I let the Kids use my PC, now I think I'm infected!


This topic is locked. 13 replies to this topic.

#1 stjpub (Members, 7 posts)

Posted 16 February 2009 - 05:50 PM

Can anyone tell me what I need to do to fix my PC by looking at this log?

Sam


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:28 PM, on 2/16/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINNT\System32\regsvr32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stjpub.com/
O2 - BHO: (no name) - {4fb6c47d-daf3-4bc1-9efe-b51ea773c856} - C:\WINNT\system32\yenejesa.dll
O2 - BHO: {c2149766-c600-54b8-8614-e8cfc20833fb} - {bf33802c-fc8e-4168-8b45-006c6679412c} - C:\WINNT\system32\isxmwr.dll
O2 - BHO: C:\WINNT\system32\hs78344kjkfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINNT\system32\hs78344kjkfd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [oleaut32.dll] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ivwcxsohtwn] C:\WINNT\System32\regsvr32.exe /s "C:\WINNT\system32\ratodirwgqsyjfqr.dll"
O4 - HKLM\..\Run: [zojelurowi] Rundll32.exe "C:\WINNT\system32\gemomume.dll",s
O4 - HKLM\..\Run: [4ce28230] rundll32.exe "C:\WINNT\system32\vidimofu.dll",b
O4 - HKLM\..\Run: [CPM4fd1b1ac] Rundll32.exe "C:\WINNT\system32\fogiguzu.dll",a
O4 - HKCU\..\Run: [jzcmigqrafa351pm3gde9tli7tiormx6cmdmwjin3y] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\pe1yud0r15.exe
O4 - HKCU\..\Run: [npcbpo19x7dwjt0hb5uel] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\md4qq3d8xst.exe
O4 - HKCU\..\Run: [oqx4mevhlibhb5qyzdr2atz9wjck66mrw5knti4pyaitq] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\peiey87.exe
O4 - HKCU\..\Run: [wt5i78o8jq9cwcstaubkcc7qbv6bdvv4zv] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\b2tswiqz.exe
O4 - HKCU\..\Run: [acx37tzn27gr] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\oo90zkdlr6f.exe
O4 - HKCU\..\Run: [zajq8iti97840i7k3tji52nb3xbv9619hpw4kr6ozz4d0ad] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\kvh3bjo1bsq.exe
O4 - HKCU\..\Run: [zojelurowi] Rundll32.exe "C:\WINNT\system32\gemomume.dll",s
O4 - HKCU\..\Run: [ianbcnaybt] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\hedsorlp4un.exe
O4 - HKCU\..\Run: [cs806nwz344a50amo02exxc] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\od9uh3h.exe
O4 - HKCU\..\Run: [svgo2wqf8m7rvh2f4larz56kshpkzg8m7] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\rig6csqs.exe
O4 - HKCU\..\Run: [y7g11etwys11c6wmfirx76vpf2ue] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\lyfjrw.exe
O4 - HKCU\..\Run: [zyufrwhv4x4pdh31xwx3bl7y8ptj6qzbt3d9eh9fjpf] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\jxl1dpb7jyj.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Pop-Up Blocker Pro - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
O9 - Extra 'Tools' menuitem: &Pop-Up Blocker Pro - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
O16 - DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} (BiblioNetCtrl Class) - http://www.freehandmusic.com/Update/biblionet.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136402350109
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O20 - AppInit_DLLs: nmszkl.dll xvwwcf.dll C:\WINNT\system32\rovoyato.dll isxmwr.dll c:\winnt\system32\fogiguzu.dll
O20 - Winlogon Notify: mlJCRigd - mlJCRigd.dll (file missing)
O20 - Winlogon Notify: mlJDuusQ - mlJDuusQ.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fogiguzu.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINNT\system32\hs78344kjkfd.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fogiguzu.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7903 bytes

#2 stjpub (Topic Starter, Members, 7 posts)

Posted 17 February 2009 - 11:26 AM

Still need help! Now I can't access the internet.

#3 fenzodahl512 (Members, 6,738 posts)

Posted 17 February 2009 - 11:47 AM

Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (Open it as Notepad)



NEXT


Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply


Post these logs in your next reply..

1. Dr.Web CureIt
2. Attach virusinfo_syscheck.htm

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 stjpub (Topic Starter, Members, 7 posts)

Posted 18 February 2009 - 03:52 PM

I keep trying what you suggested...I downloaded the Cureit and Avz4 programs. When I double click the cureit icon on my desktop...it keeps giving me an error that setup.exe has generated errors and will have to be closed by Windows. I have deleted it and re-downloaded it etc. and still get the same message. What now?

Here is my latest Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:30 PM, on 2/18/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stjpub.com/
O2 - BHO: (no name) - {4fb6c47d-daf3-4bc1-9efe-b51ea773c856} - C:\WINNT\system32\yenejesa.dll (file missing)
O2 - BHO: C:\WINNT\system32\hs78344kjkfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINNT\system32\hs78344kjkfd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [oleaut32.dll] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [zojelurowi] Rundll32.exe "C:\WINNT\system32\gemomume.dll",s
O4 - HKLM\..\Run: [CPM4fd1b1ac] Rundll32.exe "c:\winnt\system32\nuzeroto.dll",a
O4 - HKCU\..\Run: [r9t9wp3x42u4mw30s3b3yf6hlhl] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\gt78iv8jxyix4.exe
O4 - HKCU\..\Run: [wac8lct09rn2hrem5gvfg3rx6mnpm7p7sfzlhuj] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\gez2uy54.exe
O4 - HKCU\..\Run: [yt0j7drz27bo5g9rdjudzv8] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\dwlx1zcy771rc.exe
O4 - HKCU\..\Run: [geg1wcmzp073eb0d5nxscfw7i17gic11eds362t9j] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\ackrg3xggyo.exe
O4 - HKCU\..\Run: [hycecri4u5li3fiskl6hvmu648jo3cavy29so26u] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\nejxsa2mh.exe
O4 - HKCU\..\Run: [rb72drdbhswqe69uqwecxaylukv8ygk5ykcbtqtqqllgr2l] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\dvs6o2tsv4.exe
O4 - HKCU\..\Run: [egjaxtc137koxajhqwevia8xn5n3p9] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\p8qpoctn4.exe
O4 - HKCU\..\Run: [lj48qykxxounvlw8n5hsmi2duhv71xgiomgp4nz037] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\z0la3mb5p.exe
O4 - HKCU\..\Run: [rtffp2iy9ogfz7b65] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\xor4029y77b.exe
O4 - HKCU\..\Run: [scr4l4lzmyh1jllsu5miwdvep4tkmy] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\fs33kxi7odz.exe
O4 - HKCU\..\Run: [u4xbou1kwhwve7ejrs] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\e6r0mr59.exe
O4 - HKCU\..\Run: [ja8y9b11w7giyr6oc43jw1iw] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\lj4i63w6072ya.exe
O4 - HKCU\..\Run: [lwxcczybex8pxe6a3qrjhy0xmy55hi] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\fm54odr.exe
O4 - HKCU\..\Run: [uzpbc6grkvpw7iovvac7rlsjr24iqnacp] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\fn1cr2.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Pop-Up Blocker Pro - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
O9 - Extra 'Tools' menuitem: &Pop-Up Blocker Pro - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
O16 - DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} (BiblioNetCtrl Class) - http://www.freehandmusic.com/Update/biblionet.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136402350109
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O20 - AppInit_DLLs: C:\WINNT\system32\rovoyato.dll aaelzq.dll c:\winnt\system32\nuzeroto.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\nuzeroto.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINNT\system32\hs78344kjkfd.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\nuzeroto.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7537 bytes
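The two HijackThis logs above differ in a way that is easy to miss when reading them by eye: the same SSODL and SharedTaskScheduler CLSID ({EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}) points at fogiguzu.dll on 16 February and at nuzeroto.dll on 18 February, and the HKCU Run values launching from the Temp folder have all changed names. The following Python script is an added example, not code from the thread and not part of HijackThis: it parses HijackThis entry lines, flags the load points a helper reads first (Run values starting from Temp, rundll32 loading a DLL through a one-letter export, AppInit_DLLs, the DisableRegedit policy, Winlogon Notify, SSODL/SharedTaskScheduler, BHOs with no product name), diffs two logs, and reports CLSIDs whose payload DLL changed between scans. The sample logs are short excerpts constructed from the two logs posted above, and the heuristics are this example's own.

```python
"""Triage and diff HijackThis logs (added example; the heuristics are this script's own).

LOG_FEB16 and LOG_FEB18 are excerpts constructed from the 16 and 18 February
logs in the thread, not complete copies of either.
"""
import re

LOG_FEB16 = r"""
O2 - BHO: (no name) - {4fb6c47d-daf3-4bc1-9efe-b51ea773c856} - C:\WINNT\system32\yenejesa.dll
O2 - BHO: C:\WINNT\system32\hs78344kjkfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINNT\system32\hs78344kjkfd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CPM4fd1b1ac] Rundll32.exe "C:\WINNT\system32\fogiguzu.dll",a
O4 - HKCU\..\Run: [acx37tzn27gr] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\oo90zkdlr6f.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: nmszkl.dll xvwwcf.dll C:\WINNT\system32\rovoyato.dll isxmwr.dll c:\winnt\system32\fogiguzu.dll
O20 - Winlogon Notify: mlJCRigd - mlJCRigd.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fogiguzu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fogiguzu.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

LOG_FEB18 = r"""
O2 - BHO: (no name) - {4fb6c47d-daf3-4bc1-9efe-b51ea773c856} - C:\WINNT\system32\yenejesa.dll (file missing)
O2 - BHO: C:\WINNT\system32\hs78344kjkfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINNT\system32\hs78344kjkfd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CPM4fd1b1ac] Rundll32.exe "c:\winnt\system32\nuzeroto.dll",a
O4 - HKCU\..\Run: [rtffp2iy9ogfz7b65] C:\DOCUME~1\ADMINI~1.AU-\LOCALS~1\Temp\xor4029y77b.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINNT\system32\rovoyato.dll aaelzq.dll c:\winnt\system32\nuzeroto.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\nuzeroto.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\nuzeroto.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(R\d+|O\d+) - (.*)$")           # "O4 - <body>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")                 # the [name] of a Run value
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$")  # long lowercase letter/digit soup
RUNDLL_EXPORT_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",[a-z]\b')  # rundll32 "x.dll",a


def parse(log):
    """Return [(section, body)] for every HijackThis entry line; headers and blanks are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(log):
    """Return (reason, item) pairs for entries that deserve a closer look.

    These are this example's heuristics, not a HijackThis feature; they follow
    what the helper in the thread acted on, and every hit still needs a person.
    """
    hits = []
    for section, body in parse(log):
        low = body.lower()
        if section == "O2" and body.startswith("BHO: "):
            desc = body[5:].split(" - ")[0]        # description sits before the CLSID
            if desc == "(no name)" or CLSID_RE.fullmatch(desc) or desc.lower().endswith(".dll"):
                hits.append(("BHO with no product name", body))
        elif section == "O4":
            name = RUN_NAME_RE.search(body)
            if "\\temp\\" in low:
                hits.append(("Run value starts an executable from a Temp folder", body))
            elif name and RANDOM_NAME_RE.match(name.group(1)):
                hits.append(("Run value with a random-looking name", body))
            elif RUNDLL_EXPORT_RE.search(low):
                hits.append(("rundll32 loads a DLL through a one-letter export", body))
        elif section == "O7" and "disableregedit=1" in low:
            hits.append(("policy disables the registry editor", body))
        elif section == "O20" and low.startswith("appinit_dlls:"):
            for dll in body.split(":", 1)[1].split():   # each DLL is loaded into every user32 process
                hits.append(("AppInit_DLLs entry", dll))
        elif section == "O20" and low.startswith("winlogon notify:"):
            hits.append(("Winlogon Notify package", body))
        elif section in ("O21", "O22"):
            hits.append(("SSODL/SharedTaskScheduler load point", body))
    return hits


def diff_logs(old_log, new_log):
    """Entries that appear in only one of two logs, e.g. the same machine scanned two days apart."""
    old, new = set(parse(old_log)), set(parse(new_log))
    return {"removed": sorted(old - new), "added": sorted(new - old)}


def _payload_by_clsid(log):
    """Map (section, clsid) -> payload path for the CLSID-keyed load points O2, O21 and O22."""
    out = {}
    for section, body in parse(log):
        ids = CLSID_RE.findall(body)
        if section in ("O2", "O21", "O22") and ids:
            # "(file missing)" is a HijackThis annotation, not part of the path
            path = body.rsplit(" - ", 1)[1].replace(" (file missing)", "").lower()
            out[(section, ids[-1].lower())] = path
    return out


def renamed_payloads(old_log, new_log):
    """Load points whose CLSID survived but whose DLL changed: (section, clsid, before, after)."""
    old, new = _payload_by_clsid(old_log), _payload_by_clsid(new_log)
    return [(s, c, old[(s, c)], new[(s, c)])
            for (s, c) in sorted(old) if (s, c) in new and old[(s, c)] != new[(s, c)]]


if __name__ == "__main__":
    for reason, item in triage(LOG_FEB16):
        print(f"[{reason}] {item}")
    for section, clsid, before, after in renamed_payloads(LOG_FEB16, LOG_FEB18):
        print(f"{section} {clsid}: {before} -> {after}")
```

Run against the two excerpts, `triage()` flags every entry the helper later removed and none of the NVIDIA, PC Tools or Office entries, and `renamed_payloads()` returns the O21 and O22 pair that swapped fogiguzu.dll for nuzeroto.dll. The CLSID-keyed comparison is the point: a plain line diff shows both entries as "removed" and "added", which hides that the load point itself never went away.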

#5 fenzodahl512 (Members, 6,738 posts)

Posted 18 February 2009 - 04:16 PM

Skip the above steps and do the ones below...


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[screenshots of the rename step]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#6 stjpub (Topic Starter, Members, 7 posts)

Posted 18 February 2009 - 04:52 PM

Here is the Combofix log:

ComboFix 09-02-17.02 - Administrator 02/18/2009 16:36:56.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.158 [GMT -5:00]
Running from: c:\documents and settings\Administrator.AU-8685JKT5NN49\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1.AU-\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Administrator.AU-8685JKT5NN49\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GrandPack
c:\program files\GrandPack\GrandPack.dll
c:\winnt\IE4 Error Log.txt
c:\winnt\sysguard.exe
c:\winnt\system32\aaelzq.dll
c:\winnt\system32\ahuvubuv.ini
c:\winnt\system32\bazadoli.dll
c:\winnt\system32\BSZI.dll
c:\winnt\system32\bszip.dll
c:\winnt\system32\civmwwyx.ini
c:\winnt\system32\d3d8caps.dat
c:\winnt\system32\encapi32.dll
c:\winnt\system32\esokovuj.ini
c:\winnt\system32\fogiguzu.dll
c:\winnt\system32\fwahaqge.ini
c:\winnt\system32\gemomume.dll
c:\winnt\system32\gigiweme.dll
c:\winnt\system32\hs78344kjkfd.dll
c:\winnt\system32\isxmwr.dll
c:\winnt\system32\juqnxgpx.dll
c:\winnt\system32\juvokose.dll
c:\winnt\system32\Memman.vxd
c:\winnt\system32\mnovqivq.dll
c:\winnt\system32\msansspc.dll
c:\winnt\system32\nmszkl.dll
c:\winnt\system32\nuzeroto.dll
c:\winnt\system32\pikusuba.dll
c:\winnt\system32\rah3b8ffdnd.dll
c:\winnt\system32\ratodirwgqsyjfqr.dll
c:\winnt\system32\rovoyato.dll
c:\winnt\system32\rYbLoUvw.ini
c:\winnt\system32\rYbLoUvw.ini2
c:\winnt\system32\skinboxer43.dll
c:\winnt\system32\tasutope.dll
c:\winnt\system32\TtAHNXbc.ini
c:\winnt\system32\TtAHNXbc.ini2
c:\winnt\system32\tuaanffp.ini
c:\winnt\system32\ufomidiv.ini
c:\winnt\system32\vidimofu.dll
c:\winnt\system32\vroirk.dll
c:\winnt\system32\wpv361234555431.cpx
c:\winnt\system32\xHkUvGgh.ini
c:\winnt\system32\xHkUvGgh.ini2
c:\winnt\system32\xvwwcf.dll
c:\winnt\Web\default.htt
c:\winnt\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-16 19:41 . 09-02-17 21:34 925,466 ---h----- c:\winnt\ShellIconCache
2009-02-16 17:36 . 09-02-16 17:36 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 10:50 . 09-02-16 10:50 <DIR> d-------- C:\New Folder (2)
2009-02-15 21:17 . 09-02-15 21:17 1,968 --a------ c:\winnt\system32\xxyxUnLf.dll
2009-02-15 13:16 . 09-02-15 13:16 126,464 --a------ C:\ytprjxsv.exe
2009-02-15 13:16 . 09-02-15 13:16 19,968 --a------ C:\xyephkl.exe
2009-02-15 13:16 . 09-02-15 13:16 8,704 --a------ C:\jttgds.exe
2009-02-15 13:16 . 09-02-15 13:16 2 --a------ C:\1289912991
2009-02-15 13:15 . 09-02-15 13:15 72,704 --a------ c:\winnt\system32\rsvyrusj.dll
2009-02-15 13:15 . 09-02-15 13:15 40,448 --a------ C:\cwxwwgtl.exe
2009-02-15 13:12 . 09-02-15 13:12 302,592 --a------ c:\winnt\system32\cbXNHAtT.dll.vir
2009-02-15 13:06 . 09-02-15 13:06 1,968 --a------ c:\winnt\system32\nnnkLedA.dll
2009-02-15 13:05 . 09-02-15 13:05 36,352 --a------ c:\winnt\system32\hgGwXqQk.dll
2009-02-11 02:16 . 09-02-11 02:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScanSoft
2009-02-11 02:16 . 09-02-11 02:16 <DIR> d-------- c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\ScanSoft
2009-01-26 11:35 . 09-01-26 11:35 <DIR> d-------- c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Smith Micro
2009-01-26 11:31 . 09-01-26 11:31 <DIR> d-------- c:\program files\PANTECH
2009-01-26 11:31 . 06-11-01 17:21 319,456 --a------ c:\winnt\system32\DIFxAPI.dll
2009-01-26 11:31 . 08-05-16 23:46 77,824 --a------ c:\winnt\system32\PTDUwmcp.dll
2009-01-26 11:31 . 08-03-11 17:58 59,776 --a------ c:\winnt\system32\drivers\PTDUWWAN.sys
2009-01-26 11:31 . 08-03-11 17:58 41,344 --a------ c:\winnt\system32\drivers\PTDUMdm.sys
2009-01-26 11:31 . 08-03-11 17:58 39,936 --a------ c:\winnt\system32\drivers\PTDUVsp.sys
2009-01-26 11:31 . 08-03-11 17:58 29,824 --a------ c:\winnt\system32\drivers\PTDUBus.sys
2009-01-26 11:31 . 08-03-11 17:58 5,120 --a------ c:\winnt\system32\drivers\PTDUWFLT.sys
2009-01-21 09:18 . 09-01-21 09:24 <DIR> d-a------ c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Ascentive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 21:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-18 21:33 --------- d-----w c:\program files\Spyware Doctor
2009-02-12 18:34 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-02-11 09:31 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Canon
2009-02-11 07:51 --------- d-----w c:\program files\MSWorks
2009-02-11 07:18 --------- d---a-w c:\documents and settings\All Users\Application Data\SSScanWizard
2009-02-11 07:18 --------- d---a-w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-09 14:01 --------- d-----w c:\program files\Ascentive
2009-01-11 00:26 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-11 00:18 --------- d-----w c:\program files\Cucusoft
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\Ascentive
2009-01-01 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\WinRocket
2009-01-01 18:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 17:17 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\InstallShield
2006-05-01 19:06 98 ----a-w c:\program files\Common Files\WS_FTP.LOG
2006-05-01 19:06 22,483 ----a-w c:\program files\Common Files\index.html
2003-12-24 16:59 271 ---h--w c:\program files\desktop.ini
2003-12-24 16:59 21,952 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [03-05-02 02:19 4640768]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [05-12-27 21:13 360448]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [02-06-12 23:50 167936]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [03-05-08 11:00 49152]
"oleaut32.dll"="c:\program files\Spyware Doctor\pctsTray.exe" [08-08-25 12:36 1168264]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 815104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudorat\EuShlExt.dll" [06-08-17 13:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R1 crlscsi;crlscsi;c:\winnt\system32\drivers\crlscsi.sys [2006-01-02 6144]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\winnt\system32\drivers\Msikbd2k.sys [2005-12-27 6656]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [2008-09-14 160792]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2005-12-27 28672]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\winnt\system32\drivers\es1370mp.sys [2003-12-24 41328]
R3 IBMFE;IBM 10/100 Ethernet PCI Adapter NT Driver;c:\winnt\system32\drivers\ibmfent5.sys [2006-01-04 85776]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-07 24784]
R3 S3Inc;S3Inc;c:\winnt\system32\drivers\s3sav4m.sys [2003-12-24 65072]
S3 InCDFat;Ahead InCDFat File System Driver;c:\winnt\system32\drivers\InCDFat.sys [2006-01-03 134144]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\winnt\system32\drivers\PTDUBus.sys [2009-01-26 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\winnt\system32\drivers\PTDUMdm.sys [2009-01-26 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\winnt\system32\drivers\PTDUVsp.sys [2009-01-26 39936]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\winnt\system32\drivers\PTDUWFLT.sys [2009-01-26 5120]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\winnt\system32\drivers\PTDUWWAN.sys [2009-01-26 59776]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-14 356920]

--- Other Services/Drivers In Memory ---

*Deregistered* - InCDFatRec
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\winnt\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-07-25 c:\winnt\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{4fb6c47d-daf3-4bc1-9efe-b51ea773c856} - c:\winnt\system32\yenejesa.dll
HKLM-Run-RegistryMechanic - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stjpub.com/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} - hxxp://www.freehandmusic.com/Update/biblionet.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 16:44:35
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\WINNT\explorer.exe [1220] 0x8144FBC0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(244)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-02-18 16:47:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-18 21:47:45

Pre-Run: 208,601,088 bytes free
Post-Run: 1,286,279,168 bytes free

192 --- E O F --- 2008-11-13 13:31:18

#7 fenzodahl512 (Members, 6,738 posts)

Posted 19 February 2009 - 02:46 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\winnt\system32\xxyxUnLf.dll
C:\ytprjxsv.exe
C:\xyephkl.exe
C:\jttgds.exe
C:\1289912991
c:\winnt\system32\rsvyrusj.dll
C:\cwxwwgtl.exe
c:\winnt\system32\cbXNHAtT.dll.vir
c:\winnt\system32\nnnkLedA.dll
c:\winnt\system32\hgGwXqQk.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 stjpub

  • Topic Starter
  • Members
  • 7 posts

Posted 20 February 2009 - 08:56 PM

Here they are... thanks again for all of your help!

Sam


ComboFix 09-02-17.02 - Administrator 02/20/2009 20:29:54.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.115 [GMT -5:00]
Running from: c:\documents and settings\Administrator.AU-8685JKT5NN49\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 01:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-20 14:17 --------- d-----w c:\program files\Spyware Doctor
2009-02-16 22:36 --------- d-----w c:\program files\Trend Micro
2009-02-16 02:17 1,968 ----a-w c:\winnt\system32\xxyxUnLf.dll
2009-02-15 18:16 8,704 ----a-w C:\jttgds.exe
2009-02-15 18:16 19,968 ----a-w C:\xyephkl.exe
2009-02-15 18:16 126,464 ----a-w C:\ytprjxsv.exe
2009-02-15 18:15 72,704 ----a-w c:\winnt\system32\rsvyrusj.dll
2009-02-15 18:15 40,448 ----a-w C:\cwxwwgtl.exe
2009-02-15 18:12 302,592 ----a-w c:\winnt\system32\cbXNHAtT.dll.vir
2009-02-15 18:06 1,968 ----a-w c:\winnt\system32\nnnkLedA.dll
2009-02-15 18:05 36,352 ----a-w c:\winnt\system32\hgGwXqQk.dll
2009-02-12 18:34 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-02-11 09:31 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Canon
2009-02-11 07:51 --------- d-----w c:\program files\MSWorks
2009-02-11 07:18 --------- d---a-w c:\documents and settings\All Users\Application Data\SSScanWizard
2009-02-11 07:18 --------- d---a-w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-11 07:16 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2009-02-11 07:16 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\ScanSoft
2009-02-09 14:01 --------- d-----w c:\program files\Ascentive
2009-01-26 16:35 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Smith Micro
2009-01-26 16:31 --------- d-----w c:\program files\PANTECH
2009-01-21 14:24 --------- d---a-w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Ascentive
2009-01-11 00:26 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-11 00:18 --------- d-----w c:\program files\Cucusoft
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\Ascentive
2009-01-01 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\WinRocket
2009-01-01 18:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 17:17 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\InstallShield
2008-11-24 13:32 129,024 ----a-w c:\winnt\system32\bppkfsnf.dll
2008-11-23 00:12 72,704 ----a-w c:\winnt\system32\xywwmvic.dll
2008-11-23 00:10 129,024 ----a-w c:\winnt\system32\wmirwy.dll
2008-11-23 00:10 129,024 ----a-w c:\winnt\system32\vknykqjb.dll
2008-11-22 22:26 25,600 ----a-w c:\winnt\system32\awtrQJCu.dll
2006-05-01 19:06 98 ----a-w c:\program files\Common Files\WS_FTP.LOG
2006-05-01 19:06 22,483 ----a-w c:\program files\Common Files\index.html
2003-12-24 16:59 271 ---h--w c:\program files\desktop.ini
2003-12-24 16:59 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [05/02/03 02:19a 4640768]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [12/27/05 09:13p 360448]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [06/12/02 11:50p 167936]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [07/09/01 11:50a 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [05/08/03 11:00a 49152]
"oleaut32.dll"="c:\program files\Spyware Doctor\pctsTray.exe" [08/25/08 12:36p 1168264]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [08/25/08 12:36p 1168264]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p 111376 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [07/14/03 10:53p 34880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 02:05p 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudorat\EuShlExt.dll" [08/17/06 01:57p 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R1 crlscsi;crlscsi;c:\winnt\system32\drivers\crlscsi.sys [2006-01-02 6144]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\winnt\system32\drivers\Msikbd2k.sys [2005-12-27 6656]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [2008-09-14 160792]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2005-12-27 28672]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-14 356920]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\winnt\system32\drivers\es1370mp.sys [2003-12-24 41328]
R3 IBMFE;IBM 10/100 Ethernet PCI Adapter NT Driver;c:\winnt\system32\drivers\ibmfent5.sys [2006-01-04 85776]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-07 24784]
R3 S3Inc;S3Inc;c:\winnt\system32\drivers\s3sav4m.sys [2003-12-24 65072]
S3 InCDFat;Ahead InCDFat File System Driver;c:\winnt\system32\drivers\InCDFat.sys [2006-01-03 134144]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\winnt\system32\drivers\PTDUBus.sys [2009-01-26 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\winnt\system32\drivers\PTDUMdm.sys [2009-01-26 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\winnt\system32\drivers\PTDUVsp.sys [2009-01-26 39936]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\winnt\system32\drivers\PTDUWFLT.sys [2009-01-26 5120]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\winnt\system32\drivers\PTDUWWAN.sys [2009-01-26 59776]

--- Other Services/Drivers In Memory ---

*Deregistered* - InCDFatRec
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\winnt\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-07-25 c:\winnt\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stjpub.com/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} - hxxp://www.freehandmusic.com/Update/biblionet.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 20:35:48
Windows 5.0.2195 Service Pack 4 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(240)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 02/20/2009 20:39:31
ComboFix-quarantined-files.txt 2009-02-21 01:39:16
ComboFix2.txt 2009-02-18 21:47:59

Pre-Run: 1,144,643,584 bytes free
Post-Run: 1,173,225,472 bytes free

137 --- E O F --- 2009-02-20 13:58:44



---------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:55 PM, on 2/20/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stjpub.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [oleaut32.dll] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Pop-Up Blocker Pro - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
O9 - Extra 'Tools' menuitem: &Pop-Up Blocker Pro - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
O16 - DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} (BiblioNetCtrl Class) - http://www.freehandmusic.com/Update/biblionet.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136402350109
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5682 bytes

#9 fenzodahl512

  • Members
  • 6,738 posts

Posted 21 February 2009 - 12:52 AM

Hello.. I think you did it wrongly.. Please pay attention to what I write below...


Copy/paste the script below, inside the codebox, into Notepad >> Save it as CFScript >> drag the CFScript onto the Combo-Fix icon as shown below >> Let it run and post the log here..


KillAll::

File::
c:\winnt\system32\xxyxUnLf.dll
C:\jttgds.exe
C:\xyephkl.exe
C:\ytprjxsv.exe
c:\winnt\system32\rsvyrusj.dll
C:\cwxwwgtl.exe
c:\winnt\system32\cbXNHAtT.dll.vir
c:\winnt\system32\nnnkLedA.dll
c:\winnt\system32\hgGwXqQk.dll
c:\winnt\system32\bppkfsnf.dll
c:\winnt\system32\xywwmvic.dll
c:\winnt\system32\wmirwy.dll
c:\winnt\system32\vknykqjb.dll
c:\winnt\system32\awtrQJCu.dll

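
The file lists in the two CFScripts above were picked out of the ComboFix Find3M report by eye. The Python below is an added triage example, not part of this thread and not a ComboFix or BleepingComputer tool: it parses Find3M-style lines (the sample is copied from the report in post #8) and flags the files that share the traits the helper acted on, namely created inside the incident window, an .exe or .dll (or ComboFix's renamed .dll.vir) with a letters-only basename, and sitting at the drive root or in system32. The cutoff date, the 6-to-8-letter name rule and the `known_good` allow-list are assumptions of this example; it is a coarse filter that hands an analyst a short list to hash-check, not a verdict.

```python
import re
from datetime import datetime

# Constructed sample: Find3M lines copied from the ComboFix report posted above.
FIND3M_SAMPLE = r"""
2009-02-21 01:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 22:36 --------- d-----w c:\program files\Trend Micro
2009-02-16 02:17 1,968 ----a-w c:\winnt\system32\xxyxUnLf.dll
2009-02-15 18:16 8,704 ----a-w C:\jttgds.exe
2009-02-15 18:16 19,968 ----a-w C:\xyephkl.exe
2009-02-15 18:16 126,464 ----a-w C:\ytprjxsv.exe
2009-02-15 18:15 72,704 ----a-w c:\winnt\system32\rsvyrusj.dll
2009-02-15 18:15 40,448 ----a-w C:\cwxwwgtl.exe
2009-02-15 18:12 302,592 ----a-w c:\winnt\system32\cbXNHAtT.dll.vir
2009-02-15 18:06 1,968 ----a-w c:\winnt\system32\nnnkLedA.dll
2009-02-15 18:05 36,352 ----a-w c:\winnt\system32\hgGwXqQk.dll
2009-02-09 14:01 --------- d-----w c:\program files\Ascentive
2008-11-24 13:32 129,024 ----a-w c:\winnt\system32\bppkfsnf.dll
2008-11-23 00:12 72,704 ----a-w c:\winnt\system32\xywwmvic.dll
2008-11-23 00:10 129,024 ----a-w c:\winnt\system32\wmirwy.dll
2008-11-23 00:10 129,024 ----a-w c:\winnt\system32\vknykqjb.dll
2008-11-22 22:26 25,600 ----a-w c:\winnt\system32\awtrQJCu.dll
2006-05-01 19:06 98 ----a-w c:\program files\Common Files\WS_FTP.LOG
2006-05-01 19:06 22,483 ----a-w c:\program files\Common Files\index.html
2003-12-24 16:59 271 ---h--w c:\program files\desktop.ini
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
"""

# One Find3M line: date, time, size ("---------" for directories), attribute flags, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (-{9}|[\d,]+) (\S{7}) (.+)$")

# Assumed name rule: 6-8 letters only, PE extension, optionally ComboFix's ".vir" suffix.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{6,8}\.(?:exe|dll)(?:\.vir)?$")

# Assumed location rule: drive root or %SystemRoot%\system32 (Windows 2000 uses \winnt).
SUSPECT_DIR_RE = re.compile(r"^[a-z]:\\(?:winnt\\system32\\)?$", re.IGNORECASE)


def parse_find3m(text):
    """Yield (created, size_bytes, attrs, path) for every file or directory line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, lone dots and blank lines are skipped
        date, time, size, attrs, path = m.groups()
        created = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        size_bytes = None if size.startswith("-") else int(size.replace(",", ""))
        yield created, size_bytes, attrs, path


def is_suspect(created, size_bytes, path, since, known_good):
    """Apply the three traits; known_good (lower-case basenames) overrides the name rule."""
    if size_bytes is None or created < since:
        return False  # directories and files older than the window are out of scope
    directory, _, name = path.rpartition("\\")
    if name.lower() in known_good:
        return False
    return bool(RANDOM_NAME_RE.match(name)) and bool(SUSPECT_DIR_RE.match(directory + "\\"))


def triage(text, since="2008-11-01", known_good=frozenset()):
    """Return suspect paths in report order; `since` is the window start as YYYY-MM-DD."""
    since_dt = datetime.strptime(since, "%Y-%m-%d")
    return [
        path
        for created, size_bytes, _attrs, path in parse_find3m(text)
        if is_suspect(created, size_bytes, path, since_dt, known_good)
    ]


if __name__ == "__main__":
    # Assumed incident window: the oldest random-named DLL in the report is from late Nov 2008.
    for suspect in triage(FIND3M_SAMPLE, since="2008-11-01"):
        print(suspect)
```

With the November cutoff the sample yields exactly the fourteen files listed in the second CFScript; narrowing the window to February drops the five November DLLs, and anything an analyst has verified by hash goes into `known_good` so it stops appearing.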


#10 stjpub

  • Topic Starter
  • Members
  • 7 posts

Posted 21 February 2009 - 11:43 AM

I did what your earlier post stated... I copied and pasted the script into Notepad, saved it and dragged it onto Combo-Fix... it executed and produced the log. My computer then locked up and I had to reboot. I sent you the log after that. Also, when I rebooted... now I do not have Combo-Fix on my desktop anymore. I re-downloaded, saved it as combo-fix during download and now when I drag the script it starts to execute and I get the error "can't run combofix renamed combo-fix. Rename it with alphanumeric characters?"

Sam

#11 fenzodahl512

  • Members
  • 6,738 posts

Posted 21 February 2009 - 01:36 PM

Delete your version of ComboFix, download a fresh one from below, do not rename it, just leave it as it is, double click it to run, let it run and post the log here.


Link 1
Link 2
Link 3




#12 stjpub

  • Topic Starter
  • Members
  • 7 posts

Posted 25 February 2009 - 04:28 PM

Here's my latest log:

ComboFix 09-02-25.01 - Administrator 2009-02-25 4:18:44.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.108 [GMT -5:00]
Running from: c:\documents and settings\Administrator.AU-8685JKT5NN49\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-25 04:18 . 09-02-25 04:18 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_310.dat
2009-02-20 20:29 . 09-02-20 20:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_3a8.dat
2009-02-20 20:27 . 09-02-20 20:40 <DIR> d-------- C:\Combo-Fix
2009-02-16 19:41 . 09-02-23 07:35 926,216 ---h----- c:\winnt\ShellIconCache
2009-02-16 17:36 . 09-02-16 17:36 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 10:50 . 09-02-16 10:50 <DIR> d-------- C:\New Folder (2)
2009-02-15 21:17 . 09-02-15 21:17 1,968 --a------ c:\winnt\system32\xxyxUnLf.dll
2009-02-15 13:16 . 09-02-15 13:16 126,464 --a------ C:\ytprjxsv.exe
2009-02-15 13:16 . 09-02-15 13:16 19,968 --a------ C:\xyephkl.exe
2009-02-15 13:16 . 09-02-15 13:16 8,704 --a------ C:\jttgds.exe
2009-02-15 13:16 . 09-02-15 13:16 2 --a------ C:\1289912991
2009-02-15 13:15 . 09-02-15 13:15 72,704 --a------ c:\winnt\system32\rsvyrusj.dll
2009-02-15 13:15 . 09-02-15 13:15 40,448 --a------ C:\cwxwwgtl.exe
2009-02-15 13:12 . 09-02-15 13:12 302,592 --a------ c:\winnt\system32\cbXNHAtT.dll.vir
2009-02-15 13:06 . 09-02-15 13:06 1,968 --a------ c:\winnt\system32\nnnkLedA.dll
2009-02-15 13:05 . 09-02-15 13:05 36,352 --a------ c:\winnt\system32\hgGwXqQk.dll
2009-02-11 02:16 . 09-02-11 02:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScanSoft
2009-02-11 02:16 . 09-02-11 02:16 <DIR> d-------- c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\ScanSoft
2009-01-26 11:35 . 09-01-26 11:35 <DIR> d-------- c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Smith Micro
2009-01-26 11:31 . 09-01-26 11:31 <DIR> d-------- c:\program files\PANTECH
2009-01-26 11:31 . 06-11-01 17:21 319,456 --a------ c:\winnt\system32\DIFxAPI.dll
2009-01-26 11:31 . 08-05-16 23:46 77,824 --a------ c:\winnt\system32\PTDUwmcp.dll
2009-01-26 11:31 . 08-03-11 17:58 59,776 --a------ c:\winnt\system32\drivers\PTDUWWAN.sys
2009-01-26 11:31 . 08-03-11 17:58 41,344 --a------ c:\winnt\system32\drivers\PTDUMdm.sys
2009-01-26 11:31 . 08-03-11 17:58 39,936 --a------ c:\winnt\system32\drivers\PTDUVsp.sys
2009-01-26 11:31 . 08-03-11 17:58 29,824 --a------ c:\winnt\system32\drivers\PTDUBus.sys
2009-01-26 11:31 . 08-03-11 17:58 5,120 --a------ c:\winnt\system32\drivers\PTDUWFLT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 09:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 16:24 --------- d-----w c:\program files\Spyware Doctor
2009-02-12 18:34 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-02-11 09:31 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Canon
2009-02-11 07:51 --------- d-----w c:\program files\MSWorks
2009-02-11 07:18 --------- d---a-w c:\documents and settings\All Users\Application Data\SSScanWizard
2009-02-11 07:18 --------- d---a-w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-02-09 14:01 --------- d-----w c:\program files\Ascentive
2009-01-21 14:24 --------- d---a-w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\Ascentive
2009-01-11 00:26 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-11 00:18 --------- d-----w c:\program files\Cucusoft
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\Ascentive
2009-01-01 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\WinRocket
2009-01-01 18:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 17:17 --------- d-----w c:\documents and settings\Administrator.AU-8685JKT5NN49\Application Data\InstallShield
2006-05-01 19:06 98 ----a-w c:\program files\Common Files\WS_FTP.LOG
2006-05-01 19:06 22,483 ----a-w c:\program files\Common Files\index.html
2003-12-24 16:59 271 ---h--w c:\program files\desktop.ini
2003-12-24 16:59 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [03-05-02 02:19 4640768]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [05-12-27 21:13 360448]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [02-06-12 23:50 167936]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [03-05-08 11:00 49152]
"oleaut32.dll"="c:\program files\Spyware Doctor\pctsTray.exe" [08-08-25 12:36 1168264]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [03-07-14 22:53 34880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 815104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudorat\EuShlExt.dll" [06-08-17 13:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R1 crlscsi;crlscsi;c:\winnt\system32\drivers\crlscsi.sys [2006-01-02 6144]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\winnt\system32\drivers\Msikbd2k.sys [2005-12-27 6656]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [2008-09-14 160792]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2005-12-27 28672]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\winnt\system32\drivers\es1370mp.sys [2003-12-24 41328]
R3 IBMFE;IBM 10/100 Ethernet PCI Adapter NT Driver;c:\winnt\system32\drivers\ibmfent5.sys [2006-01-04 85776]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-07 24784]
R3 S3Inc;S3Inc;c:\winnt\system32\drivers\s3sav4m.sys [2003-12-24 65072]
S3 InCDFat;Ahead InCDFat File System Driver;c:\winnt\system32\drivers\InCDFat.sys [2006-01-03 134144]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\winnt\system32\drivers\PTDUBus.sys [2009-01-26 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\winnt\system32\drivers\PTDUMdm.sys [2009-01-26 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\winnt\system32\drivers\PTDUVsp.sys [2009-01-26 39936]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\winnt\system32\drivers\PTDUWFLT.sys [2009-01-26 5120]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\winnt\system32\drivers\PTDUWWAN.sys [2009-01-26 59776]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-14 356920]

--- Other Services/Drivers In Memory ---

*Deregistered* - InCDFatRec
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\winnt\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-07-25 c:\winnt\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stjpub.com/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Pop-Up Blocker Pro Full\Pop-UpBlockerProFull.exe
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} - hxxp://www.freehandmusic.com/Update/biblionet.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 04:21:38
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(240)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-02-25 4:23:58
ComboFix-quarantined-files.txt 2009-02-25 09:23:37
ComboFix2.txt 2009-02-21 01:39:34
ComboFix3.txt 2009-02-18 21:47:59

Pre-Run: 975,519,744 bytes free
Post-Run: 1,139,470,336 bytes free

145 --- E O F --- 2009-02-25 08:00:26

#13 fenzodahl512

  • Members
  • 6,738 posts

Posted 25 February 2009 - 05:34 PM

Please download OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    
    :files
    c:\winnt\system32\xxyxUnLf.dll
    C:\ytprjxsv.exe
    C:\xyephkl.exe
    C:\jttgds.exe
    C:\1289912991
    c:\winnt\system32\rsvyrusj.dll
    C:\cwxwwgtl.exe
    c:\winnt\system32\cbXNHAtT.dll.vir
    c:\winnt\system32\nnnkLedA.dll
    c:\winnt\system32\hgGwXqQk.dll
    
    :reg
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Run ComboFix again.. Post these logs in your next reply..

1. OTMoveIt3
2. ComboFix



#14 fenzodahl512

  • Members
  • 6,738 posts

Posted 04 March 2009 - 04:57 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





