
Need someone to look at HJT log and let me know of any problems


4 replies to this topic

#1 Breowolf
Posted 02 January 2009 - 06:56 AM

Hello everyone and thanks in advance for any help you can give me, it's greatly appreciated.

Breowolf

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:58 AM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: milehighads - {cd5d6602-5fef-61f9-479f-44fcff69cc2f} - C:\WINDOWS\system32\nsy115.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ricky Vernon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204240759359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204240993984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7299 bytes
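A small triage helper, added here as an example and not part of the original post: it parses HijackThis v2.0.2 entries in the format of the log above into structured records and flags the ones a log reviewer checks first (objects whose file is missing, AppInit_DLLs values, services with no publisher string, BHO DLLs sitting directly in system32). The sample lines are copied from the log above; the function names and the flagging rules are this example's own review heuristics, not verdicts about this machine.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis v2.0.2 log above,
# in the same "<code> - <body>" layout (raw string, so backslashes stay as-is).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: milehighads - {cd5d6602-5fef-61f9-479f-44fcff69cc2f} - C:\WINDOWS\system32\nsy115.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_BODY = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    code: str           # HijackThis section code, e.g. "O2"
    body: str           # text after the "<code> - " prefix
    name: str = ""      # BHO/toolbar/service/Run-value name
    clsid: str = ""     # {GUID} for O2/O3/O9 entries
    company: str = ""   # publisher string for O23 services
    path: str = ""      # file path, command line, or "(no file)"


def parse_entry(line: str):
    """Parse one log line into an Entry, or None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    e = Entry(code=m.group("code"), body=m.group("body"))
    if e.code in ("O2", "O3", "O9"):
        # "<kind>: <name> - {CLSID} - <path>"; split from the right so a
        # name containing " - " does not break the CLSID/path fields
        parts = e.body.rsplit(" - ", 2)
        e.name = parts[0].split(": ", 1)[-1]
        if len(parts) == 3:
            e.clsid, e.path = parts[1], parts[2]
    elif e.code == "O4":
        # "<hive>\..\Run: [<name>] <command>"
        m4 = O4_BODY.match(e.body)
        if m4:
            e.name, e.path = m4.group("name"), m4.group("cmd")
    elif e.code == "O20":
        # "AppInit_DLLs: <dll list>"
        e.name = e.path = e.body.split(": ", 1)[-1].strip()
    elif e.code == "O23":
        # "Service: <name> - <company> - <path>"
        parts = e.body.rsplit(" - ", 2)
        e.name = parts[0].split(": ", 1)[-1]
        if len(parts) == 3:
            e.company, e.path = parts[1], parts[2]
    return e


def parse_log(text: str):
    """All recognised entries of a HijackThis log, in file order."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def review_flags(entries):
    """Pair each entry worth a closer look with the reason (review heuristics, not verdicts)."""
    flags = []
    for e in entries:
        if e.code in ("O2", "O3", "O9") and e.path == "(no file)":
            flags.append((e, "registered object whose file is missing: orphaned entry"))
        elif e.code == "O2" and re.search(r"\\system32\\", e.path, re.I):
            flags.append((e, "BHO DLL sits directly in system32 rather than under Program Files: check the publisher"))
        elif e.code == "O20" and e.path:
            flags.append((e, "AppInit_DLLs is loaded into every process that loads user32.dll: confirm the DLL's vendor"))
        elif e.code == "O23" and e.company == "Unknown owner":
            flags.append((e, "service binary has no publisher string: verify the file"))
    return flags


if __name__ == "__main__":
    for entry, reason in review_flags(parse_log(SAMPLE_LOG)):
        print(f"{entry.code:<4}{entry.name}: {reason}")
```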


#2 Thunder
Posted 03 January 2009 - 05:17 PM

Hello Breowolf and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin:
  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

#3 Breowolf
Posted 03 January 2009 - 06:43 PM

Thanks for the help, did as you said and here is the ComboFix log text.

ComboFix 09-01-02.01 - Ricky Vernon 2009-01-03 18:35:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1520 [GMT -5:00]
Running from: c:\wowaddons\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ricky Vernon\Localdir
c:\documents and settings\Ricky Vernon\Localdir\Setup.zip
c:\documents and settings\Ricky Vernon\Localdir\winlogo.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 13:34 . 2009-01-02 13:34 <DIR> d-------- c:\documents and settings\Ricky Vernon\Application Data\Leadertech
2009-01-02 13:34 . 2009-01-02 21:26 183,112 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-02 13:34 . 2009-01-02 21:26 138,184 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-02 13:34 . 2009-01-02 21:26 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-02 08:06 . 2009-01-02 08:06 <DIR> d-------- c:\windows\kdefense
2009-01-02 08:06 . 2009-01-02 08:06 846,336 --a------ c:\windows\system32\kdfinj.dll
2009-01-02 08:06 . 2009-01-03 18:26 722,472 --a------ c:\windows\system32\kdfmgr.exe
2009-01-02 08:06 . 2009-01-03 18:26 192,512 --a------ c:\windows\system32\kdfvmgr.exe
2009-01-02 08:06 . 2009-01-03 18:26 77,824 --a------ c:\windows\system32\kdfapi.dll
2009-01-02 08:06 . 2009-01-03 18:26 53,248 --a------ c:\windows\system32\Kdfhok.dll
2009-01-02 07:58 . 2009-01-02 07:58 <DIR> d-------- c:\windows\LocalSSL
2009-01-02 07:57 . 2009-01-02 08:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-02 07:57 . 2009-01-02 07:52 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-02 07:57 . 2009-01-02 07:52 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-02 07:57 . 2009-01-02 07:52 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-02 07:52 . 2009-01-02 07:52 1,195,448 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-02 07:52 . 2009-01-02 07:52 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-01-02 07:52 . 2009-01-02 07:52 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-01-02 07:52 . 2009-01-02 07:52 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-02 07:52 . 2009-01-02 07:52 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-01-02 07:52 . 2009-01-02 07:52 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-02 07:47 . 2009-01-02 07:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-02 07:39 . 2009-01-02 07:39 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-01-02 06:37 . 2009-01-02 07:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 06:27 . 2009-01-02 06:27 147,456 --a------ c:\windows\system32\vbzip10.dll
2009-01-01 19:23 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-01-01 19:23 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-01-01 19:23 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-01-01 19:23 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-01-01 19:23 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-01-01 19:23 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-01-01 19:23 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-01-01 19:20 . 2009-01-01 19:20 5,120 --ahs---- c:\windows\Thumbs.db
2009-01-01 19:20 . 2009-01-01 22:21 4,608 --ahs---- c:\windows\system32\Thumbs.db
2008-12-30 16:05 . 2008-12-30 16:06 <DIR> d-------- c:\program files\Doom 3 Demo
2008-12-29 12:19 . 2008-12-29 12:19 <DIR> d-------- c:\program files\Google
2008-12-28 00:23 . 2008-12-28 00:23 <DIR> d-------- C:\Absolution
2008-12-27 19:01 . 2008-12-29 17:38 <DIR> d-------- c:\documents and settings\Ricky Vernon\Application Data\SPORE Creature Creator
2008-12-27 19:00 . 2008-12-27 19:00 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-27 18:59 . 2008-12-27 18:59 <DIR> d-------- C:\ProgramData
2008-12-27 18:59 . 2008-12-27 19:03 9,444 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-25 08:26 . 2008-12-25 08:26 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-25 05:54 . 2009-01-02 12:45 69 --a------ c:\windows\NeroDigital.ini
2008-12-24 19:54 . 2008-12-24 19:55 <DIR> d-------- c:\documents and settings\Ricky Vernon\Application Data\Nero
2008-12-24 19:39 . 2009-01-02 06:28 <DIR> d-------- C:\Incomplete
2008-12-24 19:37 . 2008-12-24 19:37 4,767 --a------ c:\windows\Irremote.ini
2008-12-24 19:23 . 2008-12-24 19:36 <DIR> d-------- c:\program files\Nero
2008-12-24 19:22 . 2008-12-24 19:50 <DIR> d-------- c:\program files\Common Files\Nero
2008-12-24 19:22 . 2008-12-24 19:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-24 12:25 . 2008-12-24 12:25 53,958 --a------ c:\windows\system32\cont_milehighads-remove.exe
2008-12-24 12:17 . 2009-01-02 09:18 <DIR> d-------- C:\LIMEWIRE
2008-12-24 12:16 . 2009-01-01 22:28 <DIR> d-------- c:\program files\LimeWire
2008-12-24 12:16 . 2009-01-02 06:30 <DIR> d-------- c:\documents and settings\Ricky Vernon\Application Data\LimeWire
2008-12-22 23:08 . 2008-12-22 23:15 <DIR> d-------- c:\documents and settings\Ricky Vernon\Application Data\IObit
2008-12-22 23:07 . 2008-12-22 23:08 <DIR> d-------- c:\program files\IObit
2008-12-22 08:47 . 2008-12-22 08:47 865 --a------ C:\18 Wheels of Steel Pedal to the Metal.lnk
2008-12-22 03:17 . 2008-12-22 09:34 <DIR> d-------- c:\program files\18 WoS Pedal to the Metal
2008-12-19 05:21 . 2008-12-22 20:14 <DIR> d-------- c:\program files\Valusoft
2008-12-19 05:21 . 2008-12-19 05:21 <DIR> d-------- c:\program files\Trymedia
2008-12-19 04:26 . 2008-12-20 05:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-12-19 04:24 . 2008-12-19 04:26 <DIR> d-------- c:\program files\18 Wheels of Steel American Long Haul
2008-12-19 00:59 . 2008-12-19 00:59 <DIR> d-------- C:\Westwood
2008-12-17 18:54 . 2008-12-17 18:54 <DIR> d-------- c:\windows\ie8updates
2008-12-13 02:40 . 2009-01-02 06:25 <DIR> d-------- c:\program files\UltimateZip
2008-12-13 02:40 . 2008-12-13 02:40 <DIR> d-------- c:\documents and settings\Ricky Vernon\Application Data\UltimateZip
2008-12-07 15:04 . 2008-12-07 15:05 <DIR> d-------- c:\program files\18 Wheels of Steel Convoy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 18:16 --------- d-----w c:\program files\EA Games
2009-01-02 12:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-02 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-02 12:42 --------- d-----w c:\program files\Norton 360
2009-01-02 03:28 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-02 03:28 --------- d-----w c:\program files\UltimateZip 2007
2009-01-02 03:28 --------- d-----w c:\program files\CDBurnerXP
2009-01-02 03:28 --------- d-----w c:\program files\AGEIA Technologies
2009-01-02 02:14 --------- d-----w c:\program files\Common Files\EasyInfo
2009-01-01 23:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 03:34 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\uTorrent
2008-12-30 00:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-27 23:59 --------- d-----w c:\program files\Electronic Arts
2008-12-23 04:13 --------- d-----w c:\program files\World of Warcraft
2008-12-23 04:13 --------- d-----w c:\program files\Warcraft III
2008-12-23 04:13 --------- d-----w c:\program files\Starcraft
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Ventrilo
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Turbine
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Software Informer
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\iolo
2008-12-08 21:07 --------- d-----w c:\program files\ASUS
2008-12-02 03:18 --------- d-----w c:\program files\THQ
2008-12-01 15:23 673,792 ----a-w c:\windows\system32\nsy115.dll
2008-11-28 00:31 --------- d-----w c:\program files\MySpace
2008-11-26 23:37 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Command & Conquer 3 Kane's Wrath
2008-11-22 20:21 --------- d-----w c:\program files\Square Soft, Inc
2008-10-24 12:20 2,829 ----a-w c:\windows\War3Unin.pif
2008-10-24 12:20 139,264 ----a-w c:\windows\War3Unin.exe
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-12-01 15:24 640,000 ----a-w c:\program files\mozilla firefox\components\nsmilehighads.dll
2008-06-06 22:30 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060620080607\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd5d6602-5fef-61f9-479f-44fcff69cc2f}]
2008-12-01 10:23 673792 --a------ c:\windows\system32\nsy115.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\Ricky Vernon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2008-12-12 202264]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-02 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"WinSys2"="c:\windows\System32\winsys2.exe" [2006-04-28 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-02 970808]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-02 497008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"C6501Sound"=RunDll32 c6501.cpl,CMICtrlWnd
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-02-28 1310720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-01-02 334352]
R4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-12-05 935208]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-01-02 181584]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-02 49680]
R4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-02 492888]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-02 36368]
R4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-02 677128]

*Newly Created Service* - CATCHME
*Newly Created Service* - PNKBSTRA
*Newly Created Service* - PNKBSTRB
*Newly Created Service* - PNKBSTRK
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1844237615-839522115-1003.job
- c:\documents and settings\Ricky Vernon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 17:32]

2009-01-03 c:\windows\Tasks\User_Feed_Synchronization-{790AF47A-EE34-44E3-86F1-D83EBC8BD248}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: www.irs.gov
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\Ricky Vernon\Application Data\Mozilla\Firefox\Profiles\0luiy4nq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www5.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 18:37:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-01-03 18:40:41
ComboFix-quarantined-files.txt 2009-01-03 23:39:22

Pre-Run: 72,640,643,072 bytes free
Post-Run: 72,626,700,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

249 --- E O F --- 2008-12-25 13:26:13

#4 Breowolf
Posted 03 January 2009 - 06:57 PM

Here is the combofix text, thanks for the help,

Breowolf

2008-12-19 05:21 . 2008-12-22 20:14 <DIR> d-------- c:\program files\Valusoft
2008-12-19 05:21 . 2008-12-19 05:21 <DIR> d-------- c:\program files\Trymedia
2008-12-19 04:26 . 2008-12-20 05:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-12-19 04:24 . 2008-12-19 04:26 <DIR> d-------- c:\program files\18 Wheels of Steel American Long Haul
2008-12-19 00:59 . 2008-12-19 00:59 <DIR> d-------- C:\Westwood
2008-12-17 18:54 . 2008-12-17 18:54 <DIR> d-------- c:\windows\ie8updates
2008-12-13 02:40 . 2009-01-02 06:25 <DIR> d-------- c:\program files\UltimateZip
2008-12-13 02:40 . 2008-12-13 02:40 <DIR> d-------- c:\documents and settings\Ricky Vernon\Application Data\UltimateZip
2008-12-07 15:04 . 2008-12-07 15:05 <DIR> d-------- c:\program files\18 Wheels of Steel Convoy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 18:16 --------- d-----w c:\program files\EA Games
2009-01-02 12:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-02 12:46 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-02 12:42 --------- d-----w c:\program files\Norton 360
2009-01-02 03:28 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-02 03:28 --------- d-----w c:\program files\UltimateZip 2007
2009-01-02 03:28 --------- d-----w c:\program files\CDBurnerXP
2009-01-02 03:28 --------- d-----w c:\program files\AGEIA Technologies
2009-01-02 02:14 --------- d-----w c:\program files\Common Files\EasyInfo
2009-01-01 23:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 03:34 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\uTorrent
2008-12-30 00:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-27 23:59 --------- d-----w c:\program files\Electronic Arts
2008-12-23 04:13 --------- d-----w c:\program files\World of Warcraft
2008-12-23 04:13 --------- d-----w c:\program files\Warcraft III
2008-12-23 04:13 --------- d-----w c:\program files\Starcraft
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Ventrilo
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Turbine
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Software Informer
2008-12-23 04:13 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\iolo
2008-12-08 21:07 --------- d-----w c:\program files\ASUS
2008-12-02 03:18 --------- d-----w c:\program files\THQ
2008-12-01 15:23 673,792 ----a-w c:\windows\system32\nsy115.dll
2008-11-28 00:31 --------- d-----w c:\program files\MySpace
2008-11-26 23:37 --------- d-----w c:\documents and settings\Ricky Vernon\Application Data\Command & Conquer 3 Kane's Wrath
2008-11-22 20:21 --------- d-----w c:\program files\Square Soft, Inc
2008-10-24 12:20 2,829 ----a-w c:\windows\War3Unin.pif
2008-10-24 12:20 139,264 ----a-w c:\windows\War3Unin.exe
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-12-01 15:24 640,000 ----a-w c:\program files\mozilla firefox\components\nsmilehighads.dll
2008-06-06 22:30 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060620080607\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd5d6602-5fef-61f9-479f-44fcff69cc2f}]
2008-12-01 10:23 673792 --a------ c:\windows\system32\nsy115.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\Ricky Vernon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2008-12-12 202264]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-02 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"WinSys2"="c:\windows\System32\winsys2.exe" [2006-04-28 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-02 970808]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-02 497008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"C6501Sound"=RunDll32 c6501.cpl,CMICtrlWnd
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-02-28 1310720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-01-02 334352]
R4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-12-05 935208]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-01-02 181584]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-02 49680]
R4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-02 492888]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-02 36368]
R4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-02 677128]

*Newly Created Service* - CATCHME
*Newly Created Service* - PNKBSTRA
*Newly Created Service* - PNKBSTRB
*Newly Created Service* - PNKBSTRK
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1844237615-839522115-1003.job
- c:\documents and settings\Ricky Vernon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 17:32]

2009-01-03 c:\windows\Tasks\User_Feed_Synchronization-{790AF47A-EE34-44E3-86F1-D83EBC8BD248}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: www.irs.gov
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\Ricky Vernon\Application Data\Mozilla\Firefox\Profiles\0luiy4nq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www5.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 18:37:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-01-03 18:40:41
ComboFix-quarantined-files.txt 2009-01-03 23:39:22

Pre-Run: 72,640,643,072 bytes free
Post-Run: 72,626,700,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

249 --- E O F --- 2008-12-25 13:26:13

#5 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:05:34 AM

Posted 04 January 2009 - 02:48 PM

Hello Breowolf,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
c:\windows\system32\cont_milehighads-remove.exe

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot omitted: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file C:\QooBox\Quarantine\[9]-Submit_Date_Time.zip.

Open Mozilla Firefox.
Beside the address bar is the search engine bar.
Can you use the drop-down arrow beside the search box and select "Manage Search Engines"?
If YOOG is listed, can you highlight it and remove it?
Then highlight Google and hit OK.
Don't close Firefox yet!
In the URL bar, type about:config, hit Enter and, when asked, confirm you'll be careful.
Now find the keyword.URL setting (halfway down the screen), double-click it and
change the value to http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q= (standard setting).
Close and restart Firefox. Still getting redirected?

Greetings,
Thunder

Edited by Thunder, 04 January 2009 - 02:49 PM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
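The checks Thunder applies by hand in the reply above (is Firefox's keyword.URL and selected search engine pointing somewhere other than a known search site?) and the registry findings a log reader looks for in the "Reg Loading Points" section (Security Center monitoring disabled, the Windows Firewall off, a DLL in AppInit_DLLs) can be scripted as a triage pass over ComboFix-style output. The following is an added example, not code from the post, from ComboFix or from BleepingComputer. It assumes only the line formats visible in the log on this page; the sample lines are constructed copies in that format, and the allow-lists of search hosts and engine names are an assumption to adjust for your own environment.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts and engine names accepted as legitimate defaults; extend per environment.
KNOWN_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}
KNOWN_ENGINES = {"Google", "Yahoo", "Bing"}

# Constructed sample in the formats ComboFix prints (not a real run); the Firefox lines
# mirror the hijacked user.js entries shown in the log above.
SAMPLE_LOG = r"""
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www5.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
"""


def refang(url: str) -> str:
    """ComboFix prints URLs as hxxp:// so they are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def dword(value: str) -> int:
    """Parse a 'dword:00000001' or '0 (0x0)' style registry value into an int."""
    if value.lower().startswith("dword:"):
        return int(value.split(":", 1)[1], 16)
    return int(value.split()[0])


def audit_log(text: str) -> list:
    """Return (category, detail) findings that deserve a second look by the log reader."""
    findings = []
    section = ""  # registry key that the following "name"=value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        ff = re.match(r"FF - (?:user|prefs)\.js: (\S+) - (.*)$", line)
        if ff:
            key, value = ff.group(1), ff.group(2).strip()
            if key == "keyword.URL":
                # Address-bar searches go to this URL; a hijacker points it at its own site.
                host = urlparse(refang(value)).hostname or ""
                if host not in KNOWN_SEARCH_HOSTS:
                    findings.append(("keyword.URL", f"address-bar searches are sent to {host}"))
            elif key == "browser.search.selectedEngine" and value not in KNOWN_ENGINES:
                findings.append(("selectedEngine", f"unknown search engine '{value}'"))
            continue
        reg = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if not reg:
            continue
        name, value = reg.group(1), reg.group(2).strip()
        if name == "DisableMonitoring" and "security center" in section and dword(value) == 1:
            # Normal when a third-party suite registers with Security Center; still confirm which one.
            subkey = section.split("\\")[-1]
            findings.append(("SecurityCenter", f"monitoring disabled: {subkey}"))
        elif name == "EnableFirewall" and dword(value) == 0:
            findings.append(("Firewall", "Windows Firewall off for the standard profile"))
        elif name == "AppInit_DLLs" and value:
            # Anything listed here is loaded into every process that loads user32.dll.
            findings.append(("AppInit_DLLs", f"{value} is loaded into every user32 process"))
    return findings


if __name__ == "__main__":
    for category, detail in audit_log(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

Run as-is it reports the Yoog search engine, the yoog.com keyword.URL, the disabled Security Center monitoring, the firewall set to 0 and the AppInit_DLLs entry. Each finding is a prompt to verify, not a verdict: on this machine the Security Center entries and avgrsstx.dll are consistent with the installed Norton/Trend Micro/AVG components, whereas the two Firefox findings match the redirect Thunder is cleaning up.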