Some Issues



#1 thedood

Posted 14 December 2008 - 04:24 PM

Ok, so I have been having malware and spyware problems for a while now. I was shown how to use HJT on another forum and posted my log, and then was asked to post the ComboFix log, and I did, but the other forum I posted on is dead. Can someone check out my logs and help me out?

The only big problem I am having is that when I log in to Windows it takes about 10 min for the desktop to show up. And the ComboFix log says that my winlogin.exe is hijacked. Anyhow, here are my logs.

SDFIX LOG

Checking Files :

Trojan Files Found:



Could Not Remove C:\WINDOWS.0\system32\tdssservers.dat

Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS.0\system32\GP2 - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS.0\system32
:{4B9A1497-0817-47C4-9612-D5A1C53ACF57} 12
:{4B9A1497-0817-47C4-9612-D6A1C53ACF57} 12
Total size: 24 bytes.
system32: deleted 24 bytes in 2 streams.

Checking for remaining Streams

C:\WINDOWS.0\system32
No streams found.


Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 00:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:d7,aa,29,ea,fc,19,86,7d,71,67,38,00,88,18,82,60,2b,8e,3a,a1,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,30,fd,39,f3,20,4d,11,ae,a0,a3,e5,17,a4,3a,4d,56,a6,..
"khjeh"=hex:30,92,6b,db,1e,63,db,ba,d1,99,2c,5b,8c,34,82,bc,4c,64,cc,12,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:95,36,1f,85,bf,3a,87,2b,64,97,54,91,57,58,c8,d4,f5,f4,cd,63,2a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmqlt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqh.dll"
"tdssservers"="\systemroot\system32\TDSSorvd.dat"
"tdssmain"="\systemroot\system32\TDSSbrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSSxfum.dll"
"tdssinit"="\systemroot\system32\TDSSlxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsihc.dll"
"tdsserrors"="\systemroot\system32\TDSSrhyp.log"
"TDSSproc"="\systemroot\system32\TDSSkkbu.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:d7,aa,29,ea,fc,19,86,7d,71,67,38,00,88,18,82,60,2b,8e,3a,a1,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,30,fd,39,f3,20,4d,11,ae,a0,a3,e5,17,a4,3a,4d,56,a6,..
"khjeh"=hex:b3,07,f8,c9,ac,18,01,39,36,d5,a1,ed,cc,53,a3,8f,67,be,64,ad,fc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:04,4e,03,20,d8,54,38,33,e5,ef,3c,34,64,db,8d,3d,7f,86,b0,87,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:d7,aa,29,ea,fc,19,86,7d,71,67,38,00,88,18,82,60,2b,8e,3a,a1,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,30,fd,39,f3,20,4d,11,ae,a0,a3,e5,17,a4,3a,4d,56,a6,..
"khjeh"=hex:b3,07,f8,c9,ac,18,01,39,36,d5,a1,ed,cc,53,a3,8f,67,be,64,ad,fc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:97,97,95,f0,8c,3f,b8,a2,ce,1b,b3,34,6e,a0,6b,06,61,e0,9b,7e,aa,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:d7,aa,29,ea,fc,19,86,7d,71,67,38,00,88,18,82,60,2b,8e,3a,a1,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,30,fd,39,f3,20,4d,11,ae,a0,a3,e5,17,a4,3a,4d,56,a6,..
"khjeh"=hex:b3,07,f8,c9,ac,18,01,39,36,d5,a1,ed,cc,53,a3,8f,67,be,64,ad,fc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:05,ee,ac,25,97,47,ee,f4,ff,f5,4f,15,c0,b4,53,51,17,df,e8,16,bd,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:d7,aa,29,ea,fc,19,86,7d,71,67,38,00,88,18,82,60,2b,8e,3a,a1,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,30,fd,39,f3,20,4d,11,ae,a0,a3,e5,17,a4,3a,4d,56,a6,..
"khjeh"=hex:30,92,6b,db,1e,63,db,ba,d1,99,2c,5b,8c,34,82,bc,4c,64,cc,12,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:95,36,1f,85,bf,3a,87,2b,64,97,54,91,57,58,c8,d4,f5,f4,cd,63,2a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmqlt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqh.dll"
"tdssservers"="\systemroot\system32\TDSSorvd.dat"
"tdssmain"="\systemroot\system32\TDSSbrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSSxfum.dll"
"tdssinit"="\systemroot\system32\TDSSlxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsihc.dll"
"tdsserrors"="\systemroot\system32\TDSSrhyp.log"
"TDSSproc"="\systemroot\system32\TDSSkkbu.log"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS.0\system32\drivers\TDSSmqlt.sys 60416 bytes executable
C:\WINDOWS.0\system32\TDSSbrsr.dll 29696 bytes executable
C:\WINDOWS.0\system32\TDSSkkbu.log 6933 bytes
C:\WINDOWS.0\system32\TDSSlxwp.dll 2271 bytes
C:\WINDOWS.0\system32\TDSSoiqh.dll 35840 bytes executable
C:\WINDOWS.0\system32\TDSSorvd.dat 527 bytes
C:\WINDOWS.0\system32\TDSSriqp.dll 31232 bytes executable
C:\WINDOWS.0\system32\tdssservers.dat 527 bytes
C:\WINDOWS.0\system32\TDSSxfum.dll 73728 bytes executable
C:\WINDOWS.0\Temp\TDSSe23d.tmp 16384 bytes
C:\Documents and Settings\RED\Local Settings\Temp\TDSS93ae.tmp 122880 bytes executable
C:\Documents and Settings\RED\Local Settings\Temp\TDSS943b.tmp 616960 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 12


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"="C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Nexon\\Combat Arms\\CombatArms.exe"="C:\\Nexon\\Combat Arms\\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\\Nexon\\Combat Arms\\Engine.exe"="C:\\Nexon\\Combat Arms\\Engine.exe:*Enabled:Engine.exe"
"C:\\WINDOWS.0\\system32\\PnkBstrA.exe"="C:\\WINDOWS.0\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS.0\\system32\\PnkBstrB.exe"="C:\\WINDOWS.0\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"="C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars™"
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"="C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe:*:Enabled:etqwded.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS.0\\explorer.exe"="C:\\WINDOWS.0\\explorer.exe:*:Enabled:Windows Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"="C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Nexon\\Combat Arms\\CombatArms.exe"="C:\\Nexon\\Combat Arms\\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\\Nexon\\Combat Arms\\Engine.exe"="C:\\Nexon\\Combat Arms\\Engine.exe:*Enabled:Engine.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

C:\WINDOWS.0\system32\tdssservers.dat Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 5 Sep 2007 70,144 A.SH. --- "C:\Setup.exe"
Tue 2 Aug 2005 293,888 A.SHR --- "C:\PcwBak\11-30-2008 18#00\command.exe"
Thu 13 Nov 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS.0\DRM\DRMv1.bak"
Wed 5 Sep 2007 70,144 ..SH. --- "C:\Documents and Settings\Nich\My Documents\Setup.exe"
Sat 19 Jul 2008 444 ...HR --- "C:\Documents and Settings\RED\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\RED\Application Data\U3\temp\Launchpad Removal.exe"
Thu 23 Oct 2008 9,171,440 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\chrome.dll"
Thu 23 Oct 2008 762,352 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\chrome.exe"
Thu 23 Oct 2008 8,835,072 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\icudt38.dll"
Thu 23 Oct 2008 138,752 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\rlz.dll"
Thu 23 Oct 2008 99,328 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\wow_helper.exe"
Thu 23 Oct 2008 133,632 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\ar.dll"
Thu 23 Oct 2008 119,808 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\bg.dll"
Thu 23 Oct 2008 101,376 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\ca.dll"
Thu 23 Oct 2008 99,840 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\cs.dll"
Thu 23 Oct 2008 94,208 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\da.dll"
Thu 23 Oct 2008 83,968 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\de.dll"
Thu 23 Oct 2008 131,584 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\el.dll"
Thu 23 Oct 2008 90,112 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\en-GB.dll"
Thu 23 Oct 2008 90,112 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\en-US.dll"
Thu 23 Oct 2008 102,912 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\es-419.dll"
Thu 23 Oct 2008 101,376 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\es.dll"
Thu 23 Oct 2008 89,600 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\et.dll"
Thu 23 Oct 2008 91,648 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\fi.dll"
Thu 23 Oct 2008 109,056 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\fil.dll"
Thu 23 Oct 2008 104,448 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\fr.dll"
Thu 23 Oct 2008 84,992 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\he.dll"
Thu 23 Oct 2008 133,120 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\hi.dll"
Thu 23 Oct 2008 93,696 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\hr.dll"
Thu 23 Oct 2008 102,912 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\hu.dll"
Thu 23 Oct 2008 93,696 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\id.dll"
Thu 23 Oct 2008 98,816 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\it.dll"
Thu 23 Oct 2008 75,264 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\ja.dll"
Thu 23 Oct 2008 68,096 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\ko.dll"
Thu 23 Oct 2008 98,816 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\lt.dll"
Thu 23 Oct 2008 94,208 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\lv.dll"
Thu 23 Oct 2008 92,672 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\nb.dll"
Thu 23 Oct 2008 98,304 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\nl.dll"
Thu 23 Oct 2008 99,328 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\pl.dll"
Thu 23 Oct 2008 99,840 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\pt-BR.dll"
Thu 23 Oct 2008 100,864 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\pt-PT.dll"
Thu 23 Oct 2008 101,888 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\ro.dll"
Thu 23 Oct 2008 120,320 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\ru.dll"
Thu 23 Oct 2008 102,400 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\sk.dll"
Thu 23 Oct 2008 93,184 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\sl.dll"
Thu 23 Oct 2008 113,152 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\sr.dll"
Thu 23 Oct 2008 91,648 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\sv.dll"
Thu 23 Oct 2008 124,416 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\th.dll"
Thu 23 Oct 2008 95,232 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\tr.dll"
Thu 23 Oct 2008 111,616 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\uk.dll"
Thu 23 Oct 2008 100,864 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\vi.dll"
Thu 23 Oct 2008 51,712 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\zh-CN.dll"
Thu 23 Oct 2008 52,736 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Locales\zh-TW.dll"
Thu 23 Oct 2008 321,024 A..H. --- "C:\Documents and Settings\RED\Desktop\Portable Google Chrome 0.3.154.6\App\Chrome\Themes\default.dll"

Finished!

===============================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:15 AM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\acs.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\PnkBstrA.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WLAN\ACU.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS.0\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cltd.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: agadoo browser enhancer - {427F273B-947D-CA56-59A1-CA4BBC60699F} - C:\WINDOWS.0\system32\twdqqrxksy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {93a3a5a2-c201-9279-0e74-78dfc7d3e1ff} - {ff1e3d7c-fd87-47e0-9729-102c2a5a3a39} - C:\WINDOWS.0\system32\krgqvr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\WLAN\ACU.exe" -nogui
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS.0\system32\prunnet.exe"
O4 - HKLM\..\Run: [{56-66-65-51-DW}] c:\windows.0\system32\dwwnw64r.exe DWmmm01FF
O4 - HKLM\..\Run: [eguphhirbqwownw] C:\WINDOWS.0\System32\regsvr32.exe /s "C:\WINDOWS.0\system32\twdqqrxksy.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS.0\system32\prunnet.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - AppInit_DLLs: krgqvr.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: WLAN Configuration Service (ACS) - Atheros - C:\WINDOWS.0\system32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS.0\system32\PnkBstrA.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe

--
End of file - 8577 bytes

===============================================

COMBO FIX LOG

ComboFix 08-12-07.04 - RED 2008-12-08 19:53:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1641 [GMT -6:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\RED\Application Data\IUpd721
c:\documents and settings\RED\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\RED\nah_haxt.exe
c:\documents and settings\RED\nah_log.dat
C:\setup.exe
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows.0\system32\~.exe
c:\windows.0\system32\AutoRun.inf
c:\windows.0\system32\av.dat
c:\windows.0\system32\av.exe
c:\windows.0\system32\dim
c:\windows.0\system32\drivers\TDSSmqlt.sys
c:\windows.0\system32\getwn32.dll
c:\windows.0\system32\ID2
c:\windows.0\system32\ID2\CRAFE913.exe
c:\windows.0\system32\krgqvr.dll
c:\windows.0\system32\sqqtjtqs.ini
c:\windows.0\system32\TDSSbrsr.dll
c:\windows.0\system32\TDSSkkbu.log
c:\windows.0\system32\TDSSlxwp.dll
c:\windows.0\system32\TDSSnmxh.log
c:\windows.0\system32\TDSSoiqh.dll
c:\windows.0\system32\TDSSorvd.dat
c:\windows.0\system32\TDSSrhyp.log
c:\windows.0\system32\TDSSriqp.dll
c:\windows.0\system32\tdssservers.dat
c:\windows.0\system32\TDSSsihc.dll
c:\windows.0\system32\TDSSxfum.dll
c:\windows.0\system32\twdqqrxksy.dll
c:\windows.0\system32\wertyu.dll

c:\windows.0\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 02:21 . 2008-12-08 02:41 <DIR> d-------- c:\documents and settings\RED\Application Data\RegClean
2008-12-08 02:06 . 2008-12-08 02:06 <DIR> d-------- c:\program files\RegClean
2008-12-08 00:17 . 2002-07-31 19:55 144 ---hs---- c:\windows.0\WSYS049.SYS
2008-12-08 00:17 . 2001-09-05 12:28 41 ---h----- c:\windows.0\trfntw32.cfg
2008-12-08 00:15 . 2008-12-08 00:18 <DIR> d-------- c:\program files\Child Timer
2008-12-04 00:04 . 2008-12-04 00:04 <DIR> d-------- c:\windows.0\ERUNT
2008-12-03 18:47 . 2008-12-04 00:19 <DIR> d-------- C:\SDFix
2008-11-30 22:40 . 2008-11-30 22:40 1,529,241 --a------ C:\SDFix.exe
2008-11-28 00:34 . 2008-11-28 00:34 <DIR> d-------- c:\program files\iPod
2008-11-28 00:34 . 2008-04-17 13:12 107,368 --a------ c:\windows.0\system32\GEARAspi.dll
2008-11-28 00:34 . 2008-04-17 13:12 15,464 --a------ c:\windows.0\system32\drivers\GEARAspiWDM.sys
2008-11-28 00:33 . 2008-11-28 00:34 <DIR> d-------- c:\program files\iTunes
2008-11-28 00:33 . 2008-11-28 00:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 00:32 . 2008-11-28 00:33 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Apple Computer
2008-11-28 00:29 . 2008-11-28 00:34 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-27 02:07 . 2008-11-27 02:07 <DIR> d-------- C:\rsit
2008-11-26 22:27 . 2008-11-26 22:27 <DIR> d-------- c:\program files\Trend Micro
2008-11-22 18:39 . 2008-11-22 18:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-22 18:39 . 2008-11-22 18:39 <DIR> d-------- c:\documents and settings\RED\Application Data\Malwarebytes
2008-11-22 18:39 . 2008-11-22 18:39 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\Malwarebytes
2008-11-22 18:39 . 2008-09-02 00:26 38,528 --a------ c:\windows.0\system32\drivers\mbamswissarmy.sys
2008-11-22 18:39 . 2008-09-02 00:25 17,200 --a------ c:\windows.0\system32\drivers\mbam.sys
2008-11-21 18:40 . 2008-11-30 18:00 <DIR> d--hs---- c:\windows.0\UkVE
2008-11-21 18:40 . 2008-11-21 18:40 153,522 --a------ c:\windows.0\system32\g61.exe
2008-11-21 18:40 . 2008-11-21 18:41 47,584 --a------ c:\windows.0\system32\vrqctrcsgpuokm.exe
2008-11-21 18:39 . 2008-12-08 19:56 <DIR> d-------- C:\Temp
2008-11-21 18:38 . 2008-11-21 18:38 115,016 --a------ c:\windows.0\system32\MSINET.OCX
2008-11-21 18:38 . 2008-11-21 18:38 2,407 --a------ c:\windows.0\system32\MSINET.DEP
2008-11-20 14:44 . 2008-11-20 14:44 42,320 --a------ c:\windows.0\system32\xfcodec.dll
2008-11-16 01:59 . 2008-11-16 01:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS.0\Application Data\FLEXnet
2008-11-16 01:48 . 2008-11-16 01:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-13 09:42 . 2008-11-13 09:42 644,400 --a------ c:\windows.0\system32\mscomct2.ocx
2008-11-11 01:09 . 2008-11-11 01:09 68 --a------ c:\windows.0\Awpr.ini
2008-11-11 01:08 . 2008-11-11 01:08 <DIR> d-------- c:\program files\ElcomSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 23:42 --------- d-----w c:\program files\LogMeIn
2008-12-08 00:48 --------- d-----w c:\program files\Steam
2008-12-07 23:37 --------- d-----w c:\documents and settings\RED\Application Data\LimeWire
2008-12-07 22:08 --------- d-----w c:\documents and settings\RED\Application Data\Xfire
2008-12-05 04:57 --------- d-----w c:\program files\Xfire
2008-12-03 07:32 --------- d-----w c:\program files\The KMPlayer
2008-12-01 06:07 --------- d-----w c:\program files\Mount&Blade
2008-12-01 06:03 --------- d-----w c:\program files\Google
2008-11-30 23:58 --------- d-----w c:\program files\PC Washer
2008-11-30 09:19 267,272 --sha-w c:\windows.0\system32\drivers\fidbox.idx
2008-11-30 09:19 19,798,048 --sha-w c:\windows.0\system32\drivers\fidbox.dat
2008-11-28 06:35 --------- d-----w c:\documents and settings\RED\Application Data\Apple Computer
2008-11-28 06:32 --------- d-----w c:\program files\QuickTime
2008-11-28 06:30 --------- d-----w c:\program files\Apple Software Update
2008-11-27 03:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-23 05:38 138,280 ----a-w c:\windows.0\system32\drivers\PnkBstrK.sys
2008-11-16 07:13 --------- d-----w c:\program files\CommViewWiFi
2008-11-01 05:01 --------- d-----w c:\program files\Cain
2008-10-29 04:25 --------- d-----w c:\program files\Image Grabber II
2008-10-28 23:58 --------- d-----w c:\program files\CACE Technologies
2008-10-28 23:49 --------- d-----w c:\program files\FLV Player
2008-10-27 03:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-26 07:19 --------- d-----w c:\documents and settings\RED\Application Data\Mount&Blade
2008-10-26 06:30 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\2DBoy
2008-10-23 23:29 --------- d-----w c:\program files\Image Grabber II.NET
2008-10-16 17:43 --------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\LogMeIn
2008-10-15 22:13 --------- d--h--w c:\documents and settings\RED\Application Data\ijjigame
2008-10-15 06:42 --------- d---a-w c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2008-10-14 06:14 --------- d-----w c:\program files\The Virtual Forbidden City
2008-10-11 19:28 --------- d-----w c:\program files\Euro Truck Simulator
2008-08-12 21:14 22,328 ----a-w c:\documents and settings\RED\Application Data\PnkBstrK.sys
2008-02-10 00:33 22,328 ----a-w c:\documents and settings\Nich\Application Data\PnkBstrK.sys
2008-02-28 19:30 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 19:33 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
2008-07-17 07:01 32,768 -csha-w c:\windows.0\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071720080718\index.dat
2005-07-29 22:24 472 --sha-r c:\windows.0\UkVE\o4pH.vbs
.

------- Sigcheck -------

2008-11-30 00:14 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows.0\system32\winlogon.exe

2008-11-30 00:14 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows.0\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2005-07-01 7118848]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-02-25 589824]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"ACU"="c:\program files\WLAN\ACU.exe" [2006-01-09 331776]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 2595616]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RegClean"="c:\program files\RegClean\RegClean.exe" [2008-12-08 10077680]
"SoundMan"="SOUNDMAN.EXE" [2005-09-28 c:\windows.0\SoundMan.exe]

c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-05-07 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):49,73,73,6f,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 09:10 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 c:\windows.0\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=krgqvr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a--c--- 2007-09-21 02:10 55824 c:\windows.0\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS.0\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS.0\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 LBeepKE;LBeepKE;c:\windows.0\system32\Drivers\LBeepKE.sys [2008-04-05 10640]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows.0\system32\drivers\LMIRfsDriver.sys [2008-10-16 47640]
S3 Swnpder;Swnpder; []
S4 Hdiittk2;Hdiittk2; []
S4 LMIRfsClientNP;LMIRfsClientNP; []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a00141b7-7796-11dd-b63c-00026f47bf64}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows.0\Tasks\RegClean Scheduled Scan.job
- c:\program files\RegClean\RegClean.exe [2008-12-08 02:06]

2008-12-09 c:\windows.0\Tasks\RegClean Scheduled Scan.job
- c:\program files\RegClean [2008-12-08 02:06]
.
- - - - ORPHANS REMOVED - - - -

BHO-{427F273B-947D-CA56-59A1-CA4BBC60699F} - c:\windows.0\system32\twdqqrxksy.dll
BHO-{ff1e3d7c-fd87-47e0-9729-102c2a5a3a39} - c:\windows.0\system32\krgqvr.dll
HKCU-Run-prunnet - c:\windows.0\system32\prunnet.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-{56-66-65-51-DW} - c:\windows.0\system32\dwwnw64r.exe
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cltd.net/
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\RED\Application Data\Mozilla\Firefox\Profiles\vj0omtqe.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://passesforthemasses.com/
FF -: plugin - c:\documents and settings\All Users.WINDOWS.0\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\RED\Application Data\Mozilla\Firefox\Profiles\vj0omtqe.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npwbe.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 20:06:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\windows.0\system32\LMIinit.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows.0\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows.0\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows.0\system32\ZoneLabs\vsmon.exe
c:\windows.0\system32\acs.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows.0\system32\nvsvc32.exe
c:\windows.0\system32\PnkBstrA.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows.0\system32\wbem\unsecapp.exe
c:\windows.0\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-12-08 20:18:40 - machine was rebooted [RED]
ComboFix-quarantined-files.txt 2008-12-09 02:18:35

Pre-Run: 95,542,362,112 bytes free
Post-Run: 95,842,426,880 bytes free

284 --- E O F --- 2008-11-08 20:03:19
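
An added example that is not part of the original post and not ComboFix code: a small Python triage script that walks the sections of a ComboFix-style log like the one above (Sigcheck, the REGEDIT4 loading points, ORPHANS REMOVED, File Associations, and DLLs loaded under winlogon.exe/lsass.exe) and flags what a responder would look at first. The rule names, severities and the Finding class are my own; the sample log is a constructed subset of the lines quoted in the post. The facts it relies on are standard XP behaviour: a DLL named in AppInit_DLLs is loaded into every process that maps user32.dll; the Security Center override and DisableMonitoring values suppress its missing-AV/firewall alerts; EnableFirewall=0 under the standardprofile key turns the Windows Firewall off for that profile; mountpoints2 entries are cached autorun handlers for removable drives. The script correlates across sections (the orphaned BHO DLL is the same file as the AppInit_DLLs entry) rather than treating each line in isolation.

```python
"""Triage a ComboFix-style log for the persistence and defence-evasion
indicators shown in the post above.  Added example, not ComboFix code."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the ComboFix log in the post.
SAMPLE_LOG = r"""
------- Sigcheck -------
2008-11-30 00:14 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows.0\system32\winlogon.exe
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=krgqvr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a00141b7-7796-11dd-b63c-00026f47bf64}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
BHO-{ff1e3d7c-fd87-47e0-9729-102c2a5a3a39} - c:\windows.0\system32\krgqvr.dll
HKCU-Run-prunnet - c:\windows.0\system32\prunnet.exe
------- File Associations -------
VBSFile=NOTEPAD.EXE %1
- - - - - - - > 'winlogon.exe'(888)
c:\windows.0\system32\LMIRfsClientNP.dll
- - - - - - - > 'lsass.exe'(948)
c:\windows.0\system32\relog_ap.dll
"""

@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM or INFO (my own scale)
    rule: str
    detail: str

SECTION_RE = re.compile(r"^-+ (.*?) -+$")                       # "------- Sigcheck -------"
KEY_RE = re.compile(r"^\[(.+)\]$")                               # REGEDIT4 key header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                     # "Name"=value
PROC_RE = re.compile(r"^(?:- )+> '([^']+)'\(\d+\)$")              # 'winlogon.exe'(888) header
SIGCHECK_RE = re.compile(r"^\S+ \S+\s+(\d+)\s+([0-9a-f]{32})\s+(.+)$")  # date time size md5 path
ORPHAN_RE = re.compile(r"^(\S+) - (.+)$")
ASSOC_RE = re.compile(r"^(\w+File)=(.+)$")
SC_VALUES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def triage(log_text):
    """Return Findings in log order; HIGH entries are correlated across sections."""
    findings, appinit = [], set()
    section = key = proc = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "." or line.startswith("*"):
            continue
        if (m := SECTION_RE.match(line)):
            section, key, proc = m.group(1).strip("- ").lower(), "", ""
        elif (m := KEY_RE.match(line)):
            key, section, proc = m.group(1).lower(), "", ""
        elif (m := PROC_RE.match(line)):
            proc, section, key = m.group(1).lower(), "", ""
        elif proc:  # DLLs mapped into winlogon/lsass: where Notify packages and LSA plug-ins live
            findings.append(Finding("INFO", f"dll-in-{proc}", line))
        elif section == "sigcheck" and (m := SIGCHECK_RE.match(line)):
            findings.append(Finding("INFO", "sigcheck",
                f"{m.group(3)} size={m.group(1)} md5={m.group(2)}; compare with a known-good copy"))
        elif section == "orphans removed" and (m := ORPHAN_RE.match(line)):
            linked = basename(m.group(2)) in appinit  # same file also hooked via AppInit_DLLs?
            findings.append(Finding("HIGH" if linked else "INFO", "orphan-autostart",
                f"{m.group(1)} -> {m.group(2)}" + (" (also registered in AppInit_DLLs)" if linked else "")))
        elif section == "file associations" and (m := ASSOC_RE.match(line)) and "notepad" in m.group(2).lower():
            findings.append(Finding("INFO", "script-assoc-redirected",
                f"{m.group(1)} opens with {m.group(2)}; confirm this was deliberate"))
        elif key and (m := VALUE_RE.match(line)):
            name, value, leaf = m.group(1).lower(), m.group(2).strip(), key.rsplit("\\", 1)[-1]
            if name == "appinit_dlls" and value:
                appinit.update(basename(d) for d in re.split(r"[,\s]+", value))
                findings.append(Finding("HIGH", "appinit-dlls",
                    f"{value} is loaded into every process that maps user32.dll"))
            elif "security center" in key and name in SC_VALUES and value.endswith("1"):
                findings.append(Finding("MEDIUM", "security-center-silenced", f"{m.group(1)}=1 under {leaf}"))
            elif "firewallpolicy" in key and name == "enablefirewall" and value.startswith("0"):
                findings.append(Finding("MEDIUM", "windows-firewall-off", f"EnableFirewall=0 in {leaf}"))
        elif key and "mountpoints2" in key and "\\shell\\autorun\\command" in line.lower():
            findings.append(Finding("INFO", "removable-autorun", line.split(" - ", 1)[-1]))
    return findings

def summary(findings):
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:24} {f.detail}")
```

Run as-is it prints twelve findings for the sample: two HIGH (the AppInit_DLLs entry and the orphaned BHO that points at the same DLL), three MEDIUM (the two Security Center values and the disabled firewall profile), and INFO lines for the Sigcheck hash, the cached U3 autorun handler, the remaining orphan, the VBS association and the DLLs inside winlogon.exe and lsass.exe. The INFO items are deliberately not verdicts: the Sigcheck hash has to be compared against a clean copy, and a script association pointing at Notepad is sometimes set on purpose as a hardening step.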


#2 kahdah


Posted 23 December 2008 - 07:11 PM

Hello thedood

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



