
Zlog variation I think


This topic is locked
46 replies to this topic

#1 kelumhi

  • Members
  • 30 posts

Posted 17 April 2009 - 09:24 PM

A few weeks ago I got a virus that redirected me to different sites, disabled me from going to certain anti-virus sites like safer-networking and downloading things from Microsoft.com, as well as activating a program called "Antivirus 2009" which seems to be a scam to get me to pay for nothing. (There is a possibility this virus has also made it so I don't have any sound, but there is a chance that that is not the case, so I'm OK with ignoring that.)

I have taken care of getting redirected by disabling a proxy set by the virus (which I believe to be Zlog), but I still have the problem of the program running itself and me not being able to load certain websites. What appears in Firefox when I try to load "http://www.safer-networking.org/" is the following message:

Address Not Found

Firefox can't find the server at www.safer-networking.org.

The browser could not find the host server for the provided address.

* Did you make a mistake when typing the domain? (e.g. "ww.mozilla.org" instead of "www.mozilla.org")
* Are you certain this domain address exists? Its registration may have expired.
* Are you unable to browse other sites? Check your network connection and DNS server settings.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.


I find the problem of downloading things doesn't only pertain to my browser either. If I activate any program that needs to communicate with any blocked website, that program is blocked as well. (Typing into cmd: ping www.safer-networking.org comes up with a message saying "Ping request could not find host www.safer-networking.org. Please check the name and try again.")

What I know about the "Antivirus 2009" program (which is what I referenced to identify the virus as Zlog) is only that it runs on startup, can open new Firefox windows, and runs from a program in C:\WINDOWS called "sysguard" with the description "Блокнот".

My computer is:

Legit copy of Windows XP
Media Center Edition
Service Pack 2
eMachines T6542


If requested I can post a "dxdiag".


DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Owner at 18:29:37.17 on Fri 04/17/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1489 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner.MAIN2\Desktop\HijackThis.exe
C:\Documents and Settings\Owner.MAIN2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6542
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6542
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3d0c0b0f-0920-4a86-acfe-ad00f6a3b2bd} - c:\windows\system32\efcDVpnO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [system tool] c:\windows\sysguard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208149143234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: opnooPjH - opnooPjH.dll
AppInit_DLLs: phrhbw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcDVpnO

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.mai\applic~1\mozilla\firefox\profiles\yt14ji4v.default\
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {40909916-35C6-4349-9098-8ED014AD5282} - c:\documents and settings\owner.main2\local settings\application data\{40909916-35C6-4349-9098-8ED014AD5282}

============= SERVICES / DRIVERS ===============

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-6-18 23856]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\docume~1\owner~1.mai\locals~1\temp\everestdriver.sys --> c:\docume~1\owner~1.mai\locals~1\temp\EverestDriver.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-7-20 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-7-20 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-7-20 23680]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2009-04-17 16:44 10,752 a------- c:\windows\system32\iehelper.dll
2009-04-17 16:34 290,320 a------- c:\windows\sysguard.exe
2009-04-02 14:39 <DIR> --d----- c:\program files\Age of Wonders Shadow Magic
2009-04-02 14:06 <DIR> --d----- c:\program files\Age of Wonders II
2009-04-01 16:45 <DIR> --d----- c:\docume~1\owner~1.mai\applic~1\Malwarebytes
2009-04-01 16:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 16:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 16:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 16:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-31 15:48 <DIR> --d----- c:\program files\AskBarDis
2009-03-30 18:00 176,128 -------- c:\windows\system32\nvuide.exe
2009-03-30 18:00 1,570 -------- c:\windows\system32\nvide.nvu
2009-03-30 17:48 176,128 a------- c:\windows\system32\nvusmb.exe
2009-03-30 17:48 1,864 a------- c:\windows\system32\nvsmb.nvu
2009-03-30 17:47 290,304 a------- c:\windows\system32\idecoiins.dll
2009-03-30 17:47 290,304 a------- c:\windows\system32\idecoi.dll
2009-03-30 17:47 99,584 a------- c:\windows\system32\drivers\nvata.sys
2009-03-30 17:47 35,840 a------- c:\windows\system32\NVCOI.DLL
2009-03-21 10:59 88,566 a------- c:\windows\system32\nvapps.xml
2009-03-21 10:59 208,896 a------- c:\windows\system32\nvudisp.exe
2009-03-21 10:59 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-03-21 10:58 208,896 a------- c:\windows\system32\NVUNINST.EXE
2009-03-21 10:58 <DIR> --d----- C:\NVIDIA
2009-03-20 22:41 244 a---h--- C:\sqmnoopt16.sqm
2009-03-20 22:41 232 a---h--- C:\sqmdata16.sqm
2009-03-20 22:06 135,168 a------- c:\windows\system32\RtlCPAPI.dll
2009-03-20 22:04 69,632 a------- c:\windows\Alcmtr.exe
2009-03-20 21:53 <DIR> --d----- c:\program files\Driver Sweeper
2009-03-20 19:15 <DIR> --d----- c:\docume~1\owner~1.mai\applic~1\Spore

==================== Find3M ====================

2009-04-14 16:09 10,066 a------- c:\docume~1\owner~1.mai\applic~1\wklnhst.dat
2009-03-07 15:33 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-03-04 23:21 32,463 a------- c:\windows\system32\ForceBindIP-Uninstaller.exe
2009-03-04 23:14 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-02-25 17:22 743,621 a------- c:\windows\system32\RPUpdates.zip
2009-02-18 16:05 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-17 04:56 57,810 a--sh--- c:\windows\system32\OnpVDcfe.ini2
2009-02-16 23:47 8,704 a------- c:\windows\system32\userinit.exe
2008-12-09 00:53 48,704 a------- c:\docume~1\owner~1.mai\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 18:30:15.95 ===============



Thank you for your help. If you find anything missing, I will try to the best of my ability to help you.
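The DDS "Pseudo HJT Report" above lists the loading points a helper reads first. The following is an added example, not code from this thread, from DDS, or from BleepingComputer: a small Python triage script that applies a few review heuristics to lines in that format (a non-empty AppInit_DLLs value, an extra LSA authentication package beyond the XP default msv1_0, a Winlogon Notify DLL given without a path, a BHO with no registered name, an autostart executable sitting directly in the Windows folder, and DLL/EXE stems whose shape looks machine-generated). The sample input is constructed but mirrors entries from the log above; the heuristics, the function names and the Finding type are this example's own assumptions, and the name-shape test is only a prompt for manual review, since legitimate DLLs can match it too.

```python
"""Review heuristics for DDS 'Pseudo HJT Report' lines (added example, not DDS code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS pseudo-HJT format; values mirror entries seen in the post.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {3d0c0b0f-0920-4a86-acfe-ad00f6a3b2bd} - c:\windows\system32\efcDVpnO.dll
Notify: opnooPjH - opnooPjH.dll
AppInit_DLLs: phrhbw.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcDVpnO
"""

# An .exe directly under the Windows folder (not in system32 or a vendor subfolder).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# "[label] command line" as DDS prints Run entries.
RUN_ENTRY = re.compile(r"^\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def looks_random(path):
    """Heuristic: gibberish stems such as efcDVpnO (several inner capitals) or phrhbw (no vowels).
    Legitimate names can match as well, so a hit only means 'look closer'."""
    stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
    if not stem.isalpha() or len(stem) < 6:
        return False
    inner_upper = sum(1 for ch in stem[1:] if ch.isupper())
    vowels = sum(1 for ch in stem.lower() if ch in "aeiou")
    return inner_upper >= 2 or vowels == 0


def first_token(cmd):
    """Executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line):
    """Return the reasons one report line deserves review (empty list if none)."""
    reasons = []
    key, _, value = line.partition(":")
    key, value = key.strip(), value.strip()
    if key == "AppInit_DLLs":
        if value:
            reasons.append("AppInit_DLLs is non-empty: listed DLLs load into every process that links user32.dll")
    elif key == "LSA":
        name, _, pkgs = value.partition("=")
        if name.strip() == "Authentication Packages":
            extra = [p for p in pkgs.split() if p.lower() != "msv1_0"]
            if extra:
                reasons.append("LSA authentication package(s) beyond the XP default msv1_0: " + ", ".join(extra))
    elif key == "Notify":
        dll = value.rsplit(" - ", 1)[-1]
        if "\\" not in dll:
            reasons.append("Winlogon notification DLL listed without a full path: " + dll)
        if looks_random(dll):
            reasons.append("notification DLL name looks machine-generated: " + dll)
    elif key == "BHO":
        dll = value.rsplit(" - ", 1)[-1]
        if value.startswith("{"):
            reasons.append("browser helper object has no registered name")
        if looks_random(dll):
            reasons.append("BHO DLL name looks machine-generated: " + dll)
    elif key in ("uRun", "mRun"):
        m = RUN_ENTRY.match(value)
        if m:
            exe = first_token(m.group("cmd"))
            if WINDOWS_ROOT_EXE.match(exe):
                reasons.append("autostart executable sits directly in the Windows folder: " + exe)
            if looks_random(exe):
                reasons.append("autostart executable name looks machine-generated: " + exe)
    return reasons


def triage(report_text):
    """One Finding per report line that raised at least one reason, in report order."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the constructed sample it reports five lines: the sysguard.exe Run entry, the unnamed BHO, the Notify entry, the AppInit_DLLs value and the LSA package, while ctfmon.exe, the NVIDIA Run entry and the Java BHO pass quietly.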



#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 17 April 2009 - 10:09 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

  • Link 1
  • Link 2
  • Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 kelumhi

  • Topic Starter

  • Members
  • 30 posts

Posted 17 April 2009 - 11:46 PM

All immediate signs of the virus seem to be gone; all that seems to be left is the collateral damage (sound and my desktop appearance). Here are the logs as requested.



ComboFix's log:

ComboFix 09-04-18.01 - Owner 04/17/2009 21:06.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1637 [GMT -7:00]
Running from: c:\documents and settings\Owner.MAIN2\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner.MAIN2\Application Data\Adobe\crc.dat
C:\install.exe
c:\windows\sysguard.exe
c:\windows\system32\drivers\gaopdxqkkjonkx.sys
c:\windows\system32\drivers\gaopdxxouqfwkp.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxrjpkhaeh.dll
c:\windows\system32\gmruprqp.ini
c:\windows\system32\iehelper.dll
c:\windows\system32\mbiqpsih.ini
c:\windows\system32\OnpVDcfe.ini
c:\windows\system32\OnpVDcfe.ini2
c:\windows\system32\qbxgysaa.ini
c:\windows\system32\tbrthvay.ini
c:\windows\Tasks\fdpnjart.job
D:\Autorun.inf
d:\recycler\S-3-5-50-100025554-100005039-100006940-2215.com
d:\recycler\S-5-4-50-100030089-100009424-100027840-5881.com
d:\recycler\S-5-5-17-100025122-100007794-100031214-1816.com
d:\recycler\S-5-5-26-100013067-100009745-100003210-6053.com

----- BITS: Possible infected sites -----

hxxp://end-extra.com
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\stu2.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-02 21:39 . 2009-04-10 23:09 -------- d-----w c:\program files\Age of Wonders Shadow Magic
2009-04-02 21:06 . 2009-04-02 22:36 -------- d-----w c:\program files\Age of Wonders II
2009-04-01 23:45 . 2009-04-01 23:45 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Malwarebytes
2009-04-01 23:45 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 23:45 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 23:45 . 2009-04-01 23:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 23:45 . 2009-04-01 23:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 23:00 . 2009-03-31 23:00 -------- d-----w c:\documents and settings\Owner.MAIN2\Local Settings\Application Data\{40909916-35C6-4349-9098-8ED014AD5282}
2009-03-31 22:48 . 2009-03-31 22:48 -------- d-----w c:\program files\AskBarDis
2009-03-31 01:00 . 2006-10-26 23:44 176128 ------w c:\windows\system32\nvuide.exe
2009-03-31 01:00 . 2006-10-26 23:44 1570 ------w c:\windows\system32\nvide.nvu
2009-03-31 00:48 . 2006-10-26 23:44 1864 ----a-w c:\windows\system32\nvsmb.nvu
2009-03-31 00:48 . 2006-10-26 23:44 176128 ----a-w c:\windows\system32\nvusmb.exe
2009-03-31 00:47 . 2006-10-26 23:44 99584 ----a-w c:\windows\system32\drivers\nvata.sys
2009-03-31 00:47 . 2006-10-26 23:44 35840 ----a-w c:\windows\system32\NVCOI.DLL
2009-03-31 00:47 . 2006-10-26 23:44 290304 ----a-w c:\windows\system32\idecoiins.dll
2009-03-31 00:47 . 2006-10-26 23:44 290304 ----a-w c:\windows\system32\idecoi.dll
2009-03-21 17:59 . 2009-04-18 04:17 88566 ----a-w c:\windows\system32\nvapps.xml
2009-03-21 17:59 . 2006-10-22 19:22 208896 ----a-w c:\windows\system32\nvudisp.exe
2009-03-21 17:59 . 2006-10-22 19:22 17056 ----a-w c:\windows\system32\nvdisp.nvu
2009-03-21 17:58 . 2006-10-22 22:06 208896 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-21 17:58 . 2009-03-21 17:58 -------- d-----w C:\NVIDIA
2009-03-21 05:41 . 2009-03-21 05:41 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-21 05:41 . 2009-03-21 05:41 232 ---ha-w C:\sqmdata16.sqm
2009-03-21 05:06 . 2006-10-26 23:50 135168 ----a-w c:\windows\system32\RtlCPAPI.dll
2009-03-21 05:04 . 2006-10-26 23:49 69632 ----a-w c:\windows\Alcmtr.exe
2009-03-21 04:53 . 2009-03-21 04:53 -------- d-----w c:\program files\Driver Sweeper
2009-03-21 02:15 . 2009-03-21 02:15 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Spore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 23:09 . 2006-12-12 23:23 10066 ----a-w c:\documents and settings\Owner.MAIN2\Application Data\wklnhst.dat
2009-04-01 23:06 . 2006-11-25 07:35 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Xfire
2009-04-01 08:31 . 2006-06-19 04:25 39896 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 07:58 . 2008-11-25 07:56 -------- d-----w c:\program files\Maple 12
2009-03-31 22:55 . 2007-10-02 06:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-21 05:04 . 2003-01-01 09:36 -------- d-----w c:\program files\Realtek
2009-03-21 02:27 . 2007-08-14 15:06 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\uTorrent
2009-03-13 00:19 . 2003-01-01 09:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 01:55 . 2006-12-23 03:37 -------- d-----w c:\program files\directx
2009-03-08 01:01 . 2009-03-08 01:01 -------- d-----w c:\program files\Nortel Networks
2009-03-08 01:01 . 2009-03-08 01:01 -------- d-----w c:\program files\SETOOLS
2009-03-08 01:01 . 2009-03-08 01:01 -------- d-----w c:\program files\InstLogs
2009-03-07 22:33 . 2009-03-07 22:33 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-03-05 06:59 . 2009-03-05 06:15 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Hamachi
2009-03-05 06:21 . 2009-03-05 06:21 32463 ----a-w c:\windows\system32\ForceBindIP-Uninstaller.exe
2009-03-05 06:14 . 2009-03-05 06:14 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-03-04 06:16 . 2009-02-17 07:41 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-02 07:06 . 2008-02-18 09:44 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\SystemRequirementsLab
2009-03-02 05:24 . 2009-03-02 05:24 -------- d-----w c:\program files\Datapol
2009-02-26 03:00 . 2009-02-26 03:00 268 ---ha-w C:\sqmdata15.sqm
2009-02-26 03:00 . 2009-02-26 03:00 244 ---ha-w C:\sqmnoopt15.sqm
2009-02-26 02:47 . 2009-02-18 19:48 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 02:43 . 2009-02-26 00:21 -------- d-----w c:\program files\RegistryPatrol3.0
2009-02-26 01:18 . 2008-03-21 23:41 -------- d-----w c:\program files\Lavasoft
2009-02-26 01:18 . 2008-03-21 23:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-26 01:15 . 2009-02-17 19:17 9758 ----a-w C:\aaw7boot.log
2009-02-26 00:22 . 2009-02-26 00:22 743621 ----a-w c:\windows\system32\RPUpdates.zip
2009-02-25 23:07 . 2007-08-30 03:12 -------- d-----w c:\program files\PowerISO
2009-02-24 09:59 . 2007-05-30 22:26 -------- d-----w c:\program files\DivX
2009-02-22 21:02 . 2007-10-02 03:38 -------- d--h--w c:\program files\Replay Converter
2009-02-22 10:18 . 2009-01-23 05:45 -------- d-----w c:\program files\iPod
2009-02-18 23:05 . 2009-02-18 23:06 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-09 07:53 . 2007-06-01 04:30 48704 ----a-w c:\documents and settings\Owner.MAIN2\Application Data\GDIPFONTCACHEV1.DAT
2006-06-19 04:25 . 2006-11-25 04:46 13104 ----a-w c:\documents and settings\Owner.MAIN2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 22:20 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-24 185896]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=phrhbw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 19:00 15360 ----a-w c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-09-18 14:16 171464 ----a-w c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 21:06 290088 ----a-w c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-01-19 20:54 5674352 ----a-w c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-06 00:18 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 02:44 139264 ----a-w c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 ----a-w c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 02:24 966656 ----a-w c:\windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27 144784 ----a-w c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-02-24 04:44 185896 ----a-w c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-31 00:45 313472 ----a-r c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2008-12-16 17:07 3528440 ----a-w c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2006-10-26 23:49 69632 ----a-w c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 00:19 77312 ----a-w c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-26 23:50 15473664 ----a-w c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Games\\Worms Armageddon - New Edition\\WA.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7070:TCP"= 7070:TCP:nfr

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-10-09 23856]
R3 EverestDriver;Lavalys EVEREST Kernel Driver; [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{879336a5-1d69-11d7-aea9-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{3D0C0B0F-0920-4A86-ACFE-AD00F6A3B2BD} - c:\windows\system32\efcDVpnO.dll
BHO-{ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - c:\windows\system32\iehelper.dll
HKCU-Run-system tool - c:\windows\sysguard.exe
Notify-opnooPjH - opnooPjH.dll
MSConfigStartUp-403cff8c - c:\windows\system32\pqrpurmg.dll
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-Lsazujofuloho - c:\windows\Pbuxiwitatux.dll
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SpyHunter Security Suite - c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
MSConfigStartUp-sysguard - c:\windows\sysguard.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6542
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\Paltalk Messenger\Paltalk.exe
FF - ProfilePath - c:\documents and settings\Owner.MAIN2\Application Data\Mozilla\Firefox\Profiles\yt14ji4v.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Real\RealPlayer\realplay.exe
.
**************************************************************************
.
Completion time: 2009-04-18 21:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 04:23

Pre-Run: 16,235,839,488 bytes free
Post-Run: 18,215,895,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

261 --- E O F --- 2009-02-11 11:14


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:47 PM, on 4/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.MAIN2\Desktop\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T6542
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208149143234
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: phrhbw.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)

--
End of file - 5457 bytes


Also, ComboFix asked me to save these two addresses for "future use", so I'll post them here as well.

combofix has detected the presence of rootkit activity and needs to reboot the machine. kindly note down on paper the name of each file. we may need it later

c:\windows\system32\drivers\gaopdxqkkjonkx.sys
c:\windows\system32\gaopdxrjpkhaeh.dll



#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 18 April 2009 - 03:37 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{879336a5-1d69-11d7-aea9-806d6172696f}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 kelumhi
  • Topic Starter
  • Members
  • 30 posts

Posted 18 April 2009 - 01:50 PM

ComboFix

ComboFix 09-04-19.01 - Owner 04/18/2009 11:23.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1573 [GMT -7:00]
Running from: c:\documents and settings\Owner.MAIN2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.MAIN2\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-18 04:53 . 2009-04-18 04:53 -------- dc----w c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-04-02 21:39 . 2009-04-10 23:09 -------- d-----w c:\program files\Age of Wonders Shadow Magic
2009-04-02 21:06 . 2009-04-02 22:36 -------- d-----w c:\program files\Age of Wonders II
2009-04-01 23:45 . 2009-04-01 23:45 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Malwarebytes
2009-04-01 23:45 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 23:45 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 23:45 . 2009-04-01 23:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 23:45 . 2009-04-01 23:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 23:00 . 2009-03-31 23:00 -------- d-----w c:\documents and settings\Owner.MAIN2\Local Settings\Application Data\{40909916-35C6-4349-9098-8ED014AD5282}
2009-03-31 22:48 . 2009-03-31 22:48 -------- d-----w c:\program files\AskBarDis
2009-03-31 01:00 . 2006-10-26 23:44 176128 ------w c:\windows\system32\nvuide.exe
2009-03-31 01:00 . 2006-10-26 23:44 1570 ------w c:\windows\system32\nvide.nvu
2009-03-31 00:48 . 2006-10-26 23:44 1864 ----a-w c:\windows\system32\nvsmb.nvu
2009-03-31 00:48 . 2006-10-26 23:44 176128 ----a-w c:\windows\system32\nvusmb.exe
2009-03-31 00:47 . 2006-10-26 23:44 99584 ----a-w c:\windows\system32\drivers\nvata.sys
2009-03-31 00:47 . 2006-10-26 23:44 35840 ----a-w c:\windows\system32\NVCOI.DLL
2009-03-31 00:47 . 2006-10-26 23:44 290304 ----a-w c:\windows\system32\idecoiins.dll
2009-03-31 00:47 . 2006-10-26 23:44 290304 ----a-w c:\windows\system32\idecoi.dll
2009-03-21 17:59 . 2009-04-18 07:51 88566 ----a-w c:\windows\system32\nvapps.xml
2009-03-21 17:59 . 2006-10-22 19:22 208896 ----a-w c:\windows\system32\nvudisp.exe
2009-03-21 17:59 . 2006-10-22 19:22 17056 ----a-w c:\windows\system32\nvdisp.nvu
2009-03-21 17:58 . 2006-10-22 22:06 208896 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-21 17:58 . 2009-03-21 17:58 -------- d-----w C:\NVIDIA
2009-03-21 05:41 . 2009-03-21 05:41 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-21 05:41 . 2009-03-21 05:41 232 ---ha-w C:\sqmdata16.sqm
2009-03-21 05:06 . 2006-10-26 23:50 135168 ----a-w c:\windows\system32\RtlCPAPI.dll
2009-03-21 05:04 . 2006-10-26 23:49 69632 ----a-w c:\windows\Alcmtr.exe
2009-03-21 04:53 . 2009-03-21 04:53 -------- d-----w c:\program files\Driver Sweeper
2009-03-21 02:15 . 2009-03-21 02:15 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Spore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 23:09 . 2006-12-12 23:23 10066 ----a-w c:\documents and settings\Owner.MAIN2\Application Data\wklnhst.dat
2009-04-01 23:06 . 2006-11-25 07:35 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Xfire
2009-04-01 08:31 . 2006-06-19 04:25 39896 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 07:58 . 2008-11-25 07:56 -------- d-----w c:\program files\Maple 12
2009-03-31 22:55 . 2007-10-02 06:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-21 05:04 . 2003-01-01 09:36 -------- d-----w c:\program files\Realtek
2009-03-21 02:27 . 2007-08-14 15:06 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\uTorrent
2009-03-16 21:18 . 2009-04-18 04:39 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-18 04:39 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-18 04:39 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-18 04:39 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-13 00:19 . 2003-01-01 09:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 22:27 . 2009-04-18 04:39 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-04-18 04:39 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 22:27 . 2009-04-18 04:39 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-08 01:55 . 2006-12-23 03:37 -------- d-----w c:\program files\directx
2009-03-08 01:01 . 2009-03-08 01:01 -------- d-----w c:\program files\Nortel Networks
2009-03-08 01:01 . 2009-03-08 01:01 -------- d-----w c:\program files\SETOOLS
2009-03-08 01:01 . 2009-03-08 01:01 -------- d-----w c:\program files\InstLogs
2009-03-07 22:33 . 2009-03-07 22:33 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-03-05 06:59 . 2009-03-05 06:15 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\Hamachi
2009-03-05 06:21 . 2009-03-05 06:21 32463 ----a-w c:\windows\system32\ForceBindIP-Uninstaller.exe
2009-03-05 06:14 . 2009-03-05 06:14 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-03-04 06:16 . 2009-02-17 07:41 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-02 07:06 . 2008-02-18 09:44 -------- d-----w c:\documents and settings\Owner.MAIN2\Application Data\SystemRequirementsLab
2009-03-02 05:24 . 2009-03-02 05:24 -------- d-----w c:\program files\Datapol
2009-02-26 03:00 . 2009-02-26 03:00 268 ---ha-w C:\sqmdata15.sqm
2009-02-26 03:00 . 2009-02-26 03:00 244 ---ha-w C:\sqmnoopt15.sqm
2009-02-26 02:47 . 2009-02-18 19:48 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 02:43 . 2009-02-26 00:21 -------- d-----w c:\program files\RegistryPatrol3.0
2009-02-26 01:18 . 2008-03-21 23:41 -------- d-----w c:\program files\Lavasoft
2009-02-26 01:18 . 2008-03-21 23:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-26 01:15 . 2009-02-17 19:17 9758 ----a-w C:\aaw7boot.log
2009-02-26 00:22 . 2009-02-26 00:22 743621 ----a-w c:\windows\system32\RPUpdates.zip
2009-02-25 23:07 . 2007-08-30 03:12 -------- d-----w c:\program files\PowerISO
2009-02-24 09:59 . 2007-05-30 22:26 -------- d-----w c:\program files\DivX
2009-02-22 21:02 . 2007-10-02 03:38 -------- d--h--w c:\program files\Replay Converter
2009-02-22 10:18 . 2009-01-23 05:45 -------- d-----w c:\program files\iPod
2009-02-18 23:05 . 2009-02-18 23:06 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-09 07:53 . 2007-06-01 04:30 48704 ----a-w c:\documents and settings\Owner.MAIN2\Application Data\GDIPFONTCACHEV1.DAT
2006-06-19 04:25 . 2006-11-25 04:46 13104 ----a-w c:\documents and settings\Owner.MAIN2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_04.17.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 04:39 . 2008-10-27 17:04 70992 c:\windows\system32\XAPOFX1_2.dll
+ 2009-04-18 04:39 . 2008-10-27 17:04 23376 c:\windows\system32\X3DAudio1_5.dll
+ 2009-04-18 04:39 . 2008-10-27 17:04 514384 c:\windows\system32\XAudio2_3.dll
+ 2009-04-18 04:39 . 2008-10-27 17:04 235856 c:\windows\system32\xactengine3_3.dll
+ 2009-04-18 04:39 . 2008-10-10 11:52 452440 c:\windows\system32\d3dx10_40.dll
+ 2006-02-14 23:20 . 2009-02-06 19:35 1486208 c:\windows\system32\LegitCheckControl.DLL
+ 2009-04-18 04:39 . 2008-10-10 11:52 4379984 c:\windows\system32\D3DX9_40.dll
+ 2009-04-18 04:39 . 2008-10-10 11:52 2036576 c:\windows\system32\D3DCompiler_40.dll
+ 2009-04-18 04:36 . 2008-03-21 01:06 1480232 c:\windows\LastGood\system32\LegitCheckControl.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 22:20 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-12-16 3528440]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-24 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-26 15473664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Games\\Worms Armageddon - New Edition\\WA.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7070:TCP"= 7070:TCP:nfr

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-10-09 23856]
R3 EverestDriver;Lavalys EVEREST Kernel Driver; [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6542
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner.MAIN2\Application Data\Mozilla\Firefox\Profiles\yt14ji4v.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 11:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Real\RealPlayer\realplay.exe
c:\program files\MSN Messenger\livecall.exe
.
**************************************************************************
.
Completion time: 2009-04-18 11:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 18:36
ComboFix2.txt 2009-04-18 04:24

Pre-Run: 18,111,094,784 bytes free
Post-Run: 18,097,029,120 bytes free

192 --- E O F --- 2009-02-11 11:14


HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:28 AM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.MAIN2\Desktop\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T6542
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Power2GoExpress] NA
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208149143234
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)

--
End of file - 5922 bytes
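
As an added example (not from the thread), the parser below reads HijackThis v2 entry lines, flags the entry types the helpers above are acting on (O20 AppInit_DLLs, O10 Winsock LSP, orphaned O2/O23 entries) and diffs a before/after pair of logs to confirm the CFScript removed the AppInit_DLLs value. The sample lines are excerpts constructed from the two logs posted in this thread; the function and class names are my own.

```python
"""Parse HijackThis v2 log entries and compare a before/after pair of scans.

Added example, not part of the thread. Sample lines are constructed excerpts of
the two HijackThis logs posted above; helper names are assumptions.
"""
import re
from dataclasses import dataclass

# A HijackThis entry line: section code (R0..R3, F0..F3, N1..N4, O1..O24),
# then " - ", then the body of the entry.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True, order=True)
class HjtEntry:
    kind: str
    body: str


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the entry lines of a log; header and 'Running processes' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group("kind"), m.group("body")))
    return entries


def flag_entries(entries: list[HjtEntry]) -> list[tuple[HjtEntry, str]]:
    """Pick out the entry types that most often carry a persistence mechanism."""
    findings = []
    for e in entries:
        if e.kind == "O20" and e.body.startswith("AppInit_DLLs:"):
            # A DLL named here is loaded into every process that links user32.dll,
            # which is why the CFScript in this thread blanks the value.
            value = e.body.partition(":")[2].strip()
            if value:
                findings.append((e, f"AppInit_DLLs loads {value} into every GUI process"))
        elif e.kind == "O10":
            # HijackThis did not recognise the LSP DLL; verify the file by path and
            # signature before changing anything in the Winsock chain.
            findings.append((e, "unrecognised Winsock LSP, verify file origin"))
        elif e.kind == "O2" and e.body.endswith("(no file)"):
            findings.append((e, "orphaned BHO registration"))
        elif e.kind == "O23" and e.body.endswith("(file missing)"):
            findings.append((e, "service points at a missing binary"))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[HjtEntry], list[HjtEntry]]:
    """Entries that disappeared and entries that appeared between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def appinit_cleared(before: str, after: str) -> bool:
    """True when an O20 AppInit_DLLs entry was present before and is gone after."""
    had_before = any(e.kind == "O20" for e in parse_hjt(before))
    still_there = any(e.kind == "O20" for e in parse_hjt(after))
    return had_before and not still_there


# Constructed excerpts of the two logs in this thread (before and after the CFScript run).
BEFORE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O20 - AppInit_DLLs: phrhbw.dll
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exe (file missing)
"""

AFTER_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exe (file missing)
"""


if __name__ == "__main__":
    for entry, why in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"{entry.kind:<4} {why}: {entry.body}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", [f"{e.kind} - {e.body}" for e in removed])
    print("added:  ", [f"{e.kind} - {e.body}" for e in added])
    print("AppInit_DLLs cleared:", appinit_cleared(BEFORE_LOG, AFTER_LOG))
```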

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 18 April 2009 - 02:03 PM

Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


How's the computer now? Still got a problem with sound and Desktop? Please elaborate more..



#7 kelumhi
  • Topic Starter
  • Members
  • 30 posts

Posted 19 April 2009 - 02:09 AM

I am not sure exactly what my problem is with my desktop, so I'm a little sketchy asking for help, but here is what I have so far:

My sound, for the most part, doesn't work. I cannot hear any kind of sound through my speakers besides what is sent directly from a program that comes with my drivers. What I have tested to try to hear sound (to no avail) on this computer are multiple games, RealPlayer, iTunes, Windows Media Player, and several flash based items (browser games/YouTube). The program that I can hear sound on is called "Realtek HD Sound Manager" and by using the feature to test the speaker connection, I can get noise out of them. To rephrase, when I hit a button, I have a complex noise come out of my speakers. Another thing that I have noticed is that under Control Panel--->Sound and Audio Devices--->"Volume" tab, it states "no audio device", with the volume and mute button grayed out (I don't have the option of moving them).

I am 99% sure that my problem with my sound is software based, but I'm not sure if the problem is caused by the virus, so I am a little hesitant to ask for help on this issue yet. In my personal opinion it is most likely to be caused by my messed up desktop.

Specifically, what is wrong with my desktop is that it has the appearance and close to the functionality of Safe Mode. Everything looks like the old 95/98/2000 desktop with the gray taskbar, and when I try to use several features in XP I get "error 1084: this service cannot be started in safe mode". I am positive that I am not in Safe Mode for the single reason that I do not have the words "Safe Mode" in all 4 corners of my screen (which I would if I started in Safe Mode); furthermore, I do not get the prompt I normally do when I start in Safe Mode.

How I came to this point with my desktop is that within the first 24 hours that I got the "ZLOB" virus, I went into Safe Mode by hitting the correct F# (F8?) command and then using Run-->"msconfig"-->boot.ini tab-->safemode w\ networking. I then downloaded Ad-Aware antivirus and a few products like it to get rid of my virus, but none of them worked. After that I went back to Run-->"msconfig"-->"General" tab and told it to go back to doing the normal startup. But by that point my desktop was messed up in normal mode as described above.


But again, I'm not exactly sure what caused any of this, be it malware, me trying to get rid of the malware, or just a normal bug in XP, so I'm not sure if it's appropriate or not to ask for help about this on an anti-malware/trojan forum.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, April 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, April 18, 2009 19:03:47
Records in database: 2058857
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 260427
Threat name: 18
Infected objects: 45
Suspicious objects: 0
Duration of the scan: 05:56:23


File name / Threat name / Threats count
C:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1
C:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.g 1
C:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1
C:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
C:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1
C:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.g 1
C:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1
C:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
C:\Documents and Settings\Owner.MAIN2\.housecall6.6\Quarantine\79_003.exe.bac_a00332 Infected: Trojan.Win32.Agent.abzm 1
C:\Documents and Settings\Owner.MAIN2\.housecall6.6\Quarantine\7h4vs4um.exe.bac_a00332 Infected: Trojan-Downloader.Win32.Zlob.krg 1
C:\Documents and Settings\Owner.MAIN2\.housecall6.6\Quarantine\iehelper.dll.bac_a00332 Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.eo 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-1218168c Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\6.0\29\775d249d-46808e63 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-79cb1272 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-6bdf5a04 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-213f2909 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-64b4fa93.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-543191ff.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-59bdeb0c.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-7fa5d1a1.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner.MAIN2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-4d7ee79d.zip Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxrjpkhaeh.dll.vir Infected: Rootkit.Win32.TDSS.gxu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.mm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.bhhd 1
D:\i386\Apps\App17981\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0001027.com Infected: Packed.Win32.Tdss.c 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0001028.com Infected: Packed.Win32.Tdss.c 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0001029.com Infected: Packed.Win32.Tdss.c 1
D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0001030.com Infected: Packed.Win32.Tdss.c 1
F:\Documents and Settings\ath1557\Local Settings\Temp\smo5.tmp Infected: not-a-virus:AdWare.Win32.Beginto.i 1
F:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1
F:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.g 1
F:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1
F:\Documents and Settings\ath1557\My Documents\keepers\desktop_backup\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
F:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1
F:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.g 1
F:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1
F:\Documents and Settings\ath1557\My Documents\_Restored-C\Documents and Settings\ath1557\install\cd burner\burn4free_setup.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 1
F:\Documents and Settings\Guest\Local Settings\Temp\smo13.tmp Infected: not-a-virus:AdWare.Win32.Beginto.i 1
F:\Documents and Settings\Owner\Local Settings\Temp\180C4D.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
F:\Documents and Settings\Owner\Local Settings\Temp\smo9E.tmp Infected: not-a-virus:AdWare.Win32.Beginto.i 1
F:\Program Files\AdVantage\AdVantage.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.s 1
F:\Program Files\AdVantage\TR.dll Infected: not-a-virus:WebToolbar.Win32.WhenU.r 1
F:\WINDOWS\system32\SearchEnhancer\nsx9C.dll Infected: not-a-virus:AdWare.Win32.Beginto.k 1
F:\WINDOWS\system32\SearchEnhancer\SearchEnhancer.dll Infected: not-a-virus:AdWare.Win32.Beginto.i 1

The selected area was scanned.

#8 fenzodahl512

Posted 19 April 2009 - 05:40 AM

Run-->"msconfig"-->boot.ini tab--> safemode w\ networking.


You really shouldn't do that in the first place.

I think I have some idea of what you're saying, but can you post me a screenshot of your Desktop?.. I just want to see how bad it is (I mean the appearance).

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 kelumhi

Posted 19 April 2009 - 10:25 PM

Run-->"msconfig"-->boot.ini tab--> safemode w\ networking.


You really shouldn't do that in the first place.


That might have been what did it then. I thought that was just a basic user-friendly way of me not hitting F8...

PIC of my computer in normal mode right now:

[screenshot]

PIC of my computer in safemode right now:

[screenshot]



Sorry for the late reply, btw.

Edited by kelumhi, 19 April 2009 - 10:26 PM.


#10 fenzodahl512

Posted 19 April 2009 - 10:44 PM

Can you go into msconfig and undo the changes you made before, back to its default setting?.. After that, just reboot your computer and tell me how it goes.. Also, show hidden files and folders, go find the C:\boot.ini file and post its content here..



#11 kelumhi

Posted 19 April 2009 - 11:19 PM

I went into msconfig, but after making sure everything was correct (checked them against 2 computers that should have never had msconfig open and are working perfectly) nothing seems different. I let it restart my computer anyway when it requested to.

boot.ini is as follows and remains unchanged until ordered:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

#12 fenzodahl512

Posted 20 April 2009 - 01:29 AM

That looks normal to me.. Do you use AMD?

Well, currently I'm seeking advice from the experts regarding your issue and waiting for their replies.. I'll post here when I've got something..



#13 fenzodahl512

Posted 20 April 2009 - 07:55 AM

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box
    :filefind
    userinit.exe
    stu2.exe
    
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

Edited by fenzodahl512, 20 April 2009 - 12:04 PM.
edit code



#14 fenzodahl512

Posted 20 April 2009 - 12:04 PM

Hello, please take note that I just changed my script above.



#15 kelumhi

Posted 20 April 2009 - 03:40 PM

My processor is an AMD 64 made by e-machines.

SystemLook v1.0 by jpshortstuff (14.04.09)
Log created at 13:37 on 20/04/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "userinit.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe --a--- 26112 bytes [02:30 30/08/2008] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\userinit.exe --a--- 24576 bytes [09:23 17/06/2006] [19:00 10/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF

Searching for "stu2.exe"
C:\WINDOWS\system32\stu2.exe ------ 24576 bytes [06:48 17/02/2009] [19:00 10/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"= 0x00000002 (2)


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"CLASSPATH"=".;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip"
"ComSpec"="%SystemRoot%\system32\cmd.exe"
"FP_NO_HOST_CHECK"="NO"
"NUMBER_OF_PROCESSORS"="1"
"OS"="Windows_NT"
"Path"="%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem"
"PATHEXT"=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"
"PROCESSOR_ARCHITECTURE"="x86"
"PROCESSOR_IDENTIFIER"="x86 Family 15 Model 95 Stepping 2, AuthenticAMD"
"PROCESSOR_LEVEL"="15"
"PROCESSOR_REVISION"="5f02"
"QTJAVA"="C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip"
"SAFEBOOT_OPTION"="NETWORK"
"TEMP"="%SystemRoot%\TEMP"
"TMP"="%SystemRoot%\TEMP"
"windir"="%SystemRoot%"


-=End Of File=-
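As an added example (not from this thread and not part of SystemLook), a small Python parser for the filefind and reg sections of a SystemLook log like the one above: it groups hits by MD5 so that a byte-identical copy of userinit.exe stored under another name is flagged for the helper to look at (stu2.exe here carries the same hash as C:\WINDOWS\system32\userinit.exe), and it reads SAFEBOOT_OPTION, which is NETWORK in this log, i.e. the session was still a Safe Mode with Networking boot. The sample lines are copied from the log posted above; the function names are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample: filefind hits and one reg line copied from the SystemLook log above.
SAMPLE_LOG = r"""
Searching for "userinit.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe --a--- 26112 bytes [02:30 30/08/2008] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\userinit.exe --a--- 24576 bytes [09:23 17/06/2006] [19:00 10/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF

Searching for "stu2.exe"
C:\WINDOWS\system32\stu2.exe ------ 24576 bytes [06:48 17/02/2009] [19:00 10/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"="NETWORK"
"""

# One filefind hit: path, six attribute flags, size, two timestamps, MD5.
HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) [-a-z]{6} \d+ bytes "
                    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$")
REG_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')  # "Name"="Value" reg line

def parse_filefind(log):
    """Return (path, lowercase basename, MD5) for every file hit in the log."""
    hits = []
    for m in (HIT_RE.match(line.strip()) for line in log.splitlines()):
        if m:
            path = m.group("path")
            hits.append((path, path.rsplit("\\", 1)[-1].lower(), m.group("md5").upper()))
    return hits

def find_renamed_copies(hits, name):
    """Files with the same MD5 as a file called `name` but stored under a different name."""
    by_md5 = defaultdict(list)
    for path, base, md5 in hits:
        by_md5[md5].append((path, base))
    copies = []
    for md5, group in by_md5.items():
        if any(base == name.lower() for _, base in group):
            copies += [(path, md5) for path, base in group if base != name.lower()]
    return copies

def reg_value(log, name):
    """Value of the first "Name"="Value" line with the given name, or None if absent."""
    for m in (REG_RE.match(line.strip()) for line in log.splitlines()):
        if m and m.group("name") == name:
            return m.group("value")
    return None

if __name__ == "__main__":
    print(find_renamed_copies(parse_filefind(SAMPLE_LOG), "userinit.exe"))
    print("SAFEBOOT_OPTION =", reg_value(SAMPLE_LOG, "SAFEBOOT_OPTION"))
```

A hit whose name matches but whose hash differs (the SoftwareDistribution copy above) is not reported, so the check only surfaces true duplicates.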



