
Possible Spyware (Hijackthis)


  • This topic is locked
81 replies to this topic

#1 chicouk

chicouk

  • Members
  • 42 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 04 June 2009 - 02:54 PM

Hey all, every time I click on a search result it redirects me to some random sites... I have tried searching for this problem on Google and it seems to be quite common... anyway, here is my hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:55, on 04/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20978)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Aaron Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spotify\spotify.exe
D:\Games\Sports Interactive\Football Manager 2009\fm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Aaron Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [zirm] C:\PROGRA~1\COMMON~1\zirm\zirmm.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [luwibekake] Rundll32.exe "C:\WINDOWS\system32\rikojine.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQŲʹ - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\ rjdlfg.dll C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ODBC Administration Service (odbcasvc) - Unknown owner - C:\WINDOWS\SYSTEM32\odbcasvc.EXE (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11743 bytes


Thanks!!!

Aaron
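As an added example (not code from this thread, from HijackThis or from ComboFix), the script below parses the O2/O4/O10/O15/O20/O23 line formats that appear in the log above and flags the entry types a helper looks at first. The sample lines are copied from the posted log; the allowlist of service-account autostarts and the rundll32 heuristic are this example's own assumptions, not an authoritative rule set.

```python
"""Triage the entry types in a HijackThis log that a helper checks first."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Autostart names that Windows XP itself places under the service and
# default accounts (HKUS\S-1-5-18/19/20 and HKUS\.DEFAULT). This allowlist
# is an assumption of the example; anything else there deserves a look.
SERVICE_ACCOUNT_ALLOWLIST = {"CTFMON.EXE", "ShowDeskFix"}

# "O4 - <hive>\..\Run[Once]: [<name>] <command> (User '<account>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^:]+?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32 <dll>,<export>  (the DLL path may be quoted)
RUNDLL_RE = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    label: str    # entry name, CLSID or value that identifies the line
    reason: str
    line: str


def _o4_reasons(m: re.Match) -> list[str]:
    """Heuristics for autostart (O4) entries; returns zero or more reasons."""
    reasons = []
    hive, name, cmd = m["hive"], m["name"], m["cmd"]
    if hive.startswith("HKUS\\") and name not in SERVICE_ACCOUNT_ALLOWLIST:
        reasons.append(f"unexpected Run entry under service/default account {hive}")
    r = RUNDLL_RE.match(cmd)
    if r and len(r["export"]) <= 1:
        # Legitimate rundll32 entries name a descriptive export (NvStartup);
        # a one-letter export is the pattern seen in this log's odd entry.
        reasons.append(f"rundll32 loads {r['dll']} through one-letter export '{r['export']}'")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return the log entries a helper would examine first, with the reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        value = line.partition(": ")[2].strip()  # text after the section label
        label = value or line
        reasons: list[str] = []
        m = O4_RE.match(line)
        if m:
            label = m["name"]
            reasons += _o4_reasons(m)
        elif section == "O2" and ("(no name)" in line or "(no file)" in line):
            clsid = CLSID_RE.search(line)
            label = clsid.group(0) if clsid else label
            reasons.append("browser helper object with no name or no backing file")
        elif section == "O10":
            reasons.append("unrecognised Winsock LSP: sits in the path of every socket")
        elif section == "O15":
            reasons.append("site added to the IE Trusted Zone, which relaxes security settings")
        elif section == "O20" and "AppInit_DLLs" in line and value:
            reasons.append("AppInit_DLLs set: the DLL is loaded into every process using user32.dll")
        if "(file missing)" in line:
            reasons.append("points at a file that no longer exists (leftover or removed component)")
        if reasons:
            findings.append(Finding(section, label, "; ".join(reasons), line))
    return findings


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [zirm] C:\PROGRA~1\COMMON~1\zirm\zirmm.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [luwibekake] Rundll32.exe "C:\WINDOWS\system32\rikojine.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.line6.net
O20 - AppInit_DLLs: C:\WINDOWS\ rjdlfg.dll C:\WINDOWS\
O23 - Service: ODBC Administration Service (odbcasvc) - Unknown owner - C:\WINDOWS\SYSTEM32\odbcasvc.EXE (file missing)
"""


def flagged_labels(log_text: str = SAMPLE_LOG) -> set[str]:
    """Labels of every flagged entry, handy for diffing two logs of one machine."""
    return {f.label for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.label}: {f.reason}")
```

Entries such as the HKCU [zirm] line are not caught by these pattern checks; deciding on those still needs a lookup of the file's publisher and hash, which is exactly the part of the work the log alone cannot settle.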


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:16 AM

Posted 15 June 2009 - 03:54 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 chicouk

chicouk
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 18 June 2009 - 05:15 AM

Hiya sorry for the late reply,

Here is the DDS log you have requested and a new hijack log. I am experiencing another big problem now: I can only boot into Safe Mode. When I try to boot normally the Windows XP logo doesn't show up and it just shows a black blank screen.

Also, msconfig doesn't work either; when I try to run it, it end-tasks it and gives me an error report.

Thanks again!

Aaron

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 PM

Posted 18 June 2009 - 04:43 PM

Hi chicouk,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

We are going to run ComboFix. Please note that it is important that the Recovery Console is installed. You run ComboFix while you are still in Safe Mode, but when it reboots the computer let it reboot to Normal Mode, even if you need to use the reset button a few times to turn off the computer.
  • Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode with Networking menu item.
    • Press the Enter key.
    • Log in to your usual account, and click Yes to the prompt.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 chicouk

chicouk
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 18 June 2009 - 06:38 PM

We are going to run ComboFix. Please note that it is important that the Recovery Console is installed. You run ComboFix while you are still in Safe Mode, but when it reboots the computer let it reboot to Normal Mode, even if you need to use the reset button a few times to turn off the computer.



Hiya, thanks for helping Farbar, really really appreciate it

Unfortunately I don't understand this bit of the procedure. The problem with my PC is that it doesn't want to boot into Normal Mode WHATSOEVER; when it tries to boot to the main logo screen with the loading bar, the screen just goes blank and my PC loading light just turns off.

will this affect my procedure?!?

thanks!

Aaron

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 PM

Posted 18 June 2009 - 06:49 PM

That is why:

You run ComboFix while you are still in Safe Mode


And then at least try this:

but when it reboots the computer let it reboot to Normal Mode, even if you need to use the reset button a few times to turn off the computer.


In case the reboot didn't get you to Normal Mode after using the reset button a few times to turn off the computer, let me know.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 PM

Posted 18 June 2009 - 07:09 PM

Please let me know if you understand the procedure.

Once more: Please read and follow the procedure, it has two steps and I need your attention to do it as it is instructed before.

The above procedure requires you to do these steps:

1. Getting to Safe Mode with Networking.
2. Downloading and running ComboFix.
3. Letting it install Recovery Console.
4. Letting it scan the Computer.
5. When it reboots, TRY a few times to reboot to Normal Mode. I believe AFTER running ComboFix you might be able to boot normally.

#8 chicouk

chicouk
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 18 June 2009 - 07:28 PM

Hi!!!

I have run ComboFix; it didn't download the restore thing but it carried on with the scan.

The scan is complete and it has rebooted, but it is still not booting into Normal Mode; it is still showing the blank screen when the XP logo should be showing.

My PC is still on, shall I reset it??!?

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 PM

Posted 18 June 2009 - 07:33 PM

Yes, please use the reset button just once. If it still doesn't boot normally, boot to Safe Mode with Networking. See if the log opens. If not, see if the log is here: C:\Combofix.txt

Please copy and paste the log to your reply.

#10 chicouk

chicouk
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 18 June 2009 - 07:48 PM

Here is the log. Can you please answer this question first before checking my log, since I want to go to bed soon lol, I have work tomorrow.

Can i turn my pc off?

Thanks!

Aaron

ComboFix 09-06-18.02 - Aaron Man 19/06/2009 1:19.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3278 [GMT 1:00]
Running from: c:\documents and settings\Aaron Man\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Aaron Man\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\patchw32.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\uniq.tll
D:\install.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\system volume information\_restore{CFD61F34-5511-456E-87D5-CF8442A8CABC}\RP411\A0112001.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ODBCASVC
-------\Service_odbcasvc


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 00:25 . 2004-08-04 12:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-17 12:25 . 2009-06-17 12:25 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-06-17 12:25 . 2009-06-17 12:25 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-06-17 12:25 . 2009-06-17 12:25 168208 ----a-w- c:\windows\system32\guard32.dll
2009-06-17 12:25 . 2009-06-17 12:25 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-06-17 11:55 . 2009-06-17 12:00 -------- d-----w- c:\program files\Startup Manager
2009-06-17 11:55 . 2009-06-17 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Startup Manager
2009-06-02 15:32 . 2009-06-02 15:32 -------- d-----w- c:\program files\Trend Micro
2009-05-28 13:57 . 2009-06-11 00:56 389120 ----a-w- c:\documents and settings\Aaron Man\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-28 13:49 . 2009-06-02 17:23 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\Sports Interactive
2009-05-28 13:49 . 2009-05-28 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-05-28 13:45 . 2009-05-28 13:46 -------- d--h--w- c:\program files\Zero G Registry
2009-05-28 13:43 . 2009-05-28 13:43 -------- d--h--w- c:\documents and settings\Aaron Man\InstallAnywhere
2009-05-25 21:55 . 2009-06-17 20:04 159744 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\FlashGot.exe
2009-05-25 19:01 . 2009-05-25 19:01 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-05-25 14:18 . 2009-05-25 14:18 -------- d-----w- c:\program files\Ventrilo
2009-05-23 00:21 . 2008-09-05 00:22 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-05-23 00:21 . 2009-05-23 00:21 10134 ----a-r- c:\documents and settings\Aaron Man\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-23 00:21 . 2009-05-23 00:21 -------- d-----w- c:\program files\Microsoft WSE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 10:14 . 2008-09-26 17:42 -------- d-----w- c:\program files\PowerArchiver
2009-06-17 20:08 . 2007-10-13 21:53 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-17 20:01 . 2009-04-04 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-06-15 21:20 . 2008-08-29 10:18 86016 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-15 21:20 . 2004-08-04 12:00 87040 -c--a-w- c:\windows\system32\dpvsetup.exe
2009-06-15 21:20 . 2004-08-04 12:00 61952 -c--a-w- c:\windows\system32\driverquery.exe
2009-06-15 21:20 . 2004-08-04 12:00 33792 -c--a-w- c:\windows\system32\dplaysvr.exe
2009-06-15 21:20 . 2004-08-04 12:00 22016 -c--a-w- c:\windows\system32\dpnsvr.exe
2009-06-15 21:20 . 2004-08-04 12:00 19456 -c--a-w- c:\windows\system32\dmremote.exe
2009-06-15 21:20 . 2004-08-04 12:00 14848 -c--a-w- c:\windows\system32\doskey.exe
2009-06-15 21:20 . 2004-08-04 12:00 8704 -c--a-w- c:\windows\system32\dllhst3g.exe
2009-06-15 21:20 . 2004-08-04 12:00 228864 ----a-w- c:\windows\system32\dmadmin.exe
2009-06-15 21:18 . 2007-07-22 11:55 14336 -c--a-w- c:\windows\hh.exe
2009-06-15 21:18 . 2004-08-04 12:00 380928 -c--a-w- c:\windows\Help\Tours\mmTour\tour.exe
2009-06-15 21:12 . 2008-07-04 13:35 53248 ----a-w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
2009-06-15 21:12 . 2009-04-06 23:45 57344 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-15 21:12 . 2008-12-15 02:08 73728 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.0.2.20\SetupAdmin.exe
2009-06-15 21:08 . 2007-10-17 18:37 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\Skype
2009-06-15 19:45 . 2007-10-14 14:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-15 16:08 . 2009-01-15 23:22 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\skypePM
2009-06-11 00:57 . 2009-02-14 16:19 1044992 ----a-w- c:\documents and settings\Aaron Man\Application Data\Thinstall\Adobe Dreamweaver CS3\1000000ff00002i\explorer.exe
2009-06-11 00:57 . 2009-02-14 16:15 1253888 ----a-w- c:\documents and settings\Aaron Man\Application Data\Thinstall\Adobe Dreamweaver CS3\40000013200002i\ahv.exe
2009-06-11 00:57 . 2009-02-14 15:08 2388480 ----a-w- c:\documents and settings\Aaron Man\Application Data\Thinstall\Adobe Dreamweaver CS3\40000024700002i\SAFlashPlayer.exe
2009-06-11 00:57 . 2009-02-14 15:07 315904 ----a-w- c:\documents and settings\Aaron Man\Application Data\Thinstall\Adobe Dreamweaver CS3\4000004d00002i\firefox.exe
2009-06-11 00:57 . 2009-02-14 15:04 676352 ----a-w- c:\documents and settings\Aaron Man\Application Data\Thinstall\Adobe Dreamweaver CS3\400000a500003i\FNPLicensingService.exe
2009-06-11 00:57 . 2005-08-27 14:26 1585152 ----a-w- c:\documents and settings\Aaron Man\Application Data\Thinstall\Adobe Dreamweaver CS3\%ProgramFilesDir%\Macromedia\Flash 8\Players\SAFlashPlayer.exe
2009-06-11 00:57 . 2008-09-01 18:30 159744 ----a-w- c:\documents and settings\Aaron Man\Application Data\Thinstall\Adobe Dreamweaver CS3\%AppData%\Mozilla\Firefox\Profiles\lewwi8jg.default\FlashGot.exe
2009-06-11 00:56 . 2009-05-16 15:58 970752 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-06-11 00:56 . 2009-05-16 15:58 348160 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-06-11 00:56 . 2008-04-17 22:47 68608 ----a-w- c:\documents and settings\Aaron Man\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-11 00:56 . 2008-02-24 10:54 335872 ----a-w- c:\documents and settings\Aaron Man\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe
2009-06-07 22:32 . 2009-03-13 16:27 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\Spotify
2009-06-05 02:22 . 2009-02-07 16:50 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\FileZilla
2009-06-01 13:57 . 2009-03-24 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 13:28 . 2009-02-16 00:53 -------- d-----w- c:\program files\Common Files\Nero
2009-05-26 12:20 . 2009-03-31 20:18 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2009-03-31 20:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 19:05 . 2007-10-11 10:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-25 18:23 . 2007-10-14 18:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-25 18:23 . 2007-10-14 18:40 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-11 19:06 . 2008-10-27 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-11 10:28 . 2007-10-11 22:51 26432 ----a-w- c:\documents and settings\Aaron Man\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 20:48 . 2007-10-14 12:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-10 20:33 . 2009-05-10 20:23 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\Download Manager
2009-05-10 18:09 . 2008-04-17 23:41 16 ----a-w- c:\windows\msocreg32.dat
2009-05-08 23:08 . 2008-04-18 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2009-05-08 20:52 . 2009-05-08 20:52 -------- d-----w- c:\program files\Common Files\Skype
2009-05-08 20:52 . 2007-10-17 18:37 -------- d-----r- c:\program files\Skype
2009-05-08 20:52 . 2007-10-17 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-08 11:19 . 2007-11-15 23:55 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\mIRC
2009-05-08 11:17 . 2007-11-15 23:55 -------- d-----w- c:\program files\mIRC
2009-05-01 13:41 . 2009-04-24 12:33 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-04-30 23:30 . 2009-04-30 23:30 331776 ----a-w- c:\windows\system32\nvrshe.dll
2009-04-30 21:02 . 2009-04-30 21:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-04-30 21:02 . 2009-04-30 21:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-04-30 21:02 . 2009-04-30 21:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-04-30 21:02 . 2008-10-07 13:33 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-04-30 21:02 . 2007-02-23 03:25 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-04-30 21:02 . 2007-02-23 03:25 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-04-30 21:02 . 2007-02-23 03:25 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 21:02 . 2007-02-23 03:25 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-30 21:02 . 2007-02-23 03:25 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-04-30 21:02 . 2007-02-23 03:25 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-04-27 15:59 . 2008-07-04 23:38 -------- d-----w- c:\program files\Windows Live Safety Center
2009-04-25 22:35 . 2009-04-25 22:35 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\VSSaver
2009-04-24 12:37 . 2009-04-24 12:36 -------- d-----w- c:\documents and settings\Aaron Man\Application Data\Nikon
2009-04-24 12:37 . 2009-04-24 12:34 -------- d-----w- c:\program files\Common Files\Nikon
2009-04-24 12:35 . 2009-04-24 12:35 49152 ----a-r- c:\documents and settings\Aaron Man\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-04-24 12:35 . 2009-04-24 12:35 335872 ----a-r- c:\documents and settings\Aaron Man\Application Data\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2009-04-24 12:34 . 2009-04-24 12:34 57344 ----a-r- c:\documents and settings\Aaron Man\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2009-04-24 12:34 . 2009-04-24 12:34 -------- d-----w- c:\program files\Nikon
2009-04-24 12:33 . 2009-04-24 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultima_T15
2009-04-24 12:33 . 2009-04-24 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Screen Savers
2009-04-24 12:33 . 2009-04-24 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\EnterNHelp
2009-04-17 15:58 . 2009-05-16 15:58 103424 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-04-17 15:58 . 2009-05-16 15:58 1161626 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\avcodec-51.dll
2009-04-17 15:58 . 2009-05-16 15:58 71652 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\avutil-49.dll
2009-04-17 15:58 . 2009-05-16 15:58 65536 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-04-17 15:58 . 2009-05-16 15:58 4579328 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\cooliris18.dll
2009-04-17 15:58 . 2009-05-16 15:58 4534272 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-04-17 15:58 . 2009-05-16 15:58 131868 ----a-w- c:\documents and settings\Aaron Man\Application Data\Mozilla\Firefox\Profiles\526fjy1v.Aaron\extensions\piclens@cooliris.com\libs\avformat-52.dll
2009-04-05 22:45 . 2009-04-05 22:26 613 ----a-w- c:\windows\eReg.dat
2009-04-03 11:39 . 2009-04-03 11:39 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-03-23 00:00 . 2007-10-21 22:48 140216 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-22 23:59 . 2007-10-20 14:41 201352 ----a-w- c:\windows\system32\PnkBstrB.exe
.

------- Sigcheck -------

[-] 2009-06-15 21:18 2069760 CEA325EE8144363DB6A09F3E50881222 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2009-06-15 21:18 2069760 FDC9E6ED14CE1C15E58488466986C106 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2009-06-15 21:18 2020864 2D364044C57658728AC653C6327E31EA c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2009-06-15 21:18 2066560 B41A61EF30EB11EB4F92EF15D1D3F1CB c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-06-15 21:19 2069504 64BDC68B97DC81D9C64090BEE609FC60 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
[-] 2009-06-17 12:03 2024448 2421CA9CE97BF25BBAD0E5DFD9691FBD c:\windows\system32\ntkrnlpa.exe
[-] 2009-06-15 21:20 2066560 B41A61EF30EB11EB4F92EF15D1D3F1CB c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2009-06-15 21:19 114688 5BC65F91E0DE963EF920FF554EFA99FC c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe
[-] 2009-06-17 12:03 47616 5E1FF3154E6572A40B92A9F6144D6390 c:\windows\system32\wuauclt.exe
[-] 2009-06-15 21:20 47616 5E1FF3154E6572A40B92A9F6144D6390 c:\windows\system32\dllcache\wuauclt.exe

[-] 2009-06-15 21:19 29696 31FAD34D72B9DFF68AC8D5D16CE7479D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2009-06-17 12:03 28160 713E1562915C9D0D6AAE9E41322FB4EC c:\windows\system32\userinit.exe
[-] 2009-06-15 21:20 28160 713E1562915C9D0D6AAE9E41322FB4EC c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 206184]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Aaron Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-15 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-08-14 352256]
"SW24"="c:\windows\system32\sw24.exe" [2006-12-15 69632]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2009-06-15 367104]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-06-15 37888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-27 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-06-15 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-06-15 110592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-06-15 35328]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-06-15 638976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-06-17 1794320]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-11 16267776]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-17 1654784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 81920]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Games\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"d:\\Games\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Games\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Games\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"d:\\Games\\Fuel Of War\\Binaries\\FFOW.exe"=
"d:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Games\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"d:\\Games\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"d:\\Games\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"d:\\Games\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"d:\\Games\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"d:\\Games\\Steam\\steamapps\\common\\empire total war demo\\Empire.exe"=
"d:\\Games\\EA Games\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"d:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Games\\Steam\\steamapps\\common\\company of heroes\\help.htm"=
"d:\\Games\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"d:\\Games\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"34447:TCP"= 34447:TCP:rfactor
"34397:UDP"= 34397:UDP:rfactor race event

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [17/06/2009 13:25 24096]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [19/11/2007 22:01 33792]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [17/06/2009 13:25 132640]
S3 cpuz130;cpuz130;\??\c:\docume~1\AARONM~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\AARONM~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 CrystalSysInfo;CrystalSysInfo;c:\windows\system32\sysinfo.sys [11/10/2007 23:48 8192]
S3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\L6TPortB.sys [13/10/2007 12:32 521472]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [06/04/2009 00:30 33792]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys --> c:\program files\Tencent\QQ\npkycryp.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\CChat25.inf,PerUserAdd.NT
.
Contents of the 'Scheduled Tasks' folder

2009-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:13]

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1417001333-682003330-1003.job
- c:\documents and settings\Aaron Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-01 21:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-zirm - c:\progra~1\COMMON~1\zirm\zirmm.exe
HKLM-Run-SW20 - c:\windows\system32\sw20.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to QQ Customized Emoticons - c:\program files\Tencent\QQ\AddEmotion.htm
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Send Picture with QQ MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
IE: {{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - {39732CE5-0EE6-401A-A0B2-27F46B755C5B} -
Trusted Zone: line6.net
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 01:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1417001333-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6a,ea,98,0e,b9,08,ea,1a,79,37,2f,70,df,e7,bf,02,2a,57,1c,ed,e4,8a,21,
16,76,7a,f9,af,13,e1,09,ad,2f,91,99,61,06,a0,93,19,7b,8b,d3,c3,7f,c5,c3,2a,\
"??"=hex:31,ce,1a,7b,7e,32,48,20,3a,38,ca,22,e4,72,b8,c3

[HKEY_USERS\S-1-5-21-1801674531-1417001333-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:d6,44,00,35,b0,4b,44,66,65,44,17,34,b7,17,de,1e,e7,fd,a1,e8,5c,
c2,e0,15,7e,76,6e,22,9b,31,b3,4d,87,67,1a,97,9b,cf,43,f6,ba,4d,8a,5d,76,d3,\
"rkeysecu"=hex:c1,81,64,c6,2f,39,7b,ff,49,da,06,55,a0,08,28,30

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:00,b3,1e,fc,0e,e7,58,75,d9,af,bb,f1,4e,50,50,53,5f,21,71,e9,6c,
83,51,2a,79,f3,01,33,b9,44,14,42,75,0f,6c,b5,7a,c0,c2,ba,e3,83,f6,e5,69,08,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\*|;|A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:00,b3,1e,fc,0e,e7,58,75,d9,af,bb,f1,4e,50,50,53,5f,21,71,e9,6c,
83,51,2a,79,f3,01,33,b9,44,14,42,75,0f,6c,b5,7a,c0,c2,ba,e3,83,f6,e5,69,08,\
.
Completion time: 2009-06-19 1:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 00:43

Pre-Run: 23,240,871,936 bytes free
Post-Run: 23,962,238,976 bytes free

305 --- E O F --- 2009-03-15 01:50

Attached file: log.txt (25.59KB, 10 downloads)

Edited by farbar, 18 June 2009 - 07:50 PM.


#11 Farbar (Security Developer, 21,704 posts, The Netherlands)

Posted 18 June 2009 - 07:52 PM

I edited your post to copy and paste the log for easy reading.

You may turn off your computer. Good night.

#12 chicouk (Topic Starter, Members, 42 posts)

Posted 18 June 2009 - 07:55 PM

Hi, thanks again mate, you don't know how much I appreciate this!

I will donate some money to you guys in the near future

thanks!

Aaron

#13 Farbar (Security Developer, 21,704 posts, The Netherlands)

Posted 18 June 2009 - 08:32 PM

You are welcome Aaron.

We need to install the Recovery Console and run ComboFix once more.

  • Please boot to Safe Mode with Networking again.
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Select the download that's appropriate for your Operating System.
  • Download the file & save it as it's originally named, next to ComboFix.exe.
  • Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will reboot. Try again to boot to normal mode. If you can't, boot again to Safe Mode with Networking and copy and paste the log (c:\ComboFix.txt).
  • Please tell me if you have a Windows installation CD.


#14 chicouk (Topic Starter, Members, 42 posts)

Posted 19 June 2009 - 02:57 AM

Hiya, I am going to try this out tonight. My internet is completely disabled and I can't use it even in safe mode. I think this virus disables my internet straight after I boot my PC up. Would it be possible to download the setup from my laptop and move it to my PC via external hard disk (this is how I upload the HijackThis and ComboFix logs to you)?

Same issue with ComboFix: it does the scan but it just can't go on the internet, which is really, really annoying. I'll give it a try again tonight; hopefully the first scan will sort the internet out.

AND YES, I do have a copy of the Windows installation CD (if I can find it). Is this very important?

Thanks

#15 Farbar (Security Developer, 21,704 posts, The Netherlands)

Posted 19 June 2009 - 04:43 AM

    Would it be possible to download the setup from my laptop and move it to my PC via external hard disk (this is how I upload the HijackThis and ComboFix logs to you)?

Of course it is possible.

    My internet is completely disabled and I can't use it even in safe mode.

Thanks for telling me, I didn't know.

    AND YES, I do have a copy of the Windows installation CD (if I can find it). Is this very important?

We might need it. Some system files are patched by the malware and we need to replace them.
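The Sigcheck section of the ComboFix log above lists several copies of ntkrnlpa.exe, wuauclt.exe and userinit.exe with their sizes and MD5s, and Farbar's last reply says some system files have been patched. The script below is an added example (not ComboFix output and not Farbar's code): it parses that section and compares the live copy of each file in system32 with the copy Windows File Protection keeps in system32\dllcache. The sample text is the Sigcheck section copied from the log; the line format the regex assumes is my reading of how ComboFix prints those entries.

```python
"""Compare the live system32 copy of each file in a ComboFix 'Sigcheck' section
with the copy kept in system32\\dllcache.

Added example, not ComboFix output. The parsing rule (bracketed flag, date, time,
size, MD5, path) is an assumption about ComboFix's line format."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Sample input: the Sigcheck section copied from the log above.
SIGCHECK_SAMPLE = r"""
[-] 2009-06-15 21:18 2069760 CEA325EE8144363DB6A09F3E50881222 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2009-06-15 21:18 2069760 FDC9E6ED14CE1C15E58488466986C106 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2009-06-15 21:18 2020864 2D364044C57658728AC653C6327E31EA c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2009-06-15 21:18 2066560 B41A61EF30EB11EB4F92EF15D1D3F1CB c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-06-15 21:19 2069504 64BDC68B97DC81D9C64090BEE609FC60 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
[-] 2009-06-17 12:03 2024448 2421CA9CE97BF25BBAD0E5DFD9691FBD c:\windows\system32\ntkrnlpa.exe
[-] 2009-06-15 21:20 2066560 B41A61EF30EB11EB4F92EF15D1D3F1CB c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2009-06-15 21:19 114688 5BC65F91E0DE963EF920FF554EFA99FC c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe
[-] 2009-06-17 12:03 47616 5E1FF3154E6572A40B92A9F6144D6390 c:\windows\system32\wuauclt.exe
[-] 2009-06-15 21:20 47616 5E1FF3154E6572A40B92A9F6144D6390 c:\windows\system32\dllcache\wuauclt.exe

[-] 2009-06-15 21:19 29696 31FAD34D72B9DFF68AC8D5D16CE7479D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2009-06-17 12:03 28160 713E1562915C9D0D6AAE9E41322FB4EC c:\windows\system32\userinit.exe
[-] 2009-06-15 21:20 28160 713E1562915C9D0D6AAE9E41322FB4EC c:\windows\system32\dllcache\userinit.exe
"""


class Entry(NamedTuple):
    flag: str   # ComboFix's bracketed marker, e.g. "-"
    size: int   # file size in bytes
    md5: str    # MD5 as printed, upper-case hex
    path: str   # full path, lower-cased for comparison


# One Sigcheck line: "[-] 2009-06-17 12:03 2024448 <MD5> c:\path\file.exe"
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = "c:\\windows\\system32\\dllcache\\"


def parse_sigcheck(text: str) -> List[Entry]:
    """Parse every line that looks like a Sigcheck entry; blank and foreign lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["flag"], int(m["size"]), m["md5"].upper(), m["path"].lower()))
    return entries


def compare_with_dllcache(entries: List[Entry]) -> Dict[str, str]:
    """Per file name: MATCH if the live system32 copy has the same size and MD5 as the
    dllcache copy, MISMATCH if not, NO_REFERENCE if one of the two copies is absent."""
    by_name: Dict[str, Dict[str, Entry]] = defaultdict(dict)
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1]
        if e.path.startswith(DLLCACHE):
            by_name[name]["cache"] = e
        # Only direct children of system32 count as the live copy (not drivers\, dllcache\ ...).
        elif e.path.startswith(SYSTEM32) and "\\" not in e.path[len(SYSTEM32):]:
            by_name[name]["live"] = e
    verdicts: Dict[str, str] = {}
    for name, copies in by_name.items():
        live, cache = copies.get("live"), copies.get("cache")
        if live is None or cache is None:
            verdicts[name] = "NO_REFERENCE"
        elif (live.size, live.md5) == (cache.size, cache.md5):
            verdicts[name] = "MATCH"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(compare_with_dllcache(parse_sigcheck(SIGCHECK_SAMPLE)).items()):
        print(f"{name:14} {verdict}")
```

Run against the log above, the live ntkrnlpa.exe differs from its dllcache copy in both size and MD5, while wuauclt.exe and userinit.exe agree with theirs. Read the result with care: a match only says the two copies agree, not that either is clean, and a mismatch can also come from a half-applied hotfix (several other KB956841 copies of the kernel sit in $hf_mig$ and SoftwareDistribution). Confirm against a known-good hash or the installation CD before replacing anything.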



