Infected Laptop, Please help


This topic is locked
26 replies to this topic

#1 marliaths

  • Members
  • 49 posts

Posted 18 November 2008 - 11:43 AM

Hey, my laptop was infected a while ago. It was mostly cleaned, but it seems like there is more on there now. I got a HijackThis log and the OTViewIt logs, so I would really appreciate the help if someone would help me fix it :D

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:25 PM, on 11/17/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\LTSMMSG.exe
C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\FIDMOU\WIN2K\FTMSFLT.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\winnt\system32\jownw64q.exe
C:\WINNT\System32\Rundll32.exe
C:\WINNT\system32\kcntpkdn.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Twain\Twain.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\explorer.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.samc.com:9119
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.samc.com;<local>
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [BATTERYAID] C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [FTMSFLT] C:\Program Files\FIDMOU\WIN2K\FTMSFLT.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [{35-54-4C-C6-DW}] C:\winnt\system32\jownw64q.exe DWram
O4 - HKLM\..\Run: [spa_start] C:\WINNT\System32\Rundll32.exe "C:\WINNT\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll" DllInit
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\kcntpkdn.exe DWram
O4 - HKLM\..\Run: [78835469] rundll32.exe "C:\WINNT\system32\ovuppghg.dll",b
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM7bb067f5] Rundll32.exe "C:\WINNT\system32\fklqofgy.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINNT\system32\kcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINNT\system32\jownw64q.exe
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SAMC.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SAMC.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SAMC.COM
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

--
End of file - 5249 bytes


Here is the OTViewIt stuff:

OTViewIt log:


OTViewIt logfile created on: 11/17/2008 9:33:05 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = E:\
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.48 Mb Total Physical Memory | 45.32 Mb Available Physical Memory | 17.74% Memory free
617.24 Mb Paging File | 368.57 Mb Available in Paging File | 59.71% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 13.94 Gb Total Space | 10.04 Gb Free Space | 72.04% Space Free | Partition Type: NTFS
Drive D: | 4.67 Gb Total Space | 4.66 Gb Free Space | 99.85% Space Free | Partition Type: FAT32
Drive E: | 982.05 Mb Total Space | 980.47 Mb Free Space | 99.84% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HS-59
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2001/07/17 23:32:18 | 00,081,920 | ---- | M] () -- C:\WINNT\system32\ati2evxx.exe
[2008/03/13 15:49:56 | 00,472,320 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
[2006/01/04 17:09:34 | 00,094,208 | ---- | M] () -- C:\Program Files\Network Monitor\netmon.exe
[2003/06/19 11:05:04 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
[2004/04/05 09:51:40 | 00,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
[2003/06/19 11:05:04 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
[2000/08/08 12:32:12 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mspmspsv.exe
[2007/07/30 18:19:16 | 00,053,080 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wuauclt.exe
[2001/07/05 16:53:32 | 00,217,088 | ---- | M] (ATI Technologies, Inc.) -- C:\WINNT\system32\atiptaxx.exe
[2001/12/17 14:50:44 | 00,032,768 | ---- | M] (Lucent Technologies) -- C:\WINNT\LTSMMSG.exe
[2001/03/19 15:27:08 | 00,217,088 | ---- | M] (FUJITSU LIMITED) -- C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
[2000/01/06 08:00:00 | 00,032,768 | ---- | M] (Intel Corporation) -- C:\WINNT\system32\prpcui.exe
[2000/08/08 10:52:28 | 00,049,152 | ---- | M] (FUJITSU LIMITED) -- C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
[1999/11/26 13:18:02 | 00,036,864 | ---- | M] (Fujitsu Takamisawa Component Limited) -- C:\Program Files\FIDMOU\WIN2K\FTMSFLT.EXE
[2005/04/13 03:48:52 | 00,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[2007/02/13 10:29:00 | 00,035,328 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
[2008/04/21 20:58:41 | 00,049,188 | ---- | M] () -- C:\WINNT\system32\jownw64q.exe
[2001/05/09 13:00:00 | 00,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\rundll32.exe
[2008/04/21 20:11:48 | 00,200,777 | ---- | M] () -- C:\WINNT\system32\kcntpkdn.exe
[2001/05/09 13:00:00 | 00,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\rundll32.exe
[2008/03/13 15:48:30 | 01,443,072 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
[2001/05/09 13:00:00 | 00,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\rundll32.exe
[2007/09/04 16:40:18 | 06,856,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe
[2002/08/29 07:14:40 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2008/04/22 07:44:30 | 00,057,344 | ---- | M] () -- C:\Program Files\Twain\Twain.exe
[2008/04/22 07:54:43 | 00,147,456 | ---- | M] () -- C:\Program Files\JavaCore\JavaCore.exe
[2006/12/22 11:17:32 | 00,598,016 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
[2007/01/19 12:49:30 | 00,103,928 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
[2008/11/17 18:09:46 | 00,422,400 | ---- | M] (OldTimer Tools) -- E:\OTViewIt.exe

========== (O23) Win32 Services ==========

[2004/07/15 00:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2001/07/17 23:32:18 | 00,081,920 | ---- | M] () -- C:\WINNT\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2001/11/02 10:50:00 | 00,110,651 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\pcAnywhere\AWHOST32.EXE -- (awhost32 [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,147,728 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\system32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[2008/03/13 15:55:26 | 00,019,200 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv [On_Demand | Stopped])
[2008/03/13 15:49:56 | 00,472,320 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn [Auto | Running])
[2003/06/19 11:05:04 | 00,094,992 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\FAXSVC.EXE -- (Fax [On_Demand | Stopped])
[2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2006/01/04 17:09:34 | 00,094,208 | ---- | M] () -- C:\Program Files\Network Monitor\netmon.exe -- (Network Monitor [Auto | Running])
[2003/06/19 11:05:04 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry [Auto | Running])
[2004/04/05 09:51:40 | 00,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe -- (Schedule [Auto | Running])
[2003/06/19 11:05:04 | 00,022,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\utilman.exe -- (UtilMan [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt [Auto | Running])
[2000/08/08 12:32:12 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mspmspsv.exe -- (WMDM PMSP Service [Auto | Running])

========== Driver Services ==========

[2007/03/02 18:40:13 | 00,019,643 | ---- | M] (Meetinghouse Data Communications) -- C:\WINNT\system32\drivers\AegisP.sys -- (AegisP [Auto | Running])
[2000/02/07 00:09:14 | 00,020,162 | ---- | M] (Kyushu Matsushita Electric Co., Ltd.) -- C:\WINNT\system32\drivers\atakmini.sys -- (atakmini [Boot | Running])
[2001/08/13 23:52:42 | 00,315,888 | ---- | M] (ATI Technologies Inc.) -- C:\WINNT\system32\drivers\ati2mpab.sys -- (ati2mpab [On_Demand | Running])
[1999/11/10 15:34:08 | 00,071,632 | ---- | M] (ATI Technologies Inc.) -- C:\WINNT\system32\drivers\atimpab.sys -- (atirage3 [On_Demand | Stopped])
[2000/09/11 10:50:00 | 00,010,816 | ---- | M] (Symantec Corporation) -- C:\WINNT\system32\drivers\AWLEGACY.SYS -- (awlegacy [System | Running])
[2001/10/22 10:50:00 | 00,031,192 | ---- | M] (Symantec Corporation) -- C:\WINNT\system32\drivers\AW_HOST5.sys -- (AW_HOST [Disabled | Stopped])
[2000/08/08 10:52:28 | 00,013,282 | ---- | M] (FUJITSU LIMITED) -- C:\Program Files\Fujitsu\BtnHnd\BtnHnd.sys -- (BtnHnd [Auto | Running])
[2007/01/29 21:03:34 | 00,002,432 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdr4_2k.sys -- (Cdr4_2K [System | Stopped])
[2007/01/29 21:03:34 | 00,002,560 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [Auto | Stopped])
[2003/06/19 11:05:04 | 00,007,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf [Boot | Running])
[2003/06/19 11:05:04 | 00,369,104 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot [Disabled | Stopped])
[2003/06/19 11:05:04 | 00,137,936 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\system32\drivers\dmio.sys -- (dmio [Boot | Running])
[2003/06/19 11:05:04 | 00,007,312 | ---- | M] (VERITAS Software Corp.) -- C:\WINNT\system32\drivers\dmload.sys -- (dmload [Boot | Running])
[2008/03/13 15:43:42 | 00,040,456 | ---- | M] (ESET) -- C:\WINNT\system32\drivers\eamon.sys -- (eamon [Auto | Running])
[2008/03/13 15:44:36 | 00,029,704 | ---- | M] (ESET) -- C:\WINNT\system32\drivers\easdrv.sys -- (easdrv [System | Running])
[2003/06/19 11:05:04 | 00,027,440 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\efs.sys -- (EFS [Disabled | Running])
[2008/03/13 15:52:12 | 00,071,176 | ---- | M] (ESET) -- C:\WINNT\system32\drivers\epfw.sys -- (epfw [Auto | Running])
[2008/03/13 15:52:14 | 00,033,800 | ---- | M] (ESET) -- C:\WINNT\system32\drivers\epfwndhk.sys -- (epfwndhk [System | Running])
[2008/03/13 15:52:16 | 00,054,280 | ---- | M] (ESET) -- C:\WINNT\system32\drivers\epfwtdi.sys -- (epfwtdi [System | Running])
[1999/11/26 13:00:36 | 00,010,588 | ---- | M] (Fujitsu Takamisawa Component Limited) -- C:\WINNT\system32\drivers\FIDMOU.sys -- (FIDMOU [On_Demand | Running])
[2000/10/21 01:11:20 | 00,005,449 | R--- | M] (FUJITSU LIMITED) -- C:\WINNT\system32\drivers\fuj02b1.sys -- (FUJ02B1 [On_Demand | Running])
[2001/10/09 10:50:00 | 00,014,944 | ---- | M] (Symantec Corporation) -- C:\WINNT\System32\drivers\GERNUWA.SYS -- (Gernuwa [Boot | Running])
[2001/12/18 16:42:48 | 00,807,021 | ---- | M] (Lucent Technologies) -- C:\WINNT\system32\drivers\LTSM.sys -- (LucentSoftModem [On_Demand | Running])
[2004/07/09 01:58:10 | 00,015,104 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\mpe.sys -- (MPE [On_Demand | Stopped])
[2001/05/09 13:00:00 | 00,009,680 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,060,208 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel [On_Demand | Running])
[2000/01/06 08:00:00 | 00,012,182 | ---- | M] (Intel Corp.) -- C:\WINNT\System32\drivers\prpc.sys -- (PRPC [Auto | Running])
[2003/06/19 11:05:04 | 00,017,680 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/01/29 21:03:34 | 00,036,624 | ---- | M] (Sonic Solutions) -- C:\WINNT\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2001/05/09 13:00:00 | 00,021,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\rca.sys -- (RCA [On_Demand | Stopped])
[2001/04/23 16:17:06 | 00,024,727 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINNT\system32\drivers\RTL8139.sys -- (rtl8139 [On_Demand | Running])
[2006/12/26 14:58:02 | 00,189,312 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINNT\system32\drivers\RTL8187B.sys -- (RTL8187B [On_Demand | Stopped])
[2002/10/02 09:57:12 | 00,013,532 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINNT\system32\drivers\SjyPkt.sys -- (SjyPkt [On_Demand | Stopped])
[1999/09/24 19:18:02 | 00,036,112 | ---- | M] (SMC) -- C:\WINNT\system32\drivers\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
[1999/09/28 15:14:04 | 00,019,376 | ---- | M] (Adaptec, Inc.) -- C:\WINNT\system32\drivers\sparrow.sys -- (Sparrow [Boot | Running])
[2001/07/23 20:32:40 | 00,088,976 | R--- | M] (SigmaTel, Inc.) -- C:\WINNT\system32\drivers\STAC97FJ.sys -- (STAC97 [On_Demand | Running])
[2008/04/21 20:11:32 | 00,086,144 | ---- | M] () -- C:\WINNT\system32\drivers\streamss.sys -- (streamss [System | Running])
[2002/11/22 10:29:22 | 00,057,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Stopped])
[2003/06/19 11:05:04 | 00,032,848 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINNT\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINNT\system32\SHDOCVW.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.samc.com;<local>

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINNT\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com/

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINNT\system32\SHDOCVW.DLL (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.samc.com;<local>

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINNT\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
{6156A32A-C512-4e23-AA9A-2315F4265681} (HKLM) -- C:\WINNT\system32\myss_sb.dll ()
{9f768a18-8a64-1a02-d3b0-b5edd158d76f} (HKLM) -- C:\WINNT\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll ( )
{C6397ABC-743F-4550-91F0-958B5343E1EE} (HKLM) -- C:\WINNT\system32\vtUklkLB.dll ()
{EF833EA3-A232-F29A-119A-A48F045B7E97} (HKLM) -- Reg Error: Value does not exist. File not found
{f40fd3b5-0d0d-43ab-ad18-d9c45453c585} (HKLM) -- C:\WINNT\system32\dogaikpg.dll ()
{F50B3F5E-856E-4757-9BB1-B35D46CA7719} (HKLM) -- C:\WINNT\system32\byXNhiHb.dll ()

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8E718888-423F-11D2-876E-00A0C9082467}" (HKLM) -- C:\WINNT\system32\msdxm.ocx ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{35-54-4C-C6-DW}"=C:\winnt\system32\jownw64q.exe DWram ()
"78835469"=rundll32.exe "C:\WINNT\system32\ovuppghg.dll",b ()
"AtiPTA"=Atiptaxx.exe (ATI Technologies, Inc.)
"BATTERYAID"=C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe (FUJITSU LIMITED)
"BM7bb067f5"=Rundll32.exe "C:\WINNT\system32\fklqofgy.dll",s ()
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice (ESET)
"ExploreUpdSched"=C:\WINNT\system32\kcntpkdn.exe DWram ()
"FTMSFLT"=C:\Program Files\FIDMOU\WIN2K\FTMSFLT.exe (Fujitsu Takamisawa Component Limited)
"LoadBtnHnd"=C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe (FUJITSU LIMITED)
"LTSMMSG"=LTSMMSG.exe (Lucent Technologies)
"PRPCMonitor"=PRPCUI.exe (Intel Corporation)
"spa_start"=C:\WINNT\System32\Rundll32.exe "C:\WINNT\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll" DllInit ( )
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
"Synchronization Manager"=mobsync.exe /logon (Microsoft Corporation)
"WinampAgent"=C:\Program Files\Winamp\winampa.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaCore"=C:\Program Files\\JavaCore\\JavaCore.exe ()
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"Twain"=C:\Program Files\Twain\Twain.exe ()
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaCore"=C:\Program Files\\JavaCore\\JavaCore.exe ()
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"Twain"=C:\Program Files\Twain\Twain.exe ()
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

========== (O4) RunOnce Keys ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (Microsoft Corporation)

========== (O4) Startup Folders ==========

[2008/04/21 20:11:48 | 00,200,777 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk = C:\WINNT\system32\kcntpkdn.exe
[2008/04/21 20:58:41 | 00,049,188 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk = C:\WINNT\system32\jownw64q.exe
[2006/12/22 11:17:32 | 00,598,016 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149
"CDRAutoRun"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=149
"CDRAutoRun"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office10\EXCEL.EXE [2001/02/16 01:05:38 | 09,164,192 | R--- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office10\EXCEL.EXE [2001/02/16 01:05:38 | 09,164,192 | R--- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: Button: @shdoclc.dll,-866 -- %SystemRoot%\Web\RELATED.HTM [2002/08/29 07:14:40 | 00,000,654 | ---- | M] ()
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: Menu: @shdoclc.dll,-864 -- %SystemRoot%\Web\RELATED.HTM [2002/08/29 07:14:40 | 00,000,654 | ---- | M] ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [@shdoclc.dll,-866] -> File not found

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [@shdoclc.dll,-866] -> File not found

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [@shdoclc.dll,-866] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery
Extension\.spop: -- C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll [2001/01/30 13:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{9F1C11AA-197B-4942-BA54-47A8489BB47F}: http://v4.windowsupdate.microsoft.com/CAB/...7923.3641203704 -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwa...ash/swflash.cab -- Shockwave Flash Object
DirectAnimation Java Classes: file://C:\WINNT\Java\classes\dajava.cab -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: file://C:\WINNT\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{2FF6F5F1-25D0-4E08-A407-67F61A624418} (Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC)
{428DFE1E-8235-49F0-A0CD-749D8E751475} (Servers: | Description: TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
byXNhiHb: "DllName" = byXNhiHb.dll -- C:\WINNT\system32\byXNhiHb.dll ()
PCANotify: "DllName" = PCANotify.dll -- C:\WINNT\system32\PCANotify.dll (Symantec Corporation)
wzcnotif: "DllName" = wzcdlg.dll -- C:\WINNT\system32\wzcdlg.dll (Microsoft Corporation)

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"={7007ACCF-3202-11D1-AAD2-00805FC1270E} (HKLM) -- C:\WINNT\system32\netshell.dll (Microsoft Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F50B3F5E-856E-4757-9BB1-B35D46CA7719}" (HKLM) -- C:\WINNT\system32\byXNhiHb.dll ()

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,C:\WINNT\system32\vtUklkLB,
>[2008/04/21 20:16:30 | 00,272,896 | ---- | M] () -- C:\WINNT\system32\vtUklkLB.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2001/10/05 15:35:56 | 00,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2008/11/17 21:30:56 | 00,000,303 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2008/11/17 21:30:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/17 21:26:08 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_358.dat

========== Files - Modified Within 30 Days ==========

[1 C:\WINNT\*.tmp files]
[2008/11/17 21:33:15 | 00,417,763 | -HS- | M] () -- C:\WINNT\System32\BLklkUtv.ini
[2008/11/17 21:31:54 | 00,000,303 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2008/11/17 21:30:41 | 01,541,596 | -HS- | M] () -- C:\WINNT\System32\ghgppuvo.ini
[2008/11/17 21:30:23 | 00,417,589 | -HS- | M] () -- C:\WINNT\System32\BLklkUtv.ini2
[2008/11/17 21:30:21 | 00,000,021 | ---- | M] () -- C:\WINNT\pskt.ini
[2008/11/17 21:28:12 | 00,000,543 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk
[2008/11/17 21:27:09 | 00,000,507 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
[2008/11/17 21:26:53 | 00,109,734 | ---- | M] () -- C:\WINNT\BM7bb067f5.xml
[2008/11/17 21:26:08 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_358.dat
[2008/11/17 21:23:54 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
< End of report >



And here is the Extras log:

OTViewIt Extras logfile created on: 11/17/2008 9:33:05 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = E:\
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.48 Mb Total Physical Memory | 45.32 Mb Available Physical Memory | 17.74% Memory free
617.24 Mb Paging File | 368.57 Mb Available in Paging File | 59.71% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 13.94 Gb Total Space | 10.04 Gb Free Space | 72.04% Space Free | Partition Type: NTFS
Drive D: | 4.67 Gb Total Space | 4.66 Gb Free Space | 99.85% Space Free | Partition Type: FAT32
Drive E: | 982.05 Mb Total Space | 980.47 Mb Free Space | 99.84% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HS-59
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2007/09/07 15:01:54 | 00,043,008 | ---- | M] () -- C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] -- C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000001 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000002 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000003 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000004 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000005 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000006 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000007 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000008 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000009 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000010 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000011 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000012 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000013 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000014 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000015 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000016 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000017 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)
Protocol_Catalog9\Catalog_Entries\000000000018 -- C:\WINNT\system32\msafd.dll (Microsoft Corporation)

========== HKEY_CURRENT_USER Protocol Defaults ==========


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/01/22 03:25:24 | 00,872,448 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (cdo:{CD00020A-8B95-11D1-82DB-00C04FB1625D} (HKLM) [Microsoft PKM KnowledgePluggable Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2001/02/12 03:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2001/02/12 03:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2001/02/12 03:25:24 | 01,187,840 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/02/23 18:36:24 | 07,436,272 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/09/17 10:01:28 | 00,844,048 | ---- | M] () C:\WINNT\system32\msdxm.ocx (vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} (HKLM) [AsyncPProt Class])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1DCC7418-2089-4BDD-B321-3771956160FC}"=ijji Auto Installer
"{1DD342C7-51B2-11D4-BA13-00A0C920DFD7}"=Security Panel Application
"{3248F0A8-6813-11D6-A77B-00B0D0150030}"=J2SE Runtime Environment 5.0 Update 3
"{3877C2CD-F137-4144-BDB2-0A811492F920}"=Command
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}"=Microsoft Windows Journal Viewer
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{6F716D8C-398F-11D3-85E1-005004838609}"=WebFldrs
"{7959721D-8268-4565-9E0E-C41A9F4848A9}"=SigmaTel AC97 Audio Drivers
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX Codec
"{86727C60-51B4-11D4-BA13-00A0C920DFD7}"=Security Panel Application for Supervisor
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{90110409-6000-11D3-8CFE-0050048383C9}"=Microsoft Office XP Professional
"{90FA23DE-7B2E-43D4-8223-E2E280156BB4}"=MDIUpgrade
"{9DE8D465-A169-4CC7-BAF7-CDD1C9E2EE56}"=ESET Smart Security
"{A394E835-C8D6-4B4B-884B-D2709059F3BE}"=Network Monitor
"{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}"=MSN Messenger 7.0
"{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
"{C05E8183-866A-11D3-97DF-0000F8D8F2E9}"=Symantec pcAnywhere
"{C43421C0-0DCB-4F26-8A3B-BF16155F9879}"=TRENDnet TEW-424UB
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{DF1D5FEC-D67C-43C8-9230-41F5DF350196}"=MetaFrame Presentation Server Client
"{F2B2E46B-1C30-11D5-B08D-00000E5F1C10}"=Fujitsu BatteryAid
"7-Zip"=7-Zip 4.57
"AC3Filter"=AC3Filter (remove only)
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"ATI Display Driver"=ATI Display Driver Utilities
"AUV"=LifeBook Application Panel
"BitTorrent"=BitTorrent 5.0.9
"CCleaner"=CCleaner (remove only)
"Deewoo Network Manager"=Deewoo Network Manager removal
"DivX Content Uploader"=DivX Content Uploader
"DIVXAudioCompressor4.02"=DivX ;-) Audio Compressor 4.02
"FIDMOU"=Fujitsu Touch Panel (PS/2)
"Fujitsu Service Assistant"=Fujitsu Service Assistant
"gooochi"=Enhancement Browser Tools Gooochi
"Gunbound Revolution_is1"=Gunbound Revolution
"HijackThis"=HijackThis 2.0.2
"IE40"=Microsoft Internet Explorer 6 SP1
"InstallShield_{C43421C0-0DCB-4F26-8A3B-BF16155F9879}"=TRENDnet TEW-424UB
"Intel SpeedStep technology Applet"=Intel SpeedStep technology Applet
"LimeWire"=LimeWire 4.12.11
"LiveReg"=LiveReg (Symantec Corporation)
"LiveUpdate1.6"=LiveUpdate 1.6 (Symantec Corporation)
"Lucent Technologies Soft Modem"=Lucent Technologies Soft Modem AMR
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"mySearchAssistant"=MySidesearch Search Assistant Adzgalore
"Outerinfo"=Outerinfo
"PCDoctor"=PC-Doctor for Windows
"PCDoctor WINDSAPI SDK"=PC-Doctor WINDSAPI SDK
"Q818043"=Windows 2000 Hotfix (SP5) Q818043
"Q828026"=Windows Media Player Hotfix [See Q828026 for more information]
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"TSA"=TargetSaver
"vgxupdate"=Microsoft VGX Q833989
"Winamp"=Winamp (remove only)
"WinZip"=WinZip
"WMP7"=Windows Media Player 7
"Yahoo! Messenger"=Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CPV"=CPV
"ijji.com"=ijji
"Twain"=Twain
"WinTouch"=WinTouch

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1166568564-2063280430-1627275695-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CPV"=CPV
"ijji.com"=ijji
"Twain"=Twain
"WinTouch"=WinTouch

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/1/2008 12:38:02 AM | Computer Name = HS-59 | Source = rasctrs | ID = 2001
Description =

Error - 5/1/2008 12:47:51 AM | Computer Name = HS-59 | Source = McLogEvent | ID = 5051
Description =

Error - 5/1/2008 12:47:52 AM | Computer Name = HS-59 | Source = McLogEvent | ID = 1008
Description =

Error - 5/29/2008 11:35:19 PM | Computer Name = HS-59 | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 6/2/2008 11:53:02 PM | Computer Name = HS-59 | Source = McLogEvent | ID = 5051
Description =

Error - 6/2/2008 11:53:02 PM | Computer Name = HS-59 | Source = McLogEvent | ID = 1008
Description =

Error - 6/2/2008 11:55:27 PM | Computer Name = HS-59 | Source = McLogEvent | ID = 5051
Description =

Error - 6/2/2008 11:55:41 PM | Computer Name = HS-59 | Source = McLogEvent | ID = 1008
Description =

Error - 6/2/2008 11:58:27 PM | Computer Name = HS-59 | Source = McLogEvent | ID = 5051
Description =

Error - 6/2/2008 11:58:28 PM | Computer Name = HS-59 | Source = McLogEvent | ID = 1008
Description =

[ System Events ]
Error - 6/2/2008 11:53:02 PM | Computer Name = HS-59 | Source = Service Control Manager | ID = 7031
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 0
milliseconds: No action.

Error - 6/2/2008 11:55:41 PM | Computer Name = HS-59 | Source = Service Control Manager | ID = 7031
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in 0
milliseconds: No action.

Error - 6/2/2008 11:58:07 PM | Computer Name = HS-59 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 6/2/2008 11:58:28 PM | Computer Name = HS-59 | Source = Service Control Manager | ID = 7031
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 3 time(s). The following corrective action will be taken in 0
milliseconds: No action.

Error - 6/3/2008 12:00:12 AM | Computer Name = HS-59 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 6/3/2008 12:00:55 AM | Computer Name = HS-59 | Source = Service Control Manager | ID = 7031
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 4 time(s). The following corrective action will be taken in 0
milliseconds: No action.

Error - 6/10/2008 12:33:16 AM | Computer Name = HS-59 | Source = Service Control Manager | ID = 7000
Description = The Cdralw2k service failed to start due to the following error: %%1058

Error - 6/10/2008 12:38:26 AM | Computer Name = HS-59 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 11/18/2008 1:23:36 AM | Computer Name = HS-59 | Source = Service Control Manager | ID = 7000
Description = The Cdralw2k service failed to start due to the following error: %%1058

Error - 11/18/2008 1:29:26 AM | Computer Name = HS-59 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >



thank you in advance :D



#2 Billy O'Neal

    Visual C++ STL Maintainer
  • Malware Response Team
  • Location:Redmond, Washington


Posted 26 November 2008 - 10:04 PM

Hello, marliaths
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We need to run a Scan with DDS
  • Please download DDS, and save it to your desktop, from one of the following mirrors:
  • Disable any type of "Script Blockers" or "Script Protection" installed on your system.
  • Double click the DDS icon on your desktop.
  • If prompted by any script blocking tools, please allow any actions taken by DDS.
  • When prompted to perform an Optional Scan, please select the option to run it.
  • Two reports will open. Please reply with the generated reports:
    • DDS.txt <-- Copy and paste into your next post
    • Attach.txt <-- Attach to your next post
We need to scan for rootkits with GMER
  • Please download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    Note: There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    Important! Please do not select the "Show all" checkbox during the scan.
  • Click on the "Scan" and wait for the scan to finish.
    • Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
In your next reply, please include the following:
  • DDS.txt
  • Attach.txt
  • GMER's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Billy O'Neal

    Visual C++ STL Maintainer
  • Malware Response Team
  • Location:Redmond, Washington


Posted 30 November 2008 - 02:14 PM

EDIT: User returned, topic reopened. Please post DDS and GMER logs below :thumbsup:

Billy3

Edited by Billy O'Neal, 30 November 2008 - 03:49 PM.


#4 marliaths

  • Topic Starter
  • Members


Posted 01 December 2008 - 01:36 PM

Here is the DDS Log:


DDS (Version 1.0) - NTFSx86
Run by Administrator at 18:48:41.94 on Sun 11/30/2008
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.27 [GMT -8:00]

============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\LTSMMSG.exe
C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\FIDMOU\WIN2K\FTMSFLT.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\winnt\system32\jownw64q.exe
C:\WINNT\System32\Rundll32.exe
C:\WINNT\system32\kcntpkdn.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Twain\Twain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = proxy.samc.com:9119
uInternet Settings,ProxyOverride = *.samc.com;<local>
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {3CC502DC-1E2F-45C4-8AC0-61ABFCD31EB7} - c:\winnt\system32\vtUklkLB.dll
BHO: {6156A32A-C512-4e23-AA9A-2315F4265681} - c:\winnt\system32\myss_sb.dll
BHO: {9f768a18-8a64-1a02-d3b0-b5edd158d76f} - c:\winnt\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll
BHO: {EF833EA3-A232-F29A-119A-A48F045B7E97} -
BHO: {f40fd3b5-0d0d-43ab-ad18-d9c45453c585} - c:\winnt\system32\dogaikpg.dll
BHO: {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - c:\winnt\system32\byXNhiHb.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\winnt\system32\msdxm.ocx
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Twain] c:\program files\twain\Twain.exe
uRun: [JavaCore] c:\program files\\javacore\\JavaCore.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [AtiPTA] Atiptaxx.exe
mRun: [LTSMMSG] LTSMMSG.exe
mRun: [BATTERYAID] c:\program files\fujitsu\batteryaid\BATTERYAID.exe
mRun: [PRPCMonitor] PRPCUI.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [FTMSFLT] c:\program files\fidmou\win2k\FTMSFLT.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [{35-54-4C-C6-DW}] c:\winnt\system32\jownw64q.exe DWram
mRun: [spa_start] c:\winnt\system32\rundll32.exe "c:\winnt\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll" DllInit
mRun: [ExploreUpdSched] c:\winnt\system32\kcntpkdn.exe DWram
mRun: [78835469] rundll32.exe "c:\winnt\system32\ovuppghg.dll",b
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [BM7bb067f5] Rundll32.exe "c:\winnt\system32\fklqofgy.dll",s
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\deewoo.lnk - c:\winnt\system32\kcntpkdn.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dw_start.lnk - c:\winnt\system32\jownw64q.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\winnt\system32\msdxm.ocx
Notify: byXNhiHb - byXNhiHb.dll
Notify: PCANotify - PCANotify.dll
SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - c:\winnt\system32\NETSHELL.dll
SEH: {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - c:\winnt\system32\byXNhiHb.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\vtUklkLB

============= SERVICES / DRIVERS ===============

R0 atakmini;atakmini;c:\winnt\system32\drivers\atakmini.sys [2000-3-8 20162]
R1 epfwndhk;epfwndhk;c:\winnt\system32\drivers\EPFWNDHK.sys [2008-3-13 33800]
R1 streamss;streamss;c:\winnt\system32\drivers\streamss.sys [2008-4-21 86144]
R2 Network Monitor;Network Monitor;c:\program files\network monitor\netmon.exe service []
R2 PRPC;PRPC;c:\winnt\system32\drivers\PRPC.sys [2001-10-5 12182]
R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [2001-8-13 315888]
R3 FIDMOU;Fujitsu Touch Panel;c:\winnt\system32\drivers\FIDMOU.sys [2002-10-28 10588]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\winnt\system32\drivers\LTSM.sys [2001-12-18 807021]
S1 sglfb;sglfb; []
S1 tga;tga; []
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys []
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\winnt\system32\drivers\RTL8187B.sys [2007-3-2 189312]
S3 SjyPkt;SjyPkt;\??\c:\winnt\system32\drivers\SjyPkt.sys [2002-10-2 13532]
S4 aic116x;aic116x; []
S4 ami0nt;ami0nt; []
S4 cpqarry2;cpqarry2; []
S4 cpqfcalm;cpqfcalm; []
S4 cpqfws2e;cpqfws2e; []
S4 deckzpsx;deckzpsx; []
S4 Fd16_700;Fd16_700; []
S4 fireport;fireport; []
S4 flashpnt;flashpnt; []
S4 ipsraidn;ipsraidn; []
S4 lp6nds35;lp6nds35; []
S4 Ncrc710;Ncrc710; []
S4 ql2100;ql2100; []
S4 ultra66;ultra66; []

=============== Created Last 30 ================

2008-11-30 18:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_340.dat
2008-11-17 21:30 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2008-11-30 18:48 418,113 a--sh--- c:\winnt\system32\BLklkUtv.ini2
2008-04-30 20:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\ESET
2008-04-30 20:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\?dobe
2008-04-22 08:15 <DIR> --d----- c:\docume~1\admini~1\applic~1\WinTouch
2007-12-13 17:48 <DIR> --d-h--- c:\docume~1\admini~1\applic~1\ijjigame
2007-03-03 22:14 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2002-11-22 11:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\ICAClient
2002-11-22 10:29 <DIR> --d----- c:\docume~1\admini~1\applic~1\Symantec
2002-11-22 10:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2001-10-05 19:19 <DIR> --d----- c:\docume~1\admini~1\applic~1\InterTrust
2005-07-29 15:24 472 a--shr-- c:\winnt\u0fnqw\oXIhkT.vbs

============= FINISH: 18:49:53.14 ===============




and here is the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-30 19:40:24
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT BEEAE9A8 ZwClose
SSDT BEEAE7E4 ZwCreateKey
SSDT BEEAE900 ZwDeleteKey
SSDT BEEAE928 ZwDeleteValueKey
SSDT BEEAE9A2 ZwLoadKey
SSDT BEEAE687 ZwOpenKey
SSDT BEEAE886 ZwQueryValueKey
SSDT BEEAE952 ZwReplaceKey
SSDT BEEAE97A ZwRestoreKey
SSDT BEEAE834 ZwSetValueKey

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINNT\System32\drivers\streamss.sys The process cannot access the file because it is being used by another process.

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3D42170] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3D421F0] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F3D42260] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F3D42230] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F3D421F0] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F3D42170] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F3D42260] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [F3D42230] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [F3D421F0] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisOpenAdapter] [F3D42260] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisCloseAdapter] [F3D42170] \SystemRoot\system32\DRIVERS\EPFWNDHK.sys (Eset Personal Firewall NDIS filter/ESET)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\streamss \Device\streamss BEEAC58A

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.14 ----

and I attached the Attach file.
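The DDS and OTViewIt lines above carry the indicators an analyst reads by eye: BHOs and Run entries pointing at eight-character gibberish names in System32, a BHO with no file behind it, a Winlogon Notify package and an extra LSA authentication package, and hidden+system .ini/.ini2 files whose names are the loaded DLL names spelled backwards (ghgppuvo.ini against ovuppghg.dll, BLklkUtv.ini2 against vtUklkLB.dll). The script below is an added example, not a tool from this thread or from the DDS/OTViewIt authors; it encodes those checks and runs them over lines copied from the posted logs. The allowlists for LSA packages and Notify packages (msv1_0, PCANotify) are assumptions for this one machine, and the eight-character rule is a heuristic that needs a proper allowlist before use on other systems.

```python
"""Triage heuristics for the DDS / OTViewIt lines posted in this thread (added example)."""
import re
from pathlib import PureWindowsPath
from typing import NamedTuple

# Lines copied from the DDS "Pseudo HJT Report" in post #4.
DDS_LINES = r"""
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {3CC502DC-1E2F-45C4-8AC0-61ABFCD31EB7} - c:\winnt\system32\vtUklkLB.dll
BHO: {EF833EA3-A232-F29A-119A-A48F045B7E97} -
BHO: {f40fd3b5-0d0d-43ab-ad18-d9c45453c585} - c:\winnt\system32\dogaikpg.dll
mRun: [AtiPTA] Atiptaxx.exe
mRun: [{35-54-4C-C6-DW}] c:\winnt\system32\jownw64q.exe DWram
mRun: [78835469] rundll32.exe "c:\winnt\system32\ovuppghg.dll",b
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
Notify: byXNhiHb - byXNhiHb.dll
Notify: PCANotify - PCANotify.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\vtUklkLB
"""

# Lines copied from the OTViewIt file listing in post #1.
OTL_LINES = r"""
[2008/11/17 21:30:41 | 01,541,596 | -HS- | M] () -- C:\WINNT\System32\ghgppuvo.ini
[2008/11/17 21:30:23 | 00,417,589 | -HS- | M] () -- C:\WINNT\System32\BLklkUtv.ini2
[2008/11/17 21:26:08 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_358.dat
"""

SYSTEM32 = re.compile(r"^[a-z]:\\win(?:nt|dows)\\system32\\", re.I)
RANDOM_STEM = re.compile(r"^[a-z0-9]{8}$", re.I)   # heuristic: the 8-char gibberish names in this log
PATH_TOKEN = re.compile(r'"([^"]+)"|(\S+\.(?:dll|exe|ocx|sys))', re.I)
DDS_RE = re.compile(r"^(?P<kind>BHO|[um]Run|Notify|LSA): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
OTL_RE = re.compile(r"^\[[^|]+\| [\d,]+ \| (?P<attr>[-A-Z]{4}) \| M\] \(\) -- (?P<path>.+)$")

KNOWN_LSA = {"msv1_0"}        # Windows 2000 default; assumed allowlist for this machine
KNOWN_NOTIFY = {"pcanotify"}  # pcAnywhere is in the uninstall list above; assumed allowlist


class Finding(NamedTuple):
    line: str
    reason: str


def paths_in(command: str) -> list[str]:
    """Quoted strings and bare *.dll/*.exe/*.ocx/*.sys tokens of a Run command, in order."""
    return [quoted or bare for quoted, bare in PATH_TOKEN.findall(command)]


def triage(dds_text: str, otl_text: str) -> list[Finding]:
    findings: list[Finding] = []
    loaded: set[str] = set()  # lower-cased stems of every module the autostarts load

    def check_module(line: str, kind: str, path: str) -> None:
        stem = PureWindowsPath(path).stem
        loaded.add(stem.lower())
        if SYSTEM32.match(path) and RANDOM_STEM.match(stem):
            findings.append(Finding(line, f"{kind} loads {stem} from System32: 8-char random-looking name"))

    for line in dds_text.splitlines():
        m = DDS_RE.match(line)
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        if kind == "BHO":
            clsid, _, path = rest.partition(" - ")
            if not path.strip():  # "{CLSID} -" with nothing after it
                findings.append(Finding(line, f"BHO {clsid.rstrip(' -')} has no file path (orphaned or hidden)"))
            else:
                check_module(line, kind, path.strip())
        elif kind.endswith("Run"):
            r = RUN_RE.match(rest)
            for p in paths_in(r["cmd"] if r else rest):
                check_module(line, kind, p)
        elif kind == "Notify":
            name, _, dll = rest.partition(" - ")
            loaded.add(PureWindowsPath(dll).stem.lower())
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding(line, f"Winlogon notification package {dll} runs inside winlogon.exe"))
        elif kind == "LSA":
            _, _, packages = rest.partition("=")
            for pkg in packages.split():
                if pkg.lower() not in KNOWN_LSA:
                    loaded.add(PureWindowsPath(pkg).stem.lower())
                    findings.append(Finding(line, f"extra LSA authentication package {pkg} sees every logon"))

    # Hidden+system .ini/.ini2 files named after a loaded module spelled backwards.
    for line in otl_text.splitlines():
        m = OTL_RE.match(line)
        if not m:
            continue
        p = PureWindowsPath(m["path"])
        hidden_system = "H" in m["attr"] and "S" in m["attr"]
        if hidden_system and p.suffix.lower() in {".ini", ".ini2"} and p.stem.lower()[::-1] in loaded:
            findings.append(Finding(line, f"{p.name}: hidden+system, name reversed is loaded module {p.stem[::-1]}"))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_LINES, OTL_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Run as-is it prints nine findings for the sample lines, and the two paired entries at the end are exactly the files ComboFix later removes together in post #6. The modules are collected in a first pass so the reversed-name check in the second pass can match against everything the autostarts reference, including the LSA package that has no extension.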

#5 Billy O'Neal

    Visual C++ STL Maintainer
  • Malware Response Team
  • Location:Redmond, Washington


Posted 01 December 2008 - 05:40 PM

Hello, marliaths
Wow... there are a few bad lines in that log :thumbsup:

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click the ComboFix icon on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
In your next reply, please include the following:
  • ComboFix.txt

Billy3

#6 marliaths

  • Topic Starter
  • Members


Posted 02 December 2008 - 11:47 AM

hey here is the log:

ComboFix 08-12-01.01 - Administrator 12/01/2008 19:15:52.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.78 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Administrator\Application Data\DOBE~1
c:\documents and settings\Administrator\Application Data\DOBE~1\?dobe\
c:\documents and settings\Administrator\Application Data\WinTouch
c:\documents and settings\Administrator\Application Data\WinTouch\wintouch.cfg
c:\documents and settings\Administrator\Application Data\WinTouch\WTUninstaller.exe
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Administrator\Start Menu\Programs\Outerinfo
c:\documents and settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
c:\documents and settings\All Users\Start Menu\Programs\AntiSpywareMaster
c:\program files\Common Files\Yazzle1281OinAdmin.exe
c:\program files\Common Files\Yazzle1281OinUninstaller.exe
c:\program files\CPV
c:\program files\CPV\CPV8.dll
c:\program files\inetget2
c:\program files\JavaCore
c:\program files\JavaCore\JavaCore.exe
c:\program files\JavaCore\UnInstall.exe
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\program files\outerinfo
c:\program files\outerinfo\FF\chrome.manifest
c:\program files\outerinfo\FF\components\FF.dll
c:\program files\outerinfo\FF\components\OuterinfoAds.xpt
c:\program files\outerinfo\FF\install.rdf
c:\program files\outerinfo\Terms.rtf
c:\program files\Temporary
c:\program files\Twain\Twain.exe
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\winnt\17PHolmes1000106.exe
c:\winnt\17PHolmes572.exe
c:\winnt\b103.exe
c:\winnt\b104.exe
c:\winnt\b116.exe
c:\winnt\b138.exe
c:\winnt\b152.exe
c:\winnt\b155.exe
c:\winnt\b156.exe
c:\winnt\b157.exe
c:\winnt\BM7bb067f5.txt
c:\winnt\BM7bb067f5.xml
c:\winnt\cookies.ini
c:\winnt\NDNuninstall7_48.exe
c:\winnt\pskt.ini
c:\winnt\system32\atmtd.dll
c:\winnt\system32\atmtd.dll._
c:\winnt\system32\BLklkUtv.ini
c:\winnt\system32\BLklkUtv.ini2
c:\winnt\system32\byXNhiHb.dll
c:\winnt\system32\dogaikpg.dll
c:\winnt\system32\fklqofgy.dll
c:\winnt\system32\ghgppuvo.ini
c:\winnt\system32\gside.exe
c:\winnt\system32\mcrh.tmp
c:\winnt\system32\msnav32.ax
c:\winnt\system32\mysidesearch_sidebar_uninstall.exe
c:\winnt\system32\myss_sb_uninstall.exe
c:\winnt\system32\ovuppghg.dll
c:\winnt\system32\pac.txt
c:\winnt\system32\rwwnw64d.exe
c:\winnt\system32\tsuninst.exe
c:\winnt\system32\vtUklkLB.dll
c:\winnt\system32\winpfz33.sys
c:\winnt\system32\zxdnt3d.cfg
c:\winnt\t\
c:\winnt\uninstall_nmon.vbs
c:\winnt\Web\default.htt
c:\winnt\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD
-------\Legacy_TNIDRIVER
-------\Service_Network Monitor
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-01 19:30 . 08-12-01 19:30 49,202 --a------ c:\winnt\system32\rwwnw64d.exe
2008-12-01 19:30 . 08-12-01 19:30 32 --a------ c:\winnt\system32\msnav32.ax
2008-12-01 19:29 . 08-12-01 19:29 <DIR> d-------- c:\temp\tn3
2008-11-30 19:05 . 08-11-30 19:14 345 --a------ c:\winnt\gmer.ini
2008-11-17 21:30 . 08-11-17 21:30 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 03:27 932 ------w c:\winnt\system32\drivers\core.cache.dsk
2008-12-02 03:16 --------- d-----w c:\program files\Twain
2003-11-06 23:59 142 ----a-w c:\documents and settings\All Users\Release IP.cmd
2001-10-05 23:34 271 ---h--w c:\program files\desktop.ini
2001-10-05 23:34 21,952 ---h--w c:\program files\folder.htt
2001-05-09 21:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2005-07-29 23:24 472 --sha-r c:\winnt\U0FNQw\oXIhkT.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9f768a18-8a64-1a02-d3b0-b5edd158d76f}]
08-04-07 08:17 329216 --a------ c:\winnt\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [07-01-19 12:49 4670968]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [07-09-04 16:40 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BATTERYAID"="c:\program files\Fujitsu\BATTERYAID\BATTERYAID.exe" [01-03-19 15:27 217088]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [00-08-08 10:52 49152]
"FTMSFLT"="c:\program files\FIDMOU\WIN2K\FTMSFLT.exe" [99-11-26 13:18 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 03:48 36975]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [07-02-13 10:29 35328]
"{35-54-4C-C6-DW}"="c:\winnt\system32\rwwnw64d.exe" [08-12-01 19:30 49202]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [08-03-13 15:48 1443072]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="Atiptaxx.exe" [01-07-05 16:53 217088 c:\winnt\system32\atiptaxx.exe]
"LTSMMSG"="LTSMMSG.exe" [01-12-17 14:50 32768 c:\winnt\LTSMMSG.exe]
"PRPCMonitor"="PRPCUI.exe" [00-01-06 08:00 32768 c:\winnt\system32\prpcui.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
DW_Start.lnk - c:\winnt\system32\rwwnw64d.exe [2008-12-01 49202]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.14.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2006-12-22 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
01-11-02 10:50 24636 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.CTRXAUD"= ctrxaud.acm
"VIDC.CTRX"= ctrxvid.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

R0 atakmini;atakmini;c:\winnt\system32\DRIVERS\atakmini.sys [2000-03-08 20162]
R1 epfwndhk;epfwndhk;c:\winnt\system32\DRIVERS\EPFWNDHK.sys [2008-03-13 33800]
R1 streamss;streamss;c:\winnt\system32\drivers\streamss.sys [2008-04-21 86144]
R2 PRPC;PRPC;c:\winnt\system32\drivers\PRPC.sys [2001-10-05 12182]
R3 ati2mpab;ati2mpab;c:\winnt\system32\DRIVERS\ati2mpab.sys [2001-08-13 315888]
R3 FIDMOU;Fujitsu Touch Panel;c:\winnt\system32\DRIVERS\FIDMOU.sys [2002-10-28 10588]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\winnt\system32\DRIVERS\LTSM.sys [2001-12-18 807021]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys []
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\winnt\system32\DRIVERS\RTL8187B.sys [2007-03-02 189312]
S3 SjyPkt;SjyPkt;\??\c:\winnt\System32\Drivers\SjyPkt.sys [2002-10-02 13532]
.
Contents of the 'Scheduled Tasks' folder

2008-04-22 c:\winnt\Tasks\Homecare Transfer 1.job
- c:\pwhc\apps\fstransfer.exe []

2008-04-22 c:\winnt\Tasks\Homecare Transfer 2.job
- c:\pwhc\apps\fstransfer.exe []

2008-04-22 c:\winnt\Tasks\Hospice Transfer.job
- c:\pwhc\apps\fstransfer.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{8C6722E2-1241-4678-A7C9-80FCE5CC01EF} - c:\winnt\system32\vtUklkLB.dll
BHO-{EF833EA3-A232-F29A-119A-A48F045B7E97} - (no file)
BHO-{f40fd3b5-0d0d-43ab-ad18-d9c45453c585} - c:\winnt\system32\dogaikpg.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ejq9ly8w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 19:29:30
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\rwwnw64d.exe 49202 bytes executable
c:\winnt\system32\msnav32.ax 32 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(100)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2008-12-01 19:33:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 03:33:21

Pre-Run: 10,878,449,152 bytes free
Post-Run: 10,817,647,104 bytes free

198

It seems like ComboFix fixes everything, basically :thumbsup:
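A helper reads a log like the one above by hand, looking for the same path turning up in more than one place. As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that pulls the registry Run values, the Startup-folder links, catchme's hidden-file hits and the "failed to delete" lines out of such a log and cross-references them by path. The sample log embedded in it is a constructed excerpt made from lines in the post above; the tag names and the flagging rule are my own.

```python
"""Cross-reference persistence evidence in a ComboFix log (added example).

Line shapes follow the log in the post above. The sample below is a
constructed excerpt of that log, not a complete one."""
import re

REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"="value" [date time size]  or  "name"="file.exe" [date time size full-path]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
STARTUP_LNK = re.compile(r"^(?P<lnk>[^\\]+\.lnk) - (?P<path>.+?) \[", re.IGNORECASE)
HIDDEN_FILE = re.compile(r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes", re.IGNORECASE)
FAILED = re.compile(r"^(?P<path>.+?) \. \. \. \. failed to delete$")

SAMPLE_LOG = r"""
c:\winnt\system32\drivers\core.cache.dsk . . . . failed to delete

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [07-02-13 10:29 35328]
"{35-54-4C-C6-DW}"="c:\winnt\system32\rwwnw64d.exe" [08-12-01 19:30 49202]
"AtiPTA"="Atiptaxx.exe" [01-07-05 16:53 217088 c:\winnt\system32\atiptaxx.exe]

DW_Start.lnk - c:\winnt\system32\rwwnw64d.exe [2008-12-01 49202]

scanning hidden files ...

c:\winnt\system32\rwwnw64d.exe 49202 bytes executable
c:\winnt\system32\msnav32.ax 32 bytes

scan completed successfully
hidden files: 2
"""


def _run_path(value, meta):
    """Resolve the file a Run value points at. Bare names (resolved via the
    PATH) carry the full path as the fourth field of the bracketed metadata."""
    if "\\" in value:
        return value
    parts = meta.split(None, 3)
    return parts[3] if len(parts) == 4 else value


def parse_log(text):
    """Return {lower-cased path: set of evidence tags} for the whole log."""
    index = {}

    def tag(path, label):
        index.setdefault(path.strip().lower(), set()).add(label)

    current_key = None
    in_hidden = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            current_key = None  # blank lines separate registry key blocks
            continue
        if line.startswith("scanning hidden files"):
            in_hidden = True
            continue
        if line.startswith("scan completed"):
            in_hidden = False
            continue
        if in_hidden:
            m = HIDDEN_FILE.match(line)
            if m:
                tag(m["path"], "hidden (catchme)")
            continue
        m = FAILED.match(line)
        if m:
            tag(m["path"], "failed to delete")
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = RUN_VALUE.match(line)
        if m and current_key and current_key.lower().endswith(("\\run", "\\runonce")):
            tag(_run_path(m["value"], m["meta"]), "registry Run")
            continue
        m = STARTUP_LNK.match(line)
        if m:
            tag(m["path"], "Startup folder")
    return index


def flag(index):
    """Entries worth a second look: anything catchme hid, anything the tool
    could not remove, and any path reached by more than one mechanism
    (flagging rule is this example's own, not ComboFix's)."""
    return [(path, tuple(sorted(tags)))
            for path, tags in sorted(index.items())
            if len(tags) > 1 or "hidden (catchme)" in tags or "failed to delete" in tags]


if __name__ == "__main__":
    for path, tags in flag(parse_log(SAMPLE_LOG)):
        print(f"{path}\n    evidence: {', '.join(tags)}")
```

Run against the excerpt, the script singles out rwwnw64d.exe (Run value, Startup link and hidden file at once), msnav32.ax (hidden) and core.cache.dsk (not deletable), while the ordinary Winamp and ATI entries drop out; that is the same conclusion the reply below draws by eye.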

#7 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 02 December 2008 - 07:44 PM

Hello, marliaths

it seems like combofix fixes everything basically

That would be nice, wouldn't it? But no.. it doesn't. It missed quite a bit on your machine actually.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Did you answer no to the prompt or did the RC fail to download?

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    c:\documents and settings\All Users\Release IP.cmd
    c:\program files\desktop.ini
    c:\program files\folder.htt
    c:\winnt\inf\wbfirdma.sys
    c:\winnt\system32\rwwnw64d.exe
    c:\winnt\system32\msnav32.ax
    c:\winnt\system32\drivers\core.cache.dsk
    c:\documents and settings\All Users\Release IP.cmd
    c:\winnt\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll
    c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
    c:\winnt\System32\Drivers\SjyPkt.sys
    c:\winnt\Tasks\Hospice Transfer.job
    c:\winnt\Tasks\Homecare Transfer 2.job
    c:\winnt\Tasks\Homecare Transfer 1.job
    c:\pwhc\apps\fstransfer.exe
    folder::
    c:\temp\tn3
    c:\winnt\U0FNQw
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9f768a18-8a64-1a02-d3b0-b5edd158d76f}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{35-54-4C-C6-DW}"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"=-
    driver::
    SjyPkt
    rootkit::
    c:\winnt\system32\msnav32.ax
    c:\winnt\system32\rwwnw64d.exe
    dirlook::
    c:\pwhc\apps
    c:\pwhc
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
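Before a script like the one above (or the second one further down the thread) is dragged onto ComboFix, it is worth seeing exactly what it asks for. As an added example, not part of this thread or of ComboFix, here is a Python parser for that CFScript layout: a `name::` line opens a section, and the `registry::` section uses .reg-file deletion syntax, where `[-key]` removes a key and `"name"=-` removes a value under the key named just before it. The `review()` helper then lists the targets a reviewer should look at twice; which directories count as "system locations", and the duplicate check, are this example's own choices. The embedded script is a copy of the one in the post above.

```python
"""Parse a ComboFix CFScript into a structured plan and review it (added example)."""
import re

SECTION = re.compile(r"^(?P<name>[A-Za-z]+)::$")
REG_KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>HKEY_[^\]]+)\]$")  # [-key] deletes the key
REG_VALUE_DEL = re.compile(r'^"(?P<name>[^"]+)"=-$')                    # "name"=- deletes a value

# Assumption of this example: locations a reviewer wants called out before deletion.
SYSTEM_DIRS = ("\\system32\\", "\\dllcache\\", "\\drivers\\")

SCRIPT = r"""
file::
c:\documents and settings\All Users\Release IP.cmd
c:\program files\desktop.ini
c:\program files\folder.htt
c:\winnt\inf\wbfirdma.sys
c:\winnt\system32\rwwnw64d.exe
c:\winnt\system32\msnav32.ax
c:\winnt\system32\drivers\core.cache.dsk
c:\documents and settings\All Users\Release IP.cmd
c:\winnt\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll
c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
c:\winnt\System32\Drivers\SjyPkt.sys
c:\winnt\Tasks\Hospice Transfer.job
c:\winnt\Tasks\Homecare Transfer 2.job
c:\winnt\Tasks\Homecare Transfer 1.job
c:\pwhc\apps\fstransfer.exe
folder::
c:\temp\tn3
c:\winnt\U0FNQw
registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9f768a18-8a64-1a02-d3b0-b5edd158d76f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{35-54-4C-C6-DW}"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=-
driver::
SjyPkt
rootkit::
c:\winnt\system32\msnav32.ax
c:\winnt\system32\rwwnw64d.exe
dirlook::
c:\pwhc\apps
c:\pwhc
"""


def parse_cfscript(text):
    """Return {section: entries}. Registry entries become ("delete_key", key)
    or ("delete_value", key, name) tuples; other sections keep raw lines."""
    plan, section, current_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m["name"].lower()
            plan.setdefault(section, [])
            current_key = None
            continue
        if section is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if section != "registry":
            plan[section].append(line)
            continue
        m = REG_KEY_LINE.match(line)
        if m:
            current_key = m["key"]
            if m["delete"]:
                plan[section].append(("delete_key", current_key))
            continue
        m = REG_VALUE_DEL.match(line)
        if m and current_key:
            plan[section].append(("delete_value", current_key, m["name"]))
            continue
        raise ValueError(f"unrecognised registry directive: {line!r}")
    return plan


def review(plan):
    """Targets to double-check: paths under system directories, and paths
    listed twice within one section."""
    notes = []
    for section in ("file", "folder", "rootkit"):
        seen = set()
        for path in plan.get(section, []):
            key = path.lower()
            if key in seen:
                notes.append(("duplicate", section, path))
            seen.add(key)
            if any(d in key for d in SYSTEM_DIRS):
                notes.append(("system location", section, path))
    return notes


if __name__ == "__main__":
    plan = parse_cfscript(SCRIPT)
    for sec, entries in plan.items():
        print(f"{sec}: {len(entries)} entr{'y' if len(entries) == 1 else 'ies'}")
    for note in review(plan):
        print(" ", *note)
```

On the script above this yields one duplicate (Release IP.cmd is listed twice under `file::`, which is harmless) and seven system-location targets across `file::` and `rootkit::`; the registry section parses into one key deletion and two value deletions.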

#8 marliaths

  • Topic Starter
  • Members
  • 49 posts

Posted 02 December 2008 - 07:47 PM

Hey, I wanted to ask a question. I usually do the stuff that you ask me to do by downloading the stuff on my regular computer and then doing it on the laptop through a USB drive; I have to wait until the next day so I can use the USB stick on a computer that has registry freeze, so I don't get viruses. I could reply faster if I just did the stuff on the laptop and reported it on my regular computer. I am just worried that I will import some virus from the laptop through the USB cable. Do you think I am at any risk of that?

#9 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 02 December 2008 - 08:23 PM

I don't think registry freeze is providing much additional protection... I see nothing that infects flash drives on this machine.

That said.. ensure your lappy has antivirus running...

Billy3

#10 marliaths

  • Topic Starter
  • Members
  • 49 posts

Posted 02 December 2008 - 09:08 PM

ComboFix 08-12-01.01 - Administrator 12/02/2008 17:44:28.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.76 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
c:\documents and settings\All Users\Release IP.cmd
c:\program files\desktop.ini
c:\program files\folder.htt
c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
c:\pwhc\apps\fstransfer.exe
c:\winnt\inf\wbfirdma.sys
c:\winnt\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll
c:\winnt\system32\drivers\core.cache.dsk
c:\winnt\System32\Drivers\SjyPkt.sys
c:\winnt\system32\msnav32.ax
c:\winnt\system32\rwwnw64d.exe
c:\winnt\Tasks\Homecare Transfer 1.job
c:\winnt\Tasks\Homecare Transfer 2.job
c:\winnt\Tasks\Hospice Transfer.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
c:\documents and settings\All Users\Release IP.cmd
c:\program files\desktop.ini
c:\program files\folder.htt
c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
c:\temp\tn3
c:\winnt\inf\wbfirdma.sys
c:\winnt\system32\{a0ee16b4-bcbb-3d3d-6d3b-92644accd377}.dll
c:\winnt\System32\Drivers\SjyPkt.sys
c:\winnt\system32\msnav32.ax
c:\winnt\system32\rwwnw64d.exe
c:\winnt\t\
c:\winnt\Tasks\Homecare Transfer 1.job
c:\winnt\Tasks\Homecare Transfer 2.job
c:\winnt\Tasks\Hospice Transfer.job
c:\winnt\U0FNQw
c:\winnt\U0FNQw\oXIhkT.vbs
c:\winnt\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SJYPKT
-------\Service_SjyPkt


((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-02 17:52 . 08-12-02 17:52 <DIR> d-------- c:\temp\tn3
2008-11-30 19:05 . 08-11-30 19:14 345 --a------ c:\winnt\gmer.ini
2008-11-17 21:30 . 08-11-17 21:30 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 01:50 932 ------w c:\winnt\system32\drivers\core.cache.dsk
2008-12-02 03:43 --------- d-----w c:\program files\Common Files\rzoz
2008-12-02 03:16 --------- d-----w c:\program files\Twain
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\pwhc ----

c:\pwhc\

---- Directory of c:\pwhc\apps ----

c:\pwhc\apps\


((((((((((((((((((((((((((((( snapshot@Mon 2008-12-01_19.32.10.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-06-19 19:05:04 186,640 ----a-w c:\winnt\system32\dllcache\icwconn1.exe
+ 1999-09-25 03:18:06 32,528 ----a-w c:\winnt\system32\dllcache\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [07-01-19 12:49 4670968]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [07-09-04 16:40 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BATTERYAID"="c:\program files\Fujitsu\BATTERYAID\BATTERYAID.exe" [01-03-19 15:27 217088]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [00-08-08 10:52 49152]
"FTMSFLT"="c:\program files\FIDMOU\WIN2K\FTMSFLT.exe" [99-11-26 13:18 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 03:48 36975]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [07-02-13 10:29 35328]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [08-03-13 15:48 1443072]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="Atiptaxx.exe" [01-07-05 16:53 217088 c:\winnt\system32\atiptaxx.exe]
"LTSMMSG"="LTSMMSG.exe" [01-12-17 14:50 32768 c:\winnt\LTSMMSG.exe]
"PRPCMonitor"="PRPCUI.exe" [00-01-06 08:00 32768 c:\winnt\system32\prpcui.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.14.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2006-12-22 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
01-11-02 10:50 24636 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.CTRXAUD"= ctrxaud.acm
"VIDC.CTRX"= ctrxvid.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

R0 atakmini;atakmini;c:\winnt\system32\DRIVERS\atakmini.sys [2000-03-08 20162]
R1 epfwndhk;epfwndhk;c:\winnt\system32\DRIVERS\EPFWNDHK.sys [2008-03-13 33800]
R1 streamss;streamss;c:\winnt\system32\drivers\streamss.sys [2008-04-21 86144]
R2 PRPC;PRPC;c:\winnt\system32\drivers\PRPC.sys [2001-10-05 12182]
R3 ati2mpab;ati2mpab;c:\winnt\system32\DRIVERS\ati2mpab.sys [2001-08-13 315888]
R3 FIDMOU;Fujitsu Touch Panel;c:\winnt\system32\DRIVERS\FIDMOU.sys [2002-10-28 10588]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\winnt\system32\DRIVERS\LTSM.sys [2001-12-18 807021]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys []
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\winnt\system32\DRIVERS\RTL8187B.sys [2007-03-02 189312]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 17:51:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(100)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2008-12-02 17:55:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 01:55:49
ComboFix2.txt 2008-12-02 03:33:31

Pre-Run: 11,453,851,136 bytes free
Post-Run: 11,448,060,928 bytes free

132

#11 marliaths

  • Topic Starter
  • Members
  • 49 posts

Posted 02 December 2008 - 09:37 PM

And sorry, I forgot to reply to your question: it didn't prompt to install the Recovery Console.

#12 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 02 December 2008 - 09:40 PM

Hello, marliaths
Grr... it's being difficult.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    KILLALL::
    folder::
    c:\temp\tn3
    c:\pwhc
    c:\program files\Common Files\rzoz
    file::
    c:\winnt\system32\dllcache\icwconn1.exe
    c:\winnt\system32\dllcache\wbfirdma.sys
    c:\winnt\system32\drivers\core.cache.dsk
    c:\winnt\system32\DRIVERS\EPFWNDHK.sys
    driver::
    epfwndhk
    NaiAvFilter101
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

#13 marliaths

  • Topic Starter
  • Members
  • 49 posts

Posted 02 December 2008 - 10:05 PM

Here you go:

ComboFix 08-12-01.01 - Administrator 12/02/2008 18:46:52.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.76 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\system32\dllcache\icwconn1.exe
c:\winnt\system32\dllcache\wbfirdma.sys
c:\winnt\system32\drivers\core.cache.dsk
c:\winnt\system32\DRIVERS\EPFWNDHK.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\rzoz
c:\program files\Common Files\rzoz\rzoza.lck
c:\program files\Common Files\rzoz\rzozd\class-barrel
c:\program files\Common Files\rzoz\rzozd\rzozc.dll
c:\program files\Common Files\rzoz\rzozh
c:\program files\Common Files\rzoz\rzozl.lck
c:\program files\Common Files\rzoz\rzozm.lck
c:\temp\tn3
c:\winnt\system32\dllcache\icwconn1.exe
c:\winnt\system32\dllcache\wbfirdma.sys
c:\winnt\system32\DRIVERS\EPFWNDHK.sys
c:\winnt\t\
c:\winnt\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EPFWNDHK
-------\Service_epfwndhk
-------\Service_NaiAvFilter101


((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-02 18:53 . 08-12-02 18:53 <DIR> d-------- c:\temp\tn3
2008-11-30 19:05 . 08-11-30 19:14 345 --a------ c:\winnt\gmer.ini
2008-11-17 21:30 . 08-11-17 21:30 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 02:51 932 ------w c:\winnt\system32\drivers\core.cache.dsk
2008-12-02 03:16 --------- d-----w c:\program files\Twain
2008-10-16 22:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\winnt\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\winnt\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\winnt\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\winnt\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@Mon 2008-12-01_19.32.10.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 22:08:58 34,328 ----a-w c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [07-01-19 12:49 4670968]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [07-09-04 16:40 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BATTERYAID"="c:\program files\Fujitsu\BATTERYAID\BATTERYAID.exe" [01-03-19 15:27 217088]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [00-08-08 10:52 49152]
"FTMSFLT"="c:\program files\FIDMOU\WIN2K\FTMSFLT.exe" [99-11-26 13:18 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 03:48 36975]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [07-02-13 10:29 35328]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [08-03-13 15:48 1443072]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="Atiptaxx.exe" [01-07-05 16:53 217088 c:\winnt\system32\atiptaxx.exe]
"LTSMMSG"="LTSMMSG.exe" [01-12-17 14:50 32768 c:\winnt\LTSMMSG.exe]
"PRPCMonitor"="PRPCUI.exe" [00-01-06 08:00 32768 c:\winnt\system32\prpcui.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.14.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2006-12-22 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
01-11-02 10:50 24636 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.CTRXAUD"= ctrxaud.acm
"VIDC.CTRX"= ctrxvid.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

R0 atakmini;atakmini;c:\winnt\system32\DRIVERS\atakmini.sys [2000-03-08 20162]
R1 streamss;streamss;c:\winnt\system32\drivers\streamss.sys [2008-04-21 86144]
R2 PRPC;PRPC;c:\winnt\system32\drivers\PRPC.sys [2001-10-05 12182]
R3 ati2mpab;ati2mpab;c:\winnt\system32\DRIVERS\ati2mpab.sys [2001-08-13 315888]
R3 FIDMOU;Fujitsu Touch Panel;c:\winnt\system32\DRIVERS\FIDMOU.sys [2002-10-28 10588]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\winnt\system32\DRIVERS\LTSM.sys [2001-12-18 807021]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\winnt\system32\DRIVERS\RTL8187B.sys [2007-03-02 189312]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 18:52:57
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(100)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2008-12-02 18:57:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 02:57:02
ComboFix2.txt 2008-12-03 01:55:59
ComboFix3.txt 2008-12-02 03:33:31

Pre-Run: 11,453,744,640 bytes free
Post-Run: 11,450,701,312 bytes free

120

#14 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 02 December 2008 - 10:20 PM

Hello, marliaths
Looks like CF can't deal with this infection. Let's get out some bigger guns...

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.
  • Please download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    folders to delete:
    c:\temp
    c:\winnt\t
    files to delete:
    c:\winnt\system32\drivers\core.cache.dsk
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • Avenger's Log
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log

Billy3

#15 marliaths

  • Topic Starter
  • Members
  • 49 posts

Posted 02 December 2008 - 10:23 PM

Okay, I will have to reply tomorrow; I have to go now. Thanks for the help.
