
C:\WINDOWS folder opens on start up


This topic is locked. 29 replies to this topic.

#1 hybrid_101 (Members, 65 posts, Gender: Male, Location: Dublin Oh, USA)

Posted 22 December 2008 - 08:07 PM

Hi, I removed this trojan that said I had a virus with Spybot, and after that my PC worked fine but had one problem: on start up C:\WINDOWS pops up by itself. Here is a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:53 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=66026
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66026
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Oturum Açma Yardim Araci - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [CTFMON] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1221428633968
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c95d216071fada) (gupdate1c95d216071fada) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9909 bytes

Please help.
P.S. This was in misplaced HijackThis; I moved it to the proper place, so if you're redirected here you're in the right place.
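The two entries in the log above that account for the reported symptom are the Winlogon Shell value (`F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\"`: any argument after `explorer.exe` is handed to Explorer, which opens it as a folder at every logon, hence C:\WINDOWS appearing by itself) and the RunServices entry pointing at `C:\WINDOWS\scvhost.exe`, a name one transposition away from the real `svchost.exe` and sitting outside system32. The script below is an added example, not part of the thread or of HijackThis itself; it parses HijackThis-style lines and flags exactly those two patterns. The sample lines are copied from the first log, plus two benign entries so the checks can be seen to ignore them; the list of core Windows binary names and the edit-distance threshold of 2 are illustrative assumptions, not an exhaustive rule set.

```python
"""Triage helpers for HijackThis-style log lines (added example, not thread code).

Two defensive checks:
  1. the Winlogon Shell value should be exactly 'explorer.exe'; any trailing
     argument is passed to Explorer, which opens it as a folder at logon.
  2. autostart entries whose executable name matches or closely resembles a
     core Windows binary but lives outside %WINDIR%\\system32.
"""
import ntpath
import re

# Constructed sample: relevant lines copied from the thread's first log,
# plus two benign entries (ehtray, avgnt) that should produce no finding.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\RunServices: [CTFMON] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

# Assumption: a short illustrative list of core binaries that lookalike
# names tend to imitate; extend it for real use.
CORE_BINARIES = {"svchost", "csrss", "lsass", "smss", "winlogon", "services",
                 "explorer", "ctfmon", "spoolsv", "userinit"}

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_path(cmd: str) -> str:
    """Return the program path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def check_shell(value: str):
    """Flag a Winlogon Shell value that is anything other than bare explorer.exe."""
    parts = value.strip().split(" ", 1)
    if parts[0].lower() != "explorer.exe":
        return f"Shell is not explorer.exe: {value!r}"
    if len(parts) > 1:
        return f"Shell passes an argument to Explorer, opened as a folder at logon: {parts[1]}"
    return None


def check_lookalike(path: str):
    """Flag a system-binary-like name that does not live in %WINDIR%\\system32."""
    directory, filename = ntpath.split(path)
    stem = ntpath.splitext(filename)[0].lower()
    if directory.lower().rstrip("\\").endswith("\\system32"):
        return None
    for core in sorted(CORE_BINARIES):
        d = levenshtein(stem, core)
        if d <= 2:
            label = "matches" if d == 0 else f"resembles ({d} edits from)"
            return f"{path} {label} core binary {core}.exe but is outside system32"
    return None


def triage(log_text: str) -> list:
    """Run both checks over every line; return human-readable findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            f = check_shell(m.group(1))
            if f:
                findings.append(f)
            continue
        m = O4_RE.match(line)
        if m:
            f = check_lookalike(executable_path(m.group("cmd")))
            if f:
                findings.append(f"[{m.group('hive')} {m.group('name')}] {f}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it as a script to see the two findings; the `UserInit`, `ehTray`, system32 `ctfmon.exe` and Avira lines pass both checks. The lookalike check deliberately stays silent for a system-binary name that really is under system32, since that is where the genuine copies live; a real triage would add a hash or signature check on the flagged file rather than trusting the name at all.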

#2 hybrid_101 (Topic Starter, Members, 65 posts, Gender: Male, Location: Dublin Oh, USA)

Posted 23 December 2008 - 04:01 PM

I know it's like 2 days until Christmas, but

I had this spyware removed with Spybot, and when I removed it a trojan warning came up on my antivirus; I said access deny. My computer is running fine right now, but when I turn it on C:\Windows pops up on start up.

I had posted before but didn't get an answer for about 3 days, so I'm posting again with a newer HijackThis log.

Here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:52 PM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=66026
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66026
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Oturum Açma Yardim Araci - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [CTFMON] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1221428633968
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c95d216071fada) (gupdate1c95d216071fada) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9774 bytes

Edited by Orange Blossom, 23 December 2008 - 05:28 PM.
Merged topics. ~ OB


#3 ndmmxiaomayi (Ant, Malware Response Team, 266 posts, Location: Everywhere)

Posted 28 December 2008 - 03:04 AM

Hi hybrid_101,

Step 1

Please download DDS from Tech Support Forum and save it to your desktop.

Double click on dds to run it.

When done, DDS.txt will open. Another file, Attach.txt will open after a short while. Please save these 2 files to your desktop as they will be deleted once you close them.

Please attach Attach.txt in your next reply by scrolling down to Attachments and clicking on Browse....

An image is below for your reference: [image not preserved]

Step 2

Please download gmer.zip from Gmer and save it to your desktop.
  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
If you receive no notice, click on the Scan button.
  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.
Note: Do not run any programs while Gmer is running.

In your next reply, please post:
  • DDS.txt
  • Attach.txt (attached to this topic)
  • Gmer.txt


Done your best? Really?


#4 hybrid_101 (Topic Starter, Members, 65 posts, Gender: Male, Location: Dublin Oh, USA)

Posted 28 December 2008 - 10:05 AM

Hi ndmmxiaomayi,

Thank you for your help.

Here are the things that you wanted me to post.

DDS.txt


DDS (Version 1.1.0) - NTFSx86
Run by Bilerel at 8:28:37.71 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.477 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Fraps\fraps.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Bilerel\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66026
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=66026
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=66026
mWinlogon: Shell=explorer.exe "c:\windows\"
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Oturum Açma Yardim Araci: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp] Alaunch
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunServices: [CTFMON] c:\windows\scvhost.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\wireless 802.11g usb adapter\ZDWlan.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bilerel\applic~1\mozilla\firefox\profiles\517sngwc.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\bilerel\application data\mozilla\firefox\profiles\517sngwc.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-11-20 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-11-20 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-11-20 151297]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-11-20 52032]
S2 gupdate1c95d216071fada;Google Update Service (gupdate1c95d216071fada);"c:\program files\google\update\GoogleUpdate.exe" /svc [2008-12-13 133104]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.sys []

=============== Created Last 30 ================

2008-12-27 08:19 <DIR> --d----- C:\NVIDIA
2008-12-27 08:06 <DIR> --d----- c:\program files\SystemRequirementsLab
2008-12-26 19:30 <DIR> --d----- c:\docume~1\bilerel\applic~1\LimeWire
2008-12-26 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2008-12-26 15:07 <DIR> --d----- c:\windows\system32\xlive
2008-12-25 15:41 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-25 15:34 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2008-12-25 15:33 <DIR> --d----- c:\windows\Logs
2008-12-24 15:57 <DIR> --d----- c:\program files\eMule
2008-12-23 17:17 <DIR> --d----- c:\windows\pss
2008-12-23 14:24 <DIR> --d----- c:\docume~1\bilerel\applic~1\Pamela
2008-12-23 14:24 <DIR> --d----- c:\program files\Pamela
2008-12-23 12:52 <DIR> --d----- c:\program files\iCall
2008-12-21 21:57 118,784 a----r-- c:\windows\system32\P1110vfw.dll
2008-12-21 21:57 40,960 a----r-- c:\windows\P1110cfg.exe
2008-12-21 21:57 4,436 a----r-- c:\windows\P1110.uns
2008-12-21 21:57 90,357 a----r-- c:\windows\system32\drivers\P1110Vid.sys
2008-12-21 21:57 69,632 a----r-- c:\windows\system32\P1110ext.ax
2008-12-21 21:57 40,960 a----r-- c:\windows\system32\P1110hwx.dll
2008-12-21 21:57 32,768 a----r-- c:\windows\system32\P1110pin.dll
2008-12-21 21:57 32,768 a----r-- c:\windows\system32\p1110ext.crl
2008-12-21 21:57 24,576 a----r-- c:\windows\system32\P1110pin.crl
2008-12-21 21:57 24,576 a----r-- c:\windows\system32\P1110cfg.crl
2008-12-19 18:56 <DIR> --d----- C:\Fraps
2008-12-19 18:50 298 a------- c:\windows\thug2.ini
2008-12-18 16:15 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-14 20:07 61,200 a------- c:\windows\system32\x264vfw-uninstall.exe
2008-12-14 18:47 <DIR> --d----- C:\Tmp
2008-12-14 13:18 <DIR> --d----- c:\docume~1\bilerel\applic~1\uTorrent
2008-12-14 11:55 101 a------- c:\windows\delme.bat
2008-12-14 11:53 99,840 a------- c:\windows\KEYLOGGER.EXE
2008-12-14 11:53 43,008 a------- c:\windows\NTDETECT.DLL
2008-12-14 09:42 121,175 a------- c:\windows\system32\DefaultRemote.gcs
2008-12-14 09:42 4,246 a------- c:\windows\system32\ACMAP.gcf
2008-12-14 09:42 <DIR> --d----- c:\windows\system32\Remotes
2008-12-14 09:42 <DIR> --d----- c:\windows\system32\Profiles
2008-12-14 09:42 <DIR> --d----- c:\windows\system32\Media
2008-12-14 08:15 309,616 a------- c:\windows\system32\wmv8dmod.dll
2008-12-14 08:15 245,760 a------- c:\windows\system32\mp4sds32.ax
2008-12-14 08:15 420,240 a------- c:\windows\system32\mpg4c32.dll
2008-12-12 17:10 107,864 a------- c:\windows\system32\tsccvid.dll
2008-12-12 17:10 <DIR> --d----- c:\windows\system32\QuickTime
2008-12-12 17:10 <DIR> --d----- c:\program files\common files\TechSmith Shared
2008-12-05 17:00 765,952 a------- c:\windows\system32\xvidcore.dll
2008-12-05 17:00 77,824 a------- c:\windows\system32\xvid.ax
2008-12-05 17:00 180,224 a------- c:\windows\system32\xvidvfw.dll
2008-12-05 17:00 <DIR> --d----- c:\program files\Xvid
2008-11-29 06:41 2,294,291 a------- c:\windows\system32\x264vfw.dll
2008-11-28 13:19 <DIR> --d----- c:\program files\iPod
2008-11-28 13:19 <DIR> --d----- c:\program files\iTunes
2008-11-28 13:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-10-03 12:41 6,066,176 a------- c:\windows\system32\SETC4.tmp
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-10-02 17:50 81,920 a------- c:\windows\system32\frapsvid.dll
2008-10-02 10:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 8:29:09.23 ===============

Gmer.txt

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-28 09:40:09
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spbv.sys ZwCreateKey [0xF73700E0]
SSDT F7C2DEAC ZwCreateThread
SSDT spbv.sys ZwEnumerateKey [0xF738ECA2]
SSDT spbv.sys ZwEnumerateValueKey [0xF738F030]
SSDT spbv.sys ZwOpenKey [0xF73700C0]
SSDT F7C2DE98 ZwOpenProcess
SSDT F7C2DE9D ZwOpenThread
SSDT spbv.sys ZwQueryKey [0xF738F108]
SSDT spbv.sys ZwQueryValueKey [0xF738EF88]
SSDT spbv.sys ZwSetValueKey [0xF738F19A]
SSDT F7C2DEA7 ZwTerminateProcess
SSDT F7C2DEA2 ZwWriteVirtualMemory

INT 0x63 ? 8596DBF8
INT 0x63 ? 8596DBF8
INT 0x63 ? 8596DBF8
INT 0x73 ? 8596DBF8
INT 0x73 ? 8596DBF8
INT 0x73 ? 858D9BF8
INT 0x73 ? 8596DBF8
INT 0x82 ? 8596DBF8
INT 0xA4 ? 858D9BF8

---- Kernel code sections - GMER 1.0.14 ----

? spbv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F67FD8AC 5 Bytes JMP 858D91D8
.text as0w5d37.SYS F632F386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text as0w5d37.SYS F632F3AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text as0w5d37.SYS F632F3C4 3 Bytes [ 00, 70, 02 ]
.text as0w5d37.SYS F632F3C9 1 Byte [ 2E ]
.text as0w5d37.SYS F632F3CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[220] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 0427A68D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 0427A615 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 0427A711 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 0427A63D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 0427A6B8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 0427A662 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 0427A6E3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3248] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 0427A5ED C:\Program Files\Winamp\Plugins\gen_jumpex.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7371040] spbv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F737113C] spbv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73710BE] spbv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73717FC] spbv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73716D2] spbv.sys
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\as0w5d37.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8596C1F8
Device \FileSystem\Fastfat \FatCdrom 84B1E1F8
Device \Driver\usbohci \Device\USBPDO-0 858711F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 859DA1F8
Device \Driver\dmio \Device\DmControl\DmConfig 859DA1F8
Device \Driver\dmio \Device\DmControl\DmPnP 859DA1F8
Device \Driver\dmio \Device\DmControl\DmInfo 859DA1F8
Device \Driver\usbehci \Device\USBPDO-1 857971F8
Device \Driver\PCI_PNP9010 \Device\00000046 spbv.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8596E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8596E1F8
Device \Driver\Cdrom \Device\CdRom0 8578B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8596E1F8
Device \Driver\Cdrom \Device\CdRom1 8578B1F8
Device \Driver\USBSTOR \Device\00000080 854FA500
Device \Driver\USBSTOR \Device\00000081 854FA500
Device \Driver\NetBT \Device\NetBT_Tcpip_{2AFC1C9B-5C84-4867-80FB-8389B54B8495} 84B391F8
Device \Driver\USBSTOR \Device\00000082 854FA500
Device \Driver\NetBT \Device\NetBt_Wins_Export 84B391F8
Device \Driver\USBSTOR \Device\00000077 854FA500
Device \Driver\NetBT \Device\NetbiosSmb 84B391F8
Device \Driver\usbohci \Device\USBFDO-0 858711F8
Device \Driver\usbehci \Device\USBFDO-1 857971F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84B1F1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84B1F1F8
Device \Driver\sptd \Device\1210664010 spbv.sys
Device \Driver\Ftdisk \Device\FtControl 8596E1F8
Device \Driver\USBSTOR \Device\0000007f 854FA500
Device \Driver\as0w5d37 \Device\Scsi\as0w5d371 856D01F8
Device \Driver\as0w5d37 \Device\Scsi\as0w5d371Port6Path0Target0Lun0 856D01F8
Device \FileSystem\Fastfat \Fat 84B1E1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 85524500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x4D 0x84 0xB6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDF 0x4E 0x9E 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDF 0x1E 0x17 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x4D 0x84 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDF 0x4E 0x9E 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDF 0x1E 0x17 0x3D ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0xED 0xC5 0xCE 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{657720ce-f0ff-424a-8f26-e06015eb749f}@Model 292
Reg HKLM\SOFTWARE\Classes\CLSID\{657720ce-f0ff-424a-8f26-e06015eb749f}@Therad 5

---- EOF - GMER 1.0.14 ----

and the attach.txt is attached to the post

Thanks again for the help.
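The responder's next step in this thread is to pick out the files in the "Created Last 30" section that do not belong. As an added example (not code from the thread, from DDS or from BleepingComputer), here is a small Python triage script that parses those DDS lines and applies two defender-side rules: an executable created directly in the Windows directory (rather than under system32 or a program folder) is unusual, and a file whose name imitates a boot-time system file is worth a second look. The sample input is a subset of the entries from the log above; the Windows-directory path and the lookalike list are my own assumptions, and the output is a list of triage candidates, not verdicts (the P1110cfg.exe webcam configuration tool installed in the same minute as its driver shows why a human still has to read the list).

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the "Created Last 30" entries copied from the
# DDS log above, in the order DDS printed them (raw string, so backslashes are literal).
SAMPLE_LOG = r"""
2008-12-27 08:19 <DIR> --d----- C:\NVIDIA
2008-12-25 15:41 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-21 21:57 118,784 a----r-- c:\windows\system32\P1110vfw.dll
2008-12-21 21:57 40,960 a----r-- c:\windows\P1110cfg.exe
2008-12-21 21:57 4,436 a----r-- c:\windows\P1110.uns
2008-12-21 21:57 90,357 a----r-- c:\windows\system32\drivers\P1110Vid.sys
2008-12-19 18:50 298 a------- c:\windows\thug2.ini
2008-12-14 11:55 101 a------- c:\windows\delme.bat
2008-12-14 11:53 99,840 a------- c:\windows\KEYLOGGER.EXE
2008-12-14 11:53 43,008 a------- c:\windows\NTDETECT.DLL
2008-12-14 09:42 <DIR> --d----- c:\windows\system32\Remotes
2008-12-14 08:15 309,616 a------- c:\windows\system32\wmv8dmod.dll
"""

# DDS line layout: "<date> <time> <size-or-<DIR>> <attribute flags> <path>"
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$')

@dataclass
class Entry:
    when: str
    is_dir: bool
    size: int
    attrs: str
    path: str

def parse_created_last_30(text):
    """Turn the DDS 'Created Last 30' lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        is_dir = size == '<DIR>'
        entries.append(Entry(when, is_dir, 0 if is_dir else int(size.replace(',', '')), attrs, path))
    return entries

EXEC_EXT = {'.exe', '.dll', '.sys', '.bat', '.cmd', '.com', '.scr', '.pif'}

# Assumed lookalike list: names that imitate Windows files but sit in the wrong place or
# carry the wrong extension. NTDETECT.COM is a boot-time file in the root of the system
# drive; scvhost.exe is a typo-squat of svchost.exe (it appears in the OTMoveIt3 script
# later in this thread).
LOOKALIKES = {
    'ntdetect': 'mimics NTDETECT.COM, which lives in the root of the system drive',
    'scvhost': 'typo-squat of svchost.exe',
}

def flag_suspicious(entries, windir='c:\\windows'):
    """Return (path, reason) pairs for entries that match one of the triage rules."""
    windir = windir.lower()
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        parent, _, name = e.path.lower().rpartition('\\')
        stem, dot, ext = name.rpartition('.')
        if not dot:
            stem, ext = name, ''
        else:
            ext = '.' + ext
        if parent == windir and ext in EXEC_EXT:
            findings.append((e.path, 'executable created directly in the Windows directory'))
        if stem in LOOKALIKES:
            findings.append((e.path, LOOKALIKES[stem]))
    return findings

if __name__ == '__main__':
    for path, reason in flag_suspicious(parse_created_last_30(SAMPLE_LOG)):
        print(f'{path}: {reason}')
```

Run against the sample, the script lists P1110cfg.exe, delme.bat, KEYLOGGER.EXE and NTDETECT.DLL under the first rule and NTDETECT.DLL again under the lookalike rule, which is the same set the responder goes on to submit to Virus Total and remove.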

#5 ndmmxiaomayi (Ant, Malware Response Team, 266 posts, Location: Everywhere)

Posted 28 December 2008 - 11:01 AM

Hi hybrid_101,

Step 1

Please go to Virus Total or VirSCAN and upload c:\windows\KEYLOGGER.EXE for scanning.

For Virus Total
  • Please copy and paste c:\windows\KEYLOGGER.EXE in the text box next to the Browse button.
  • Click on Send File.
For VirScan
  • Copy and paste c:\windows\KEYLOGGER.EXE into the text box next to the Browse... button.
  • Click on Upload.
  • The file will be uploaded and scanned. This will take some time. Please be patient.
  • When done, the page will be refreshed.
  • Please copy and paste the scan results of this file in your next reply.
Repeat for this file - c:\windows\NTDETECT.DLL

Step 2

Please download DirLook by jpshortstuff from one of the following links:

From 247fixes
From Malware Removal
From Security Cadets

Save it to your desktop.
  • Double click on DirLook.exe to run it.
  • Copy and paste the following in the Code box into Notepad:

    c:\windows\system32\Remotes /s
    c:\windows\system32\Profiles /s
    c:\windows\system32\Media /s
  • Ensure that the Show hidden files/folders and BBCode Output boxes are checked.
  • Click on DirLook.
  • A log will be produced in a short while. Please post this log in your next reply.
In your next reply, please post:
  • Virus Total or VirScan results of the 2 files
  • DirLook report (C:\DirLook.txt)


Done your best? Really?


#6 hybrid_101 (Topic Starter, Members, 65 posts, Location: Dublin Oh, USA)

Posted 28 December 2008 - 12:16 PM

Hi, ndmmxiaomayi

Here is the KEYLOGGER.EXE scan with Virus Total:

File KEYLOGGER.EXE received on 12.28.2008 17:41:01 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.28 -
AhnLab-V3 2008.12.25.0 2008.12.27 Win-Trojan/Celofot.96256
AntiVir 7.9.0.45 2008.12.28 -
Authentium 5.1.0.4 2008.12.28 -
Avast 4.8.1281.0 2008.12.27 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2008.12.28 -
BitDefender 7.2 2008.12.28 Backdoor.Celofot.D
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.28 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.28 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.28 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 -
Fortinet 3.117.0.0 2008.12.28 -
GData 19 2008.12.28 Backdoor.Celofot.D
Ikarus T3.1.1.45.0 2008.12.28 -
K7AntiVirus 7.10.568 2008.12.27 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.12.28 -
McAfee 5477 2008.12.28 -
McAfee+Artemis 5477 2008.12.28 -
Microsoft 1.4205 2008.12.28 -
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.28 Suspicious file
PCTools 4.4.2.0 2008.12.28 -
Prevx1 V2 2008.12.28 Worm
Rising 21.09.62.00 2008.12.28 -
SecureWeb-Gateway 6.7.6 2008.12.28 -
Sophos 4.37.0 2008.12.28 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.28 -
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.28 -
Additional information
File size: 99840 bytes
MD5...: 2ec9cf2539470addb3a17db8e7a3a6c4
SHA1..: a1ca580d5d5bd4d662834be7cdd576719d984602
SHA256: 7ef2d7310230092696a98602fc94f5224db4c4ace8447a5933beabc715677dc5
SHA512: ce95c72fcafcd72cc103b5d48fd48ec1b4b4318ec12bcfb100d7512646053a65
e79ff45df913495f1b8a581250493373bd25133d53368f49bea004fd5dae2028
ssdeep: 3072:P1of81SKPma76RJkGD2RrL2bYtY9opk7:9P1hsH4wo
PEiD..: -
TrID..: File type identification
Win32 Executable Borland Delphi 6 (92.2%)
Win32 Executable Generic (2.9%)
Win32 Dynamic Link Library (generic) (2.6%)
Win16/32 Executable Delphi generic (0.7%)
Generic Win/DOS Executable (0.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x414680
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x13c70 0x13e00 6.46 3024e94a6454d6776a26c4cbf54fc8cb
DATA 0x15000 0x59c 0x600 4.06 f28dbe474a0329dc363621275f762b5d
BSS 0x16000 0xa31 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x17000 0xd5c 0xe00 4.61 8549f7ff4de11f3d136ced4d8399e667
.tls 0x18000 0xc 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x19000 0x18 0x200 0.20 1fd24aba918542b4b6858f0921c45ee2
.reloc 0x1a000 0x18e8 0x1a00 6.57 2646f4a6c9d4d332df816bc5d07e46ac
.rsrc 0x1c000 0x1400 0x1400 1.58 65d8ec8a0d309ced1ae8d077cebfaa22

( 12 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: RegSetValueExA, RegDeleteKeyA, RegCreateKeyA, RegCloseKey
> kernel32.dll: WriteFile, WaitForSingleObject, VirtualQuery, SizeofResource, SetFilePointer, SetEvent, SetEndOfFile, ResetEvent, ReadFile, OpenProcess, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryA, GetVersionExA, GetThreadLocale, GetTempPathA, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCPInfo, GetACP, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, EnumResourceNamesA, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateProcessA, CreateMutexA, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> user32.dll: TranslateMessage, SetTimer, MessageBoxA, LoadStringA, GetWindowThreadProcessId, GetSystemMetrics, GetMessageA, FindWindowA, DispatchMessageA, CharNextA, CharToOemA
> wsock32.dll: WSAStartup, socket, send, inet_addr, htons, connect, closesocket
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> secur32.dll: GetUserNameExA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=0374361400B5522B8624012AC50B05005E8F0CAA

and here is the NTDETECT.DLL scan with Virus Total:

File NTDETECT.DLL received on 12.28.2008 18:08:14 (CET)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.28 -
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.28 -
Authentium 5.1.0.4 2008.12.28 -
Avast 4.8.1281.0 2008.12.27 -
AVG 8.0.0.199 2008.12.28 -
BitDefender 7.2 2008.12.28 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.28 -
Comodo 834 2008.12.28 -
DrWeb 4.44.0.09170 2008.12.28 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.28 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 -
Fortinet 3.117.0.0 2008.12.28 -
GData 19 2008.12.28 -
Ikarus T3.1.1.45.0 2008.12.28 -
K7AntiVirus 7.10.568 2008.12.27 -
Kaspersky 7.0.0.125 2008.12.28 -
McAfee 5477 2008.12.28 -
McAfee+Artemis 5477 2008.12.28 -
Microsoft 1.4205 2008.12.28 -
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.28 Suspicious file
PCTools 4.4.2.0 2008.12.28 -
Prevx1 V2 2008.12.28 -
Rising 21.09.62.00 2008.12.28 -
SecureWeb-Gateway 6.7.6 2008.12.28 -
Sophos 4.37.0 2008.12.28 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.28 -
TheHacker 6.3.1.4.201 2008.12.28 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.28 -
Additional information
File size: 43008 bytes
MD5...: b8f19692623db7682cf321a5c1fc2102
SHA1..: bb6390fd630e178fa98bd0887aaa900d9df6c2a9
SHA256: e59f45dfbdb48b606881baaf562580cc4c9e8a710d7c66f90d841d95d267d1b8
SHA512: 972cbaadbd08406cc9c8f21ebb005401f8b8ecb10292020596797012125d4f68
bd4fa86f010679b553e0306789a841f64a78fecb98ff2a51c162515f3a3cf983
ssdeep: 768:TClq5QaS7wD9haPwJHg6Ku9L9fzjBtHG9oWo7BvrBtTAySzj8x:Wlq5QaSs4
Ytgeza5azNAjzQx
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x408894
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x78cc 0x7a00 6.42 31dfa02d2eda421e21d481d5330306ef
DATA 0x9000 0x410 0x600 2.95 6e6fa163fa20f248d43fd02291898c5c
BSS 0xa000 0x98d 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xb000 0x7ee 0x800 4.58 a61fcf997bcfd340c2e24b1225c6af4d
.edata 0xc000 0x62 0x200 0.98 9d088f7108a9ef7f0e41986c7ba151c9
.reloc 0xd000 0xc00 0xc00 6.54 65e603d25d9188fdc8c0830d715f1340
.rsrc 0xe000 0xe00 0xe00 3.18 e9f148d2c294dd42e147852eae92c6ad

( 7 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString
> kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
> kernel32.dll: WriteFile, VirtualQuery, GetVersionExA, GetThreadLocale, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetDiskFreeSpaceA, GetCPInfo, GetACP, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA
> user32.dll: UnhookWindowsHookEx, ToAscii, SetWindowsHookExA, MessageBoxA, LoadStringA, GetWindowTextLengthA, GetWindowTextA, GetSystemMetrics, GetKeyboardState, GetForegroundWindow, CallNextHookEx, CharNextA, CharToOemA

( 2 exports )
StartTheHook, StopTheHook
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=b8f19692623db7682cf321a5c1fc2102

and here is the DirLook scan log:

DirLook.exe v2.0 by jpshortstuff
Log created at 12:12 on 28/12/2008
==================================
Contents of "c:\windows\system32\Remotes"

---FOLDERS---

(none found)

---FILES---

(none found)

==================================
Contents of "c:\windows\system32\Profiles"

---FOLDERS---

(none found)

---FILES---

(none found)

==================================
Contents of "c:\windows\system32\Media"

---FOLDERS---

Screen Shots (Created on 14/12/2008 at 14:42) d-----
Videos (Created on 14/12/2008 at 14:42) d-----

---FILES---

(none found)

---Sub-Directories---

c:\windows\system32\Media\Screen Shots


c:\windows\system32\Media\Videos


==================================
=EOF=
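The two Virus Total reports above make a point worth drawing out: NTDETECT.DLL got only a single "Suspicious file" verdict from 39 engines, yet its import list (SetWindowsHookExA, GetKeyboardState, ToAscii, CallNextHookEx, GetForegroundWindow) and its exports (StartTheHook, StopTheHook) describe a keyboard hook, and KEYLOGGER.EXE imports the wsock32 calls needed to open an outbound connection plus the advapi32 calls needed to write registry keys. As an added example (not code from the thread, from Virus Total or from BleepingComputer), here is a Python script that parses the "imports" and "exports" sections of such a report and maps import combinations to coarse capabilities. The report text embedded below is an excerpt of the two reports above with the long kernel32 lines trimmed to the calls the rules use; the rule table is my own assumption and is deliberately conservative (every call in a rule must be present).

```python
import re
from collections import defaultdict

# Constructed excerpt of the "( N imports )" / "( N exports )" sections of the two
# Virus Total reports posted above; kernel32/user32 lines trimmed to the calls used here.
KEYLOGGER_EXE_REPORT = """\
( 12 imports )
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> advapi32.dll: RegSetValueExA, RegDeleteKeyA, RegCreateKeyA, RegCloseKey
> kernel32.dll: WriteFile, OpenProcess, GetWindowsDirectoryA, CreateProcessA, CreateMutexA, CreateFileA
> user32.dll: TranslateMessage, SetTimer, GetWindowThreadProcessId, FindWindowA, DispatchMessageA
> wsock32.dll: WSAStartup, socket, send, inet_addr, htons, connect, closesocket
> secur32.dll: GetUserNameExA

( 0 exports )
"""

NTDETECT_DLL_REPORT = """\
( 7 imports )
> kernel32.dll: WriteFile, GetLocalTime, GetModuleFileNameA, FileTimeToLocalFileTime
> user32.dll: UnhookWindowsHookEx, ToAscii, SetWindowsHookExA, GetWindowTextA, GetKeyboardState, GetForegroundWindow, CallNextHookEx

( 2 exports )
StartTheHook, StopTheHook
"""

IMPORT_RE = re.compile(r'^>\s*([\w.]+):\s*(.*)$')
EXPORTS_RE = re.compile(r'^\(\s*(\d+) exports\s*\)$')

def parse_report(text):
    """Return ({dll: set(functions)}, [exports]). Repeated DLL lines are merged."""
    imports = defaultdict(set)
    exports = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = IMPORT_RE.match(line.strip())
        if m:
            dll, funcs = m.groups()
            imports[dll.lower()].update(f.strip() for f in funcs.split(',') if f.strip())
            continue
        m = EXPORTS_RE.match(line.strip())
        if m and int(m.group(1)) > 0 and i + 1 < len(lines):
            exports = [e.strip() for e in lines[i + 1].split(',') if e.strip()]
    return dict(imports), exports

# Assumed rule table: (capability, dll, imports that must ALL be present).
RULES = [
    ('keyboard hook', 'user32.dll', {'SetWindowsHookExA', 'CallNextHookEx'}),
    ('keystroke decoding', 'user32.dll', {'GetKeyboardState', 'ToAscii'}),
    ('active-window tracking', 'user32.dll', {'GetForegroundWindow', 'GetWindowTextA'}),
    ('outbound TCP connection', 'wsock32.dll', {'socket', 'connect', 'send'}),
    ('registry write (possible persistence)', 'advapi32.dll', {'RegCreateKeyA', 'RegSetValueExA'}),
    ('process creation', 'kernel32.dll', {'CreateProcessA'}),
]

def capabilities(imports):
    """Names of the rules whose every required import is present, in RULES order."""
    return [name for name, dll, needed in RULES if needed <= imports.get(dll, set())]

def triage(text):
    imports, exports = parse_report(text)
    return {
        'capabilities': capabilities(imports),
        'exports': exports,
        # Exported names mentioning "hook" are a second hint that the DLL installs one.
        'hook_exports': [e for e in exports if 'hook' in e.lower()],
    }

if __name__ == '__main__':
    for label, report in (('KEYLOGGER.EXE', KEYLOGGER_EXE_REPORT), ('NTDETECT.DLL', NTDETECT_DLL_REPORT)):
        print(label, triage(report))
```

The split of capabilities between the two files (hooking in the DLL, networking and registry writes in the EXE) is consistent with the EXE loading the DLL and calling its exported StartTheHook, which is why the responder removes both rather than only the file the engines flagged.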

#7 ndmmxiaomayi (Ant, Malware Response Team, 266 posts, Location: Everywhere)

Posted 28 December 2008 - 12:52 PM

Hi hybrid_101,
  • Please download OTMoveIt3.exe from Geeks to Go and save it to your desktop.
  • Double click on OTMoveIt3.exe to run it.
  • Please copy and paste the following in the Code box into OTMoveIt3 (1).

    Warning: Do not type it out to prevent any typo errors and damaging your machine.

    :Services
    BW2NDIS5
    :Files
    c:\windows\delme.bat
    c:\windows\KEYLOGGER.EXE
    c:\windows\system32\Remotes
    c:\windows\system32\Profiles
    c:\windows\system32\Media
    C:\windows\NTDETECT.DLL
    c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    c:\windows\scvhost.exe
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
    "Shell"="Explorer.exe"
    "Userinit"="C:\\Windows\\system32\\userinit.exe,"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "CTFMON"=-
    [-HKEY_CLASSES_ROOT\CLSID\{C7768536-96F8-4001-B1A2-90EE21279187}]
    [-HKEY_CLASSES_ROOT\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}]
    [-HKEY_CLASSES_ROOT\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
    [EmptyTemp]

    Please refer to this image to use OTMoveIt3.

  • Click on MoveIt! (2)
  • Click Exit (3) when done.
  • A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Please post this log in your next reply.


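The :Reg section of the OTMoveIt3 script above resets the Winlogon Shell and Userinit values, which malware commonly appends a program to so that it starts with every logon. As an added example (not code from the thread, from OTMoveIt3 or from BleepingComputer), here is a Python check that compares those two values against their Windows XP defaults and reports any extra entry. Windows keeps both as string values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (a documented location, not something taken from the thread); the Windows directory path and the tampered sample values are my own constructed assumptions, and the live read only runs on Windows.

```python
import re
import sys

# Registry key holding the Shell and Userinit values (documented Windows location).
WINLOGON_KEY = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

def _entries(name, raw):
    # Shell is a space-separated program list; Userinit is comma-separated and its
    # default value ends with a trailing comma.
    parts = re.split(r'[,\s]+', raw) if name == 'Shell' else raw.split(',')
    return [p.strip().lower() for p in parts if p.strip()]

def check_winlogon(values, windir=r'C:\WINDOWS'):
    """values: {'Shell': str, 'Userinit': str} as read from the registry.
    Returns [(value_name, unexpected_entry), ...]; an empty list means both values
    hold only their Windows XP defaults. A missing value is reported as '<missing>'."""
    expected = {
        'Shell': {'explorer.exe'},
        'Userinit': {(windir + r'\system32\userinit.exe').lower()},
    }
    findings = []
    for name, allowed in expected.items():
        raw = values.get(name)
        if raw is None:
            findings.append((name, '<missing>'))
            continue
        findings.extend((name, e) for e in _entries(name, raw) if e not in allowed)
    return findings

def read_winlogon_values():
    """Read the live values with winreg on Windows; returns None on other platforms."""
    if sys.platform != 'win32':
        return None
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ('Shell', 'Userinit'):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return out

if __name__ == '__main__':
    # Constructed samples: the defaults, then values with one extra program appended
    # to each (scvhost.exe is the name the OTMoveIt3 script above looks for).
    clean = {'Shell': 'Explorer.exe', 'Userinit': r'C:\WINDOWS\system32\userinit.exe,'}
    tampered = {'Shell': r'Explorer.exe C:\WINDOWS\scvhost.exe',
                'Userinit': r'C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\KEYLOGGER.EXE'}
    for label, vals in (('clean', clean), ('tampered', tampered), ('live', read_winlogon_values())):
        if vals is not None:
            print(label, check_winlogon(vals) or 'defaults only')
```

Any entry the check reports is a program that runs at every logon; it is the first thing to look at when a machine keeps re-infecting or, as in this thread, keeps doing something odd at start up after the obvious file has been removed.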

#8 hybrid_101 (Topic Starter, Members, 65 posts, Location: Dublin Oh, USA)

Posted 28 December 2008 - 01:08 PM

Hi, ndmmxiaomayi

Here is the OTMoveIt log:

========== SERVICES/DRIVERS ==========
Service BW2NDIS5 stopped successfully.
Service BW2NDIS5 deleted successfully.
========== FILES ==========
c:\windows\delme.bat moved successfully.
c:\windows\KEYLOGGER.EXE moved successfully.
c:\windows\system32\Remotes moved successfully.
c:\windows\system32\Profiles moved successfully.
c:\windows\system32\Media\Videos moved successfully.
c:\windows\system32\Media\Screen Shots moved successfully.
c:\windows\system32\Media moved successfully.
DllUnregisterServer procedure not found in C:\windows\NTDETECT.DLL
C:\windows\NTDETECT.DLL NOT unregistered.
C:\windows\NTDETECT.DLL moved successfully.
c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86 moved successfully.
c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86 moved successfully.
c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} moved successfully.
File/Folder c:\windows\scvhost.exe not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell\\"Shell"|"Explorer.exe" /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell\\"Userinit"|"C:\\Windows\\system32\\userinit.exe," /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\\CTFMON deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{C7768536-96F8-4001-B1A2-90EE21279187}\\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}\\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\\ not found.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12282008_130614

#9 ndmmxiaomayi (Ant, Malware Response Team, 266 posts, Location: Everywhere)

Posted 28 December 2008 - 01:13 PM

Hi hybrid_101,

Remove old versions of Java Runtime Environment (JRE)

Older versions of JRE are vulnerable to exploits. To prevent such exploits, it would be in your best interest to remove them.
  • Click on Start > Control Panel and double click on Add/Remove Programs. Locate J2SE Runtime Environment 5.0 Update 5 and click on Change/Remove to uninstall it.
  • Repeat for this old version of JRE: Java™ 6 Update 7
  • Close Add/Remove Programs and Control Panel when done.
Run an online scan

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases


  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.



#10 hybrid_101 (Topic Starter, Members, 65 posts, Location: Dublin Oh, USA)

Posted 28 December 2008 - 04:46 PM

Yeah, I scanned and here's the log (although it found nothing):

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 17:01:18
Records in database: 1525092
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 95496
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:45:53

No malware has been detected. The scan area is clean.

The selected area was scanned.

Edited by hybrid_101, 28 December 2008 - 06:56 PM.


#11 ndmmxiaomayi

ndmmxiaomayi

    Ant


  • Malware Response Team
  • 266 posts
  • Location:Everywhere

Posted 29 December 2008 - 08:37 AM

That looks good.

Any other issues?

Done your best? Really?


#12 hybrid_101

hybrid_101
  • Topic Starter

  • Members
  • 65 posts
  • Gender:Male
  • Location:Dublin Oh, USA

Posted 29 December 2008 - 08:40 AM

Yeah, C:\Windows still comes up on start up.

#13 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 29 December 2008 - 12:30 PM

hybrid_101,

ndmmxiaomayi is having some computer issues of her own so I'm going to see if I can help you.

Can you explain what you mean by "C:\Windows still comes up on start up"? Is it in a window of some sort?

Also, please post me a new HijackThis log.

#14 hybrid_101

hybrid_101
  • Topic Starter

  • Members
  • 65 posts
  • Gender:Male
  • Location:Dublin Oh, USA

Posted 29 December 2008 - 12:50 PM

Hi, Tomk_

Sorry to hear about ndmmxiaomayi's computer issue, I hope she can fix it.

Just to recap, here is the problem:
For some reason, after I erased (or I thought I erased) a piece of malware using Spybot, the C:\WINDOWS folder started to open on start up. Also, when I erased that trojan, for some reason my Avira AntiVir had a virus alert.

Anyway, here is the new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:13 PM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Fraps\fraps.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=66026
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66026
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Oturum Açma Yardim Araci - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1221428633968
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c95d216071fada) (gupdate1c95d216071fada) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10009 bytes

and thanks for your help
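The log above contains the line that matches the symptom described in this thread: "F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\"". HijackThis reports the Winlogon Shell and UserInit values under F2; the default Shell value is the bare "explorer.exe", and when Explorer is started with a folder path as an argument it opens that folder at every logon, which is exactly a C:\WINDOWS window appearing on start up. Because Shell and UserInit are a well-known place for malware to persist or to add an extra program, a responder reading a log would want any deviation from the defaults flagged automatically. The script below is an added example, not code from this thread or from HijackThis: it parses the F2 lines from a constructed sample written in the HijackThis line format, reports a Shell value that carries extra arguments or names a different program, and reports any UserInit entry other than userinit.exe in the system directory. The expected userinit path assumes a default install with the system root at C:\WINDOWS.

```python
"""Flag suspicious Winlogon Shell / UserInit values in a HijackThis log.

Added example for the thread above; it is not part of HijackThis or of any
post in the thread. HijackThis reports the two values as
'F2 - REG:system.ini: Shell=...' and 'F2 - REG:system.ini: UserInit=...'.
"""
import re
from typing import Dict, List

# Constructed sample in the HijackThis line format: the Shell entry carries a
# folder path as an extra argument, UserInit is the default, and one O4 line
# is included to show that the parser ignores other sections.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=explorer.exe "C:\\WINDOWS\\"
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
"""

F2_LINE = re.compile(r"^F2 - REG:system\.ini: (?P<key>\w+)=(?P<value>.*)$")

# Defaults for a standard Windows XP install with the system root at
# C:\WINDOWS (assumption; adjust if the machine differs).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_f2(log: str) -> Dict[str, str]:
    """Return {key_lowercase: raw_value} for every F2 system.ini line."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        match = F2_LINE.match(line.strip())
        if match:
            entries[match.group("key").lower()] = match.group("value").strip()
    return entries


def check_shell(shell: str) -> List[str]:
    """The Shell value should be exactly 'explorer.exe' with no arguments."""
    if shell.lower() == EXPECTED_SHELL:
        return []
    program, _, extra = shell.partition(" ")
    if program.lower() == EXPECTED_SHELL and extra.strip():
        return [f"Shell: explorer.exe started with extra argument {extra.strip()}; "
                "Explorer opens that path at every logon"]
    return [f"Shell: unexpected shell program {shell!r}"]


def check_userinit(userinit: str) -> List[str]:
    """UserInit is comma separated; every entry must be the real userinit.exe."""
    findings: List[str] = []
    for entry in userinit.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() != EXPECTED_USERINIT:
            findings.append(f"UserInit: unexpected program {entry!r}")
    return findings


def check_f2(entries: Dict[str, str]) -> List[str]:
    """Run both checks over the parsed F2 entries; an empty list means clean."""
    findings: List[str] = []
    if "shell" in entries:
        findings += check_shell(entries["shell"])
    if "userinit" in entries:
        findings += check_userinit(entries["userinit"])
    return findings


def scan_log(log: str) -> List[str]:
    """Convenience wrapper: parse a full HijackThis log and return findings."""
    return check_f2(parse_f2(log))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG) or ["F2 entries look normal"]:
        print(finding)
```

Running the script on the constructed sample reports the Shell entry only; the UserInit line passes. The check deliberately treats anything beyond the bare program name as a finding rather than trying to decide whether the argument is harmless, because the point of the F2 section is that these values should not have been changed at all.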

#15 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 29 December 2008 - 01:33 PM

hybrid_101,

i hope she can fix it

I think it is an ISP problem so she is at their mercy.

I believe I see the problem. Let's try this the easy way first.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Then

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.