for a game but I deleted it

In that case, I will remove the driver associated with it.

Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\cc.exe
    c:\windows\Tasks\ACD4C4D891B37860.job
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281c33a1-3da6-11dc-8ad6-0040050cb1ac}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29a07c18-811d-11dd-851e-0040050cb1ac}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99675990-4be5-11dc-8b00-0040050cb1ac}]
    
    Driver::
    isapnpex
    usbs2k
    nullnt
    GarenaPEngine
    itztehhack
    hpt3xx
    sejt1
    
    Rootkit::
    c:\windows\system32\drivers\isapnpex.sys
    c:\windows\system32\drivers\usbs2k.sys
    c:\windows\system32\iprtx86.dll
    c:\windows\system32\wsh32.dll 
    c:\windows\system32\tsshusvr.exe 
    c:\windows\system32\d3dcache.dll
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [Image: dragging CFScript.txt onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
--
Had you disabled services with MSConfig? If you have, please re-enable all of those. You should be using services.msc to disable services.
--
Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below: After installing, update the database, run a full system scan and remove any items found.

Please post back with:
-the ComboFix log
-a new HijackThis log from after you installed the antivirus

How is your computer running now?

With Regards,
The Panda

#14 Dylanz Of Dylanz

Dylanz Of Dylanz
  • Topic Starter

  • Members
  • 171 posts
  • Local time:06:38 AM

Posted 20 November 2008 - 09:31 PM

ComboFix 08-11-19.08 - ivan 2008-11-21 10:22:13.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.158 [GMT 8:00]
Running from: c:\documents and settings\ivan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ivan\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.

2008-11-21 01:18 . 2008-11-21 01:37 345 --a------ c:\windows\gmer.ini
2008-11-20 12:08 . 2008-11-20 12:08 <DIR> d-------- c:\documents and settings\ivan\Application Data\Malwarebytes
2008-11-20 12:08 . 2008-11-20 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 12:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 12:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-20 11:49 . 2008-11-20 11:49 <DIR> d----c--- C:\_OTScanIt
2008-11-18 18:47 . 2001-08-17 12:19 96,256 --a------ c:\windows\system32\drivers\ctlsb16.sys
2008-11-18 13:39 . 2008-11-20 13:39 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-18 13:39 . 2008-11-18 13:39 <DIR> d-------- c:\documents and settings\ivan\Application Data\SUPERAntiSpyware.com
2008-11-18 13:39 . 2008-11-18 13:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-18 11:40 . 2008-11-20 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-18 01:38 . 2008-11-18 01:42 <DIR> d-------- c:\windows\nview
2008-11-18 01:38 . 2005-04-01 16:16 176,128 --a------ c:\windows\system32\nvudisp.exe
2008-11-18 01:38 . 2005-04-01 16:16 14,435 --a------ c:\windows\system32\nvdisp.nvu
2008-11-18 01:31 . 2008-11-18 01:31 <DIR> d----c--- C:\NVIDIA
2008-11-18 01:20 . 2008-11-18 01:20 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-11-17 21:41 . 2001-07-21 18:49 2,104,298 --a------ c:\windows\system32\drivers\2gmgsmt.sf2
2008-11-17 21:37 . 2000-05-11 01:00 90,112 --------- c:\windows\Updreg.EXE
2008-11-17 21:37 . 1998-06-05 02:00 84,992 --a------ c:\windows\system32\SFCVRT32.DLL
2008-11-17 21:37 . 1995-08-30 02:02 82,432 --a------ c:\windows\system32\CTWFLT32.DLL
2008-11-17 21:37 . 1998-10-20 16:05 54,784 --a------ c:\windows\system32\INETWH32.DLL
2008-11-17 21:37 . 1994-12-05 03:11 53,552 --------- c:\windows\CTCCW.DLL
2008-11-17 21:37 . 1995-07-13 02:01 26,768 --a------ c:\windows\system32\CTL3D.DLL
2008-11-17 21:37 . 1996-05-23 02:24 24,976 --------- c:\windows\CTRES.DLL
2008-11-17 21:37 . 1999-01-14 14:04 231 --------- c:\windows\AC3API.INI
2008-11-17 21:36 . 2008-11-17 21:36 <DIR> d-------- c:\windows\system32\Defaults
2008-11-17 21:36 . 1998-01-08 01:00 1,048,576 --a------ c:\windows\system32\SFMAN.DAT
2008-11-17 21:35 . 2002-07-24 13:52 998,004 --a------ c:\windows\system32\drivers\HA10KX2K.SYS
2008-11-17 21:35 . 2002-07-19 10:48 156,604 --a------ c:\windows\system32\drivers\EMUPIA2K.SYS
2008-11-17 21:35 . 2002-07-19 13:09 37,727 --a------ c:\windows\system32\Emu10kx.ini
2008-11-17 21:35 . 2002-06-04 07:45 20,480 --a------ c:\windows\INRES.DLL
2008-11-17 21:35 . 2002-07-19 10:56 29 --a------ c:\windows\system32\ctzapxx.ini
2008-11-17 21:33 . 2001-05-28 13:47 32,768 --a------ c:\windows\system32\AudioHQU.cpl
2008-11-17 21:33 . 2001-05-28 13:47 12,288 --a------ c:\windows\system32\AHQCpURes.dll
2008-11-17 20:08 . 2001-08-17 12:19 283,904 --a------ c:\windows\system32\drivers\emu10k1m.sys
2008-11-17 20:08 . 2001-08-17 22:36 256,512 --a------ c:\windows\system32\devcon32.dll
2008-11-17 20:08 . 2001-08-17 12:19 36,480 --a------ c:\windows\system32\drivers\sfmanm.sys
2008-11-17 20:08 . 2001-08-17 22:36 24,064 --a------ c:\windows\system32\devldr32.exe
2008-11-17 20:08 . 2001-08-17 12:19 6,912 --a------ c:\windows\system32\drivers\ctlfacem.sys
2008-11-17 18:17 . 2008-11-17 18:17 <DIR> d----c--- C:\VundoFix Backups
2008-11-16 20:20 . 2008-11-16 20:20 <DIR> d-------- c:\program files\iXi Tools
2008-11-16 19:57 . 2008-11-17 01:31 <DIR> d-------- c:\documents and settings\ivan\.housecall6.6
2008-11-16 19:34 . 1995-01-13 14:10 149,504 --a------ c:\windows\system32\MFCANS32.DLL
2008-11-16 19:34 . 1995-01-13 14:10 108,032 --a------ c:\windows\system32\MFCUIA32.DLL
2008-11-16 19:33 . 2008-11-17 20:08 <DIR> d-------- c:\windows\system32\Data
2008-11-16 11:09 . 2008-11-16 11:09 <DIR> d-------- c:\program files\Lavasoft
2008-11-07 23:30 . 2008-10-16 00:57 332,800 --a------ c:\windows\system32\SET5C.tmp
2008-11-01 16:48 . 2008-11-01 16:59 65,536 --a------ c:\windows\IFinst27.exe
2008-10-31 23:21 . 2008-10-31 23:22 <DIR> d----c--- C:\india
2008-10-31 22:59 . 2008-10-31 22:59 0 --a------ c:\windows\Irremote.ini
2008-10-28 14:33 . 2008-10-28 14:33 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-28 14:32 . 2008-10-28 14:32 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-28 14:27 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-10-27 11:26 . 2008-10-27 11:26 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 17:51 --------- d-----w c:\documents and settings\ivan\Application Data\MegauploadToolbar
2008-11-20 09:48 --------- d-----w c:\documents and settings\ivan\Application Data\Atari
2008-11-20 09:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 05:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 17:20 --------- d-----w c:\documents and settings\ivan\Application Data\SystemRequirementsLab
2008-11-16 17:20 --------- d-----w c:\documents and settings\All Users\Application Data\SITE ONLINE DOWNLOAD BAT
2008-11-16 13:56 --------- d-----w c:\program files\Creative
2008-11-16 11:27 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-15 09:04 --------- d-----w c:\documents and settings\ivan\Application Data\Azureus
2008-11-14 09:11 --------- d-----w c:\documents and settings\ivan\Application Data\ppstream
2008-11-03 08:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-03 07:16 --------- d-----w c:\program files\PCPitstop
2008-11-02 11:05 --------- d-----w c:\documents and settings\ivan\Application Data\MP3Rocket
2008-10-20 03:42 --------- d-----w c:\documents and settings\ivan\Application Data\Comodo
2008-10-19 17:38 --------- d-----w c:\documents and settings\Dylan\Application Data\Comodo
2008-10-18 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-18 16:24 1,298,432 -c--a-w C:\cc.exe
2008-10-18 14:53 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-10-18 14:53 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-18 14:53 --------- d-----w c:\program files\Real
2008-10-18 12:33 --------- d-----w c:\program files\Common Files\Download Manager
2008-10-18 08:43 --------- d-----w c:\program files\Real Alternative
2008-10-18 08:43 --------- d-----w c:\documents and settings\ivan\Application Data\Media Player Classic
2008-10-18 08:40 --------- d-----w c:\documents and settings\ivan\Application Data\vlc
2008-10-17 03:37 --------- d-----w c:\documents and settings\ivan\Application Data\Regrun
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-11 04:58 --------- d-----w c:\program files\Microsoft
2008-10-11 04:53 --------- d-----w c:\program files\Common Files\Windows Live
2008-10-10 17:29 360,320 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-10-10 17:29 360,320 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-10-10 08:38 --------- d-----w c:\program files\DivX
2008-09-22 16:33 --------- d-----w c:\documents and settings\ivan\Application Data\gtk-2.0
2008-09-16 00:12 200,704 -c--a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 1,044,480 -c--a-w c:\windows\system32\libdivx.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-08 16:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
2008-08-28 08:00 74,752 ----a-w c:\windows\system32\msw3prt.dll
2008-08-28 08:00 104,448 ----a-w c:\windows\system32\win32spl.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-01-31 11:29 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-07-27 07:50 4,570,624 ----a-w c:\documents and settings\ivan\praat.exe
1998-12-09 02:53 99,840 -c--a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 -c--a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 -c--a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 -c--a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 -c--a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 -c--a-w c:\program files\Common Files\IRASRIAL.DLL
2008-07-17 13:08 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( snapshot@2008-11-20_23.41.57.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-20 17:18:40 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 13:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-11-20 15:36:41 2,180 ----a-w c:\windows\system32\d3d8caps.dat
+ 2008-11-21 02:13:10 2,180 ----a-w c:\windows\system32\d3d8caps.dat
+ 2008-11-20 17:18:40 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]
"SetDefaultMIDI"="MIDIDef.exe" [2002-01-14 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\READREG" [X]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]
"nwiz"="nwiz.exe" [2005-04-01 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 01000000
"DisableChangePassword"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoResolveTrack"= 1 (0x1)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ivan^Start Menu^Programs^Startup^Azureus Ultra Accelerator.lnk]
backup=c:\windows\pss\Azureus Ultra Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DevconDefaultDB]
c:\windows\READREG [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a--c--- 2007-06-20 00:05 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-02-22 17:35 3057152 d:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a--c--- 2001-08-23 20:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a--c--- 2004-08-03 22:32 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-08-23 17:36 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2008-09-09 00:02 3513344 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
--a--c--- 2003-07-14 06:57 95296 c:\program files\Common Files\Microsoft Shared\IME\IMTC65\Phonetic\TINTLCFG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
--a------ 2008-08-07 15:31 165240 d:\program files\PPStream\PPSAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2008-03-08 07:33 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-18 22:53 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2002-01-14 14:42 61440 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=3 (0x3)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"usprserv"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nla"=2 (0x2)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"LightScribeService"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"cisvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"d:\\Program Files\\Warcraft III\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\DAP\\DAP.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=
"d:\\Program Files\\Mozzila\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"d:\\Program Files\\Counter-Strike\\hl.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Program Files\\PPStream\\PPStream.exe"=
"d:\\Program Files\\PPStream\\PPSAP.exe"=
"d:\\Program Files\\Counter-Strike\\hlds.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"d:\\Program Files\\Garena\\Garena.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"54124:TCP"= 54124:TCP:BitComet 54124 TCP
"54124:UDP"= 54124:UDP:BitComet 54124 UDP

R0 isapnpex;isapnpex;c:\windows\system32\drivers\isapnpex.sys []
R1 usbs2k;usbs2k;c:\windows\system32\drivers\usbs2k.sys []
S0 Partizan;Partizan; []
S1 nullnt;nullnt;c:\windows\system32\drivers\nullnt.sys []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-11-18 96256]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter; []
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ivan\LOCALS~1\Temp\GPE9D.tmp []
S3 itztehhack;itztehhack;\??\c:\documents and settings\ivan\Desktop\Captain Hook\itztehhack.sys []
S3 npkycryp;npkycryp; []
S3 rkhdrv40;Rootkit Unhooker Driver; []
S3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 31504]
S3 sejt1;sejt1; []
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281c33a0-3da6-11dc-8ad6-0040050cb1ac}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281c33a1-3da6-11dc-8ad6-0040050cb1ac}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe WinProcess.exe.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29a07c18-811d-11dd-851e-0040050cb1ac}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.exe
\Shell\default\command - E:\a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99675990-4be5-11dc-8b00-0040050cb1ac}]
\Shell\AutoRun\command - auhohmyv.exe
\Shell\explore\Command - auhohmyv.exe
\Shell\open\Command - auhohmyv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\ACD4C4D891B37860.job
- c:\docume~1\ivan\applic~1\remote~1\This jugs first.exe []

2007-03-22 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 10:26:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\isapnpex.sys 19968 bytes executable
c:\windows\system32\drivers\usbs2k.sys 470656 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ivan\LOCALS~1\Temp\GPE9D.tmp"
.
Completion time: 2008-11-21 10:29:18
ComboFix-quarantined-files.txt 2008-11-21 02:28:33
ComboFix2.txt 2008-11-20 15:43:48
ComboFix3.txt 2008-01-16 04:53:18
ComboFix4.txt 2008-01-16 02:05:20

Pre-Run: 380,321,792 bytes free
Post-Run: 380,272,640 bytes free

367 --- E O F --- 2008-11-08 21:23:06
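The CFScript in post #13 deletes three mountpoints2 keys because their AutoRun handlers in the ComboFix log above are typical removable-media infection hooks. The script below is an added example (not from the thread, ComboFix or GMER) that parses the mountpoints2 section of a log excerpt, applies the kind of heuristics a responder uses to separate a bare or indirect handler from a legitimate one such as the U3 launcher, and renders the matching CFScript Registry:: removal block. The sample log is constructed from the entries posted above; the heuristics and function names are my own.

```python
"""Flag suspicious mountpoints2 AutoRun handlers in a ComboFix log excerpt
and emit the CFScript 'Registry::' lines that would delete those keys."""
import re

# Constructed excerpt, modelled on the "Reg Loading Points" section of the
# ComboFix log posted in this thread (same keys, same commands).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281c33a0-3da6-11dc-8ad6-0040050cb1ac}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281c33a1-3da6-11dc-8ad6-0040050cb1ac}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe WinProcess.exe.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29a07c18-811d-11dd-851e-0040050cb1ac}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.exe
\Shell\default\command - E:\a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99675990-4be5-11dc-8b00-0040050cb1ac}]
\Shell\AutoRun\command - auhohmyv.exe
\Shell\explore\Command - auhohmyv.exe
\Shell\open\Command - auhohmyv.exe
"""

# A mountpoints2 key header: [HKEY_...\mountpoints2\{GUID}]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A shell verb line: \Shell\<verb>\command - <command line>
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)


def parse_mountpoints(log_text):
    """Return {key: {verb: command}} for every mountpoints2 entry in the log."""
    entries, key = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = VERB_RE.match(line)
        if m and key:
            entries[key][m.group(1).lower()] = m.group(2).strip()
    return entries


def suspicion_reasons(command):
    """Heuristics (mine, not ComboFix's) for a removable-drive shell handler."""
    cmd = command.lower()
    reasons = []
    if "shellexec_rundll" in cmd:
        reasons.append("rundll32 ShellExec_RunDLL indirection hides the real target")
    if re.search(r"\b[wc]script\.exe", cmd):
        reasons.append("script host used as a loader")
    if re.search(r"\.\w{2,4}\.(vbs|exe|scr|bat|cmd)\b", cmd):
        reasons.append("double file extension")
    exe_tokens = [t for t in cmd.split() if t.endswith(".exe")]
    if exe_tokens and "\\" not in exe_tokens[-1]:
        reasons.append("executable given by bare name, resolved from the drive root")
    return reasons


def flag_entries(entries):
    """Map key -> [(verb, command, reasons)] for keys with any suspicious handler."""
    flagged = {}
    for key, verbs in entries.items():
        hits = [(v, c, suspicion_reasons(c)) for v, c in verbs.items()]
        hits = [h for h in hits if h[2]]
        if hits:
            flagged[key] = hits
    return flagged


def cfscript_registry_section(flagged_keys):
    """Render the CFScript 'Registry::' block deleting the flagged keys."""
    return "\n".join(["Registry::"] + ["[-%s]" % k for k in sorted(flagged_keys)])


if __name__ == "__main__":
    flagged = flag_entries(parse_mountpoints(SAMPLE_LOG))
    for key, hits in flagged.items():
        for verb, cmd, why in hits:
            print("%s  %s: %s\n    %s" % (key[-38:], verb, cmd, "; ".join(why)))
    print(cfscript_registry_section(flagged))
```

The U3 launcher entry (an absolute path on its own drive, no indirection) produces no reasons and is left alone; the three keys that do get flagged are exactly the ones the CFScript removes.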

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:07:38 AM

Posted 21 November 2008 - 08:25 AM

Hello.

Are you sure the script was saved properly? It doesn't look like ComboFix read it. Please try the CFScript over again and post back with the log.

With Regards,
The Panda



