Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

possible malware/virus/backdoor


  • This topic is locked This topic is locked
4 replies to this topic

#1 NEo1986

NEo1986

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 10 December 2009 - 11:41 AM

Hi i'm new to this forum, but im glad i have found it as it seems to be very helpfull etc

i have read the guide and attached all the files in the post

My problem is that since couple days i have got problems with my PC, here are few major ones

- internet connection rly slows downs (not always)
- i got some weird pop-ups jumping out in my Firefox (always the same websites) removed all the cookies, did not help . [most common website is hxxp://www.massivecasinojackpots.com/slot-charo-ron.htm
- i cant shut down my PC by start ---> shut down , need to do it by power button \

///edit : + sometimes i do have some eror with dr.watson , never had a chance to see it cos it disappearing very quickly

i have run avast on my PC and it found some viruses and removed them, but i still have this issues - i have attached avast LOG as well

i run spyware doctor several times and that found some malware, but did not help as well

i have run out of ideas and decided to ask some pros for help

kind regards NEo



DDS (Ver_09-12-01.01) - NTFSx86
Run by NEo at 15:57:57,77 on 2009-12-10
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.1104 [GMT 0:00]

AV: avast! antivirus 4.8.1356 [VPS 091210-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\vsnp2uvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\NEo\Moje dokumenty\Pobieranie\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.onet.pl
uInternet Connection Wizard,ShellNext = hxxp://www.xfire.com/xf/register.php
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: IEPluginBHO Class: {f5cc7f02-6f4e-4462-b5b1-394a57fd3e0d} - c:\documents and settings\neo\dane aplikacji\nowe gadu-gadu\_userdata\ggbho.1.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "c:\program files\common files\wise installation wizard\wisb83fc356b7c0441f8a4dd71e088e7974_9_09_0428.msi" transforms="c:\program files\common files\wise installation wizard\wisb83fc356b7c0441f8a4dd71e088e7974_9_09_0428.mst" wise_setup_exe_path="c:\nvidia\displaydriver\190.38\international\PhysX_9.09.0428_SystemSoftware.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\neo\menust~1\programy\autost~1\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\nowega~1.lnk - c:\program files\nowe gadu-gadu\gg.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: Antiwpa - antiwpa.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neo\daneap~1\mozilla\firefox\profiles\nyhvsp3p.default\
FF - plugin: c:\documents and settings\neo\dane aplikacji\nowe gadu-gadu\_userdata\npgg.1.dll
FF - plugin: c:\documents and settings\neo\ustawienia lokalne\dane aplikacji\dyyno browser plugins\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-8 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-1 138680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-8 112592]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-1 10384]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-8 358600]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-8 1141200]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-1 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-1 352920]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-11-1 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
S3 FXDrv32;FXDrv32;\??\f:\fxdrv32.sys --> f:\FXDrv32.sys [?]

=============== Created Last 30 ================

2009-12-08 20:06:20 0 d-----w- c:\windows\pss
2009-12-08 18:43:17 882 ----a-w- c:\windows\RegSDImport.xml
2009-12-08 18:43:17 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-08 18:43:17 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-08 18:43:17 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-08 18:43:17 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-12-08 18:43:17 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-08 18:43:17 131 ----a-w- c:\windows\IDB.zip
2009-12-08 18:43:17 1152470 ----a-w- c:\windows\UDB.zip
2009-12-08 18:31:23 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-08 18:31:23 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-08 18:31:20 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-08 18:31:20 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-08 18:31:20 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-08 18:31:20 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-08 18:31:17 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-08 18:31:17 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-08 18:31:11 0 d-----w- c:\program files\Spyware Doctor
2009-12-08 18:31:11 0 d-----w- c:\program files\common files\PC Tools
2009-12-08 18:31:11 0 d-----w- c:\docume~1\neo\daneap~1\PC Tools
2009-12-08 18:31:11 0 d-----w- c:\docume~1\alluse~1\daneap~1\PC Tools
2009-12-08 18:12:55 0 d-----w- c:\program files\Registry Clean Expert
2009-12-05 18:20:51 0 d-sh--w- c:\docume~1\neo\daneap~1\.#
2009-12-03 19:22:51 0 d-----w- c:\program files\mIRC
2009-12-02 15:16:10 0 d-s---w- c:\documents and settings\neo\UserData
2009-11-30 19:33:46 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-30 16:15:11 0 d-----w- c:\program files\AviSynth 2.5
2009-11-30 16:08:04 0 d-----w- c:\program files\megui
2009-11-25 23:27:06 0 d-----w- c:\program files\MSXML 6.0
2009-11-25 15:42:22 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-11-25 15:42:21 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-25 15:42:20 0 d-----w- c:\program files\ffdshow
2009-11-23 18:36:09 0 d-----w- c:\docume~1\neo\daneap~1\MathWorks
2009-11-21 11:38:15 0 d-----w- c:\windows\system32\appmgmt
2009-11-21 11:26:46 0 d-----w- c:\program files\Sony
2009-11-21 11:25:41 0 d-----w- c:\windows\SxsCaPendDel
2009-11-21 11:21:52 0 d-----w- c:\windows\system32\XPSViewer
2009-11-21 11:21:18 14048 ------w- c:\windows\system32\spmsg2.dll
2009-11-20 19:37:43 77 ----a-w- c:\windows\huffyuv.ini
2009-11-20 19:05:40 33280 ----a-w- c:\windows\system32\HUFFYUV.DLL
2009-11-13 14:04:40 209608 ----a-w- c:\windows\system32\tabctl32.ocx
2009-11-13 14:04:39 109248 ----a-w- c:\windows\system32\mswinsck.ocx
2009-11-13 14:04:38 2271152 ----a-w- c:\windows\system32\Codejock.CommandBars.Unicode.v12.1.1.ocx
2009-11-13 14:04:38 132880 ----a-w- c:\windows\system32\MSINET.OCX
2009-11-13 14:04:37 1779632 ----a-w- c:\windows\system32\Codejock.Controls.v12.1.1.ocx
2009-11-13 14:04:35 0 d-----w- c:\program files\CoD RconTool
2009-11-12 00:13:56 0 d-----w- c:\program files\common files\Onet.pl
2009-11-12 00:13:56 0 d-----w- c:\docume~1\neo\daneap~1\Kamerzysta
2009-11-12 00:13:56 0 d-----w- c:\docume~1\neo\daneap~1\AutoUpdate
2009-11-12 00:13:55 0 d-----w- c:\program files\Onet
2009-11-11 10:45:13 0 d-----w- c:\docume~1\neo\daneap~1\Octoshape

==================== Find3M ====================

2009-12-09 21:58:45 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-09 21:58:36 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-06 20:29:18 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-21 11:23:57 82230 ----a-w- c:\windows\system32\perfc015.dat
2009-11-21 11:23:57 484978 ----a-w- c:\windows\system32\perfh015.dat
2009-11-01 13:45:40 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-11-01 11:38:56 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-01 10:06:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-11-01 10:06:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-11-01 10:06:26 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-11-01 10:01:14 22328 ----a-w- c:\docume~1\neo\daneap~1\PnkBstrK.sys
2009-11-01 09:25:30 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-01 09:25:30 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-01 08:34:52 21856 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-29 05:48:21 664576 ----a-w- c:\windows\system32\SET2A.tmp
2009-10-29 05:48:21 625664 ----a-w- c:\windows\system32\SET2B.tmp
2009-10-29 05:48:20 3084288 ----a-w- c:\windows\system32\SET32.tmp
2009-10-29 05:48:20 1506304 ----a-w- c:\windows\system32\SET2D.tmp
2009-10-29 05:48:19 251392 ----a-w- c:\windows\system32\SET35.tmp
2009-10-29 05:48:18 1023488 ----a-w- c:\windows\system32\SET39.tmp
2009-10-28 00:43:26 370688 ----a-w- c:\windows\system32\SET3B.tmp
2009-10-21 06:03:25 75776 ----a-w- c:\windows\system32\SET80.tmp
2009-10-21 06:03:25 25088 ----a-w- c:\windows\system32\SET81.tmp
2009-10-20 14:58:48 263552 ----a-w- c:\windows\system32\drivers\SET82.tmp
2009-10-13 10:53:29 267776 ----a-w- c:\windows\system32\SET12.tmp
2009-10-12 13:54:13 69632 ----a-w- c:\windows\system32\SET76.tmp
2009-10-12 13:54:13 112640 ----a-w- c:\windows\system32\SET75.tmp
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:58:06 664576 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:58:03 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 15:59:09,50 ===============

Attached Files


Edited by Orange Blossom, 10 December 2009 - 11:15 PM.
Deactivate link. ~ OB


BC AdBot (Login to Remove)

 


#2 NEo1986

NEo1986
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 13 December 2009 - 09:36 AM

am i done something wrong or it always take that long to get answered ?

regards NEo

#3 NEo1986

NEo1986
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 14 December 2009 - 12:23 PM

a new problem have appeared today, just after i turn on my PC, every 5 minutes i got AVAST warning for with some trojan

2009-12-14 16:22:46 SYSTEM 1736 Sign of "Win32:FakeAlert-FC [Trj]" has been found in "C:\WINDOWS\TEMP\ripy.tmp\svchost.exe" file.
2009-12-14 16:27:57 SYSTEM 1736 Sign of "Win32:FakeAlert-FC [Trj]" has been found in "C:\WINDOWS\TEMP\sege.tmp\svchost.exe" file.
2009-12-14 16:34:21 SYSTEM 1736 Sign of "Win32:FakeAlert-FC [Trj]" has been found in "C:\WINDOWS\TEMP\bvto.tmp\svchost.exe" file.
2009-12-14 16:39:36 SYSTEM 1736 Sign of "Win32:FakeAlert-FC [Trj]" has been found in "C:\WINDOWS\TEMP\xomk.tmp\svchost.exe" file.
2009-12-14 16:44:43 SYSTEM 1736 Sign of "Win32:FakeAlert-FC [Trj]" has been found in "C:\WINDOWS\TEMP\siwq.tmp\svchost.exe" file.

Malverbytes did not found anything :/

i will paste new DDS LOG cos this one will e more up to date imo.


DDS (Ver_09-12-01.01) - NTFSx86
Run by NEo at 17:22:26,23 on 2009-12-14
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.2047.1182 [GMT 0:00]

AV: avast! antivirus 4.8.1356 [VPS 091214-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NEo\Moje dokumenty\Pobieranie\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.onet.pl
uInternet Connection Wizard,ShellNext = hxxp://www.xfire.com/xf/register.php
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: IEPluginBHO Class: {f5cc7f02-6f4e-4462-b5b1-394a57fd3e0d} - c:\documents and settings\neo\dane aplikacji\nowe gadu-gadu\_userdata\ggbho.1.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "c:\program files\common files\wise installation wizard\wisb83fc356b7c0441f8a4dd71e088e7974_9_09_0428.msi" transforms="c:\program files\common files\wise installation wizard\wisb83fc356b7c0441f8a4dd71e088e7974_9_09_0428.mst" wise_setup_exe_path="c:\nvidia\displaydriver\190.38\international\PhysX_9.09.0428_SystemSoftware.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\neo\menust~1\programy\autost~1\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\nowega~1.lnk - c:\program files\nowe gadu-gadu\gg.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15110/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: Antiwpa - antiwpa.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neo\daneap~1\mozilla\firefox\profiles\nyhvsp3p.default\
FF - plugin: c:\documents and settings\neo\dane aplikacji\nowe gadu-gadu\_userdata\npgg.1.dll
FF - plugin: c:\documents and settings\neo\ustawienia lokalne\dane aplikacji\dyyno browser plugins\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-1 138680]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-1 10384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-1 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-1 352920]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-12 38224]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-12-11 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
S3 FXDrv32;FXDrv32;\??\f:\fxdrv32.sys --> f:\FXDrv32.sys [?]

=============== Created Last 30 ================

2009-12-12 12:26:10 60416 ----a-w- c:\windows\system32\antiwpa.dll
2009-12-12 12:10:29 54016 ----a-w- c:\windows\system32\drivers\nvpgeh.sys
2009-12-12 11:52:08 0 d-----w- c:\docume~1\neo\daneap~1\Malwarebytes
2009-12-12 11:52:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 11:52:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 11:52:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 11:52:02 0 d-----w- c:\docume~1\alluse~1\daneap~1\Malwarebytes
2009-12-11 18:56:57 788 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000005-002C1102}.rfx
2009-12-11 18:56:57 54928 ----a-w- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000005-002C1102}.rfx
2009-12-11 18:56:57 54928 ----a-w- c:\windows\system32\BMXState-{00000005-00000000-00000002-00001102-00000005-002C1102}.rfx
2009-12-11 18:55:55 0 d-----w- c:\program files\common files\Creative Labs Shared
2009-12-11 18:55:27 102400 ----a-w- c:\windows\system32\cttele32.dll
2009-12-11 17:48:31 647872 ------w- c:\windows\system32\Mscomct2.ocx
2009-12-11 17:48:30 41984 ------w- c:\windows\Ctregrun.exe
2009-12-11 17:48:04 90112 ------w- c:\windows\Updreg.EXE
2009-12-11 17:46:39 10240 ----a-w- c:\windows\CTDCRES.DLL
2009-12-11 17:45:52 7572224 ------w- c:\windows\system32\CT8MGM.SF2
2009-12-11 17:45:51 4174814 ------w- c:\windows\system32\CT4MGM.SF2
2009-12-11 17:45:45 29705938 ------w- c:\windows\system32\28MBGM.sf2
2009-12-08 20:06:20 0 d-----w- c:\windows\pss
2009-12-08 18:31:11 0 d-----w- c:\program files\Spyware Doctor
2009-12-08 18:12:55 0 d-----w- c:\program files\Registry Clean Expert
2009-12-05 18:20:51 0 d-sh--w- c:\docume~1\neo\daneap~1\.#
2009-12-03 19:22:51 0 d-----w- c:\program files\mIRC
2009-12-02 15:16:10 0 d-s---w- c:\documents and settings\neo\UserData
2009-11-30 19:33:46 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-30 16:15:11 0 d-----w- c:\program files\AviSynth 2.5
2009-11-30 16:08:04 0 d-----w- c:\program files\megui
2009-11-25 23:27:06 0 d-----w- c:\program files\MSXML 6.0
2009-11-25 15:42:22 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-11-25 15:42:21 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-25 15:42:20 0 d-----w- c:\program files\ffdshow
2009-11-23 18:36:09 0 d-----w- c:\docume~1\neo\daneap~1\MathWorks
2009-11-21 11:38:15 0 d-----w- c:\windows\system32\appmgmt
2009-11-21 11:26:46 0 d-----w- c:\program files\Sony
2009-11-21 11:25:41 0 d-----w- c:\windows\SxsCaPendDel
2009-11-21 11:21:52 0 d-----w- c:\windows\system32\XPSViewer
2009-11-21 11:21:18 14048 ------w- c:\windows\system32\spmsg2.dll
2009-11-20 19:37:43 77 ----a-w- c:\windows\huffyuv.ini
2009-11-20 19:05:40 33280 ----a-w- c:\windows\system32\HUFFYUV.DLL

==================== Find3M ====================

2009-12-13 22:50:50 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-13 22:50:41 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-12 15:56:20 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-11 18:55:19 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-11 18:55:19 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-21 11:23:57 82230 ----a-w- c:\windows\system32\perfc015.dat
2009-11-21 11:23:57 484978 ----a-w- c:\windows\system32\perfh015.dat
2009-11-01 13:45:40 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-11-01 11:38:56 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-01 10:06:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-11-01 10:06:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-11-01 10:06:26 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-11-01 10:01:14 22328 ----a-w- c:\docume~1\neo\daneap~1\PnkBstrK.sys
2009-11-01 08:34:52 21856 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-29 05:48:21 664576 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:03:25 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:03:25 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58:48 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53:29 267776 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:13 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:13 112640 ----a-w- c:\windows\system32\rastls.dll
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 05:58:03 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 17:22:55,35 ===============

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 PM

Posted 21 December 2009 - 11:04 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a Hijackthis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 PM

Posted 26 December 2009 - 09:40 AM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users