Winlogon Notify: Awtrrom.dll


2 replies to this topic

#1 landondonnofan (Members, 2 posts)

Posted 18 March 2007 - 07:00 PM

I recently suffered an attack. I have been able to clean out all of the files I believe to be infected except for c:\windows\system32\awtrrom.dll. The attack seems to have changed my port settings and I now get prompted to connect to the internet every 15 minutes or so. Any help would be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:44:04 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Cnswspg] C:\WINDOWS\system32\?ecurity\lsass.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
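The entries the poster is asking about (the unnamed O2 BHO and the O20 Winlogon Notify line both pointing at awtrrom.dll, the HKCU Run entry launching an "lsass.exe" from a `?ecurity` subfolder, the broken O10 LSP chain and the O15 zone downgrade) are the ones a forum helper scans for by eye. As an added example, not a tool from this thread, from BleepingComputer or from HijackThis itself, here is a small Python triage script that applies those same heuristics to HijackThis v1.99-format lines. The sample lines are constructed to mirror this thread's two logs, and the flagging rules are the editor's own reading of what each entry means, not anything HijackThis ships with.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 line format, modelled on the entries in this
# thread. The two O20 lines show the same entry before and after the DLL was deleted.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\\WINDOWS\\system32\\awtrrom.dll
O4 - HKLM\\..\\Run: [!AVG Anti-Spyware] "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe" /minimized
O4 - HKCU\\..\\Run: [Cnswspg] C:\\WINDOWS\\system32\\?ecurity\\lsass.exe
O10 - Broken Internet access because of LSP provider 'c:\\program files\\newdotnet\\newdotnet6_38.dll' missing
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: awtrrom - C:\\WINDOWS\\SYSTEM32\\awtrrom.dll
O20 - Winlogon Notify: awtrrom - awtrrom.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")          # "O20 - <body>"
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"']*?\.(?:dll|exe))", re.IGNORECASE)
# Core Windows process names that malware commonly borrows, and where they really live.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe", "services.exe",
                "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}


@dataclass
class Finding:
    line_no: int
    code: str
    reason: str
    path: str = ""


def triage(log_text: str) -> list:
    """Return one Finding per heuristic that fires on each log line (hypothetical rules)."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # header lines, process list, blanks
        code, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else ""
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        parent = lower.rsplit("\\", 1)[0]

        def flag(reason: str) -> None:
            findings.append(Finding(line_no, code, reason, path))

        if "(file missing)" in body:
            flag("orphaned entry: the registry still points at a file that no longer exists")
        if code == "O20" and "Winlogon Notify" in body:
            flag("Winlogon Notify DLL loads into winlogon.exe before anyone logs on; verify it")
        if code == "O2" and "(no name)" in body:
            flag("unnamed BHO: loads into every Internet Explorer process")
        if "?" in path or any(ord(ch) > 127 for ch in path):
            flag("path has a character HijackThis cannot render; inspect the folder name directly")
        if name in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
            flag(f"{name} outside its normal directory: masquerades as a system process")
        if code == "O10" and "missing" in body:
            flag("broken Winsock LSP chain: a removed provider is still registered")
        if code == "O15" and "My Computer Zone" in body:
            flag("protocol defaults downgraded: 'http' content runs in the My Computer zone")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.code:<4} {f.reason}  [{f.path}]")
```

The script deliberately never decides what to delete: it only surfaces the lines a helper would ask about, and the poster's own follow-up log (where both awtrrom.dll entries turn into "(file missing)" orphans while the `?ecurity\lsass.exe` Run entry survives) is exactly the pattern the orphan and masquerade rules are there to separate.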


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 19 March 2007 - 03:32 AM

Welcome to the BleepingComputer HijackThis forum landondonnofan :thumbsup:

First of all, you've no virus protection installed on your PC.
Download/install one of the following, update its virus definitions and run a full system virus scan:

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

********************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

********************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply, along with the C:\vundofix.txt and a new HijackThis log please.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


#3 landondonnofan (Topic Starter, Members, 2 posts)

Posted 19 March 2007 - 09:09 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:02:38 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Cnswspg] C:\WINDOWS\system32\?ecurity\lsass.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: awtrrom - awtrrom.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

**********************************************

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 6:36:01 PM 3/19/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

**********************************************

"M-Diddy" - 07-03-19 18:48:54 Service Pack 2
ComboFix 07-03-20 - Running from: "C:\Documents and Settings\M-Diddy\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))



No infected Qoologic files found. Reg entries were fixed


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\M-Diddy\APPLIC~1\microsoft\internet explorer\quick launch\esplora.lnk
C:\DOCUME~1\M-Diddy\FAVORI~1\esplora.lnk
C:\WINDOWS\system32\icon_mediamotor.exe
C:\Program Files\Common Files\{188DB~2
C:\Program Files\Common Files\{388DB~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\M-Diddy
C:\qoobox\purity\DOCUME~1\M-Diddy\APPLIC~1
C:\qoobox\purity\DOCUME~1\M-Diddy\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\M-Diddy\APPLIC~1\YSTEM3~1
C:\qoobox\purity\DOCUME~1\M-Diddy\APPLIC~1\YSTEM3~1\explorer.exe
C:\qoobox\purity\DOCUME~1\M-Diddy\APPLIC~1\YSTEM3~1\YSTEM3~1
C:\qoobox\purity\WINDOWS\system32\ECURIT~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 ))))))))))))))))))))))))))))))))))


2007-03-19 18:36 <DIR> d-------- C:\VundoFix Backups
2007-03-12 15:08 <DIR> d-------- C:\Program Files\Fifa Master
2007-03-12 15:07 <DIR> d-------- C:\WINDOWS\CreationCentre 2007
2007-03-12 15:07 <DIR> d-------- C:\Program Files\CreationCentre 2007
2007-03-07 20:46 <DIR> d-------- C:\ff
2007-03-02 19:27 <DIR> d-------- C:\dddddddd
2007-02-19 20:44 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-02-19 20:44 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-02-19 20:44 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-02-19 20:43 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-02-19 20:43 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-02-19 20:43 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-02-19 20:43 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-02-19 20:43 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-02-19 20:43 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-02-19 20:41 <DIR> d-------- C:\dx'


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-18 18:52 -------- d-------- C:\Program Files\ea sports
2007-03-12 15:08 -------- d-------- C:\Program Files\fifa master
2007-03-12 15:07 -------- d-------- C:\Program Files\creationcentre 2007
2007-02-10 23:13 -------- d-------- C:\Program Files\ricochet lost worlds
2007-02-08 13:51 -------- d-------- C:\Program Files\klear
2007-02-08 13:43 -------- d-------- C:\Program Files\reflexivearcade
2007-01-28 00:03 -------- d-------- C:\Program Files\symantec
2007-01-24 15:27 255848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-01-20 00:44 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-19 20:41 -------- d-------- C:\Program Files\full tilt poker
2007-01-08 15:30 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-12-29 22:01 2560 --a------ C:\WINDOWS\system32\bitcometres.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Cnswspg"="C:\\WINDOWS\\system32\\?ecurity\\lsass.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"i32btm2.exe"=""
"RunNarrator"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
"backup"="C:\\WINDOWS\\pss\\Office Startup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office\\OSA.EXE -b"
"item"="Office Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ovbri.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ovbri.exe"
"backup"="C:\\WINDOWS\\pss\\ovbri.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ovbri.exe"
"item"="ovbri"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^M-Diddy^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^M-Diddy^Start Menu^Programs^Startup^Z_Start.lnk]
"path"="C:\\Documents and Settings\\M-Diddy\\Start Menu\\Programs\\Startup\\Z_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\Z_Start.lnkStartup"
"location"="Startup"
"command"="C:\\DOCUME~1\\M-Diddy\\LOCALS~1\\Temp\\stdrun8.exe SKY001"
"item"="Z_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvmoj"
"hkey"="HKLM"
"command"="rundll32.exe C:\\WINDOWS\\system32\\drvmoj.dll,startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gbwhqfd.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gbwhqfd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\gbwhqfd.dll,oymljaf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyrqvqeA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hyrqvqeA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\hyrqvqeA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IndexSearch"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsasss"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\netrap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="netrap"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~1"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nrkzacet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nrkzacet"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\nrkzacet.exe nrkzacet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pptd40nt"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDream]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDream"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quqimiji]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="quqimiji"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\provisioning\\quqimiji.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdakd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vooqcd"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\vooqcd.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys01119396364]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys01119396364"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys01119396364.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kernels88"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\kernels88.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tclock_install"
"hkey"="HKCU"
"command"="C:\\Program Files\\TClock\\tclock_install.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vgsicb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vooqcd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\vooqcd.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0500"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCSetup.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WPCSET~1"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wve442e7]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE wve442e72c.dll,n 007442e000000020"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoxnRjZ8S]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipnotify"
"hkey"="HKCU"
"command"="ipnotify.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{188DB334-04AC-1033-0516-030605020001}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\{188DB334-04AC-1033-0516-030605020001}\\Update.exe\" mc-110-12-0000272"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{DB-B3-33-34-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dwdsregt"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\dwdsregt.exe SKY001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ISEXEng"=dword:00000002
"IDriverT"=dword:00000003
"apiwin"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Logical Disk Manage"=dword:00000002
"Windows Overlay Components"=dword:00000002
"COM+ Messages"=dword:00000002
"TCP and UDP Supp0rt"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9476B23E-74F5-4A22-B701-5D19562301FB}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AntiVirus Update"="AntiVirus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\Program Files\\Common Files\\svchost.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\Windows Media Player\xune.html

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrrom

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a05cf7b-8723-11db-b9b7-000f1f16103e}]
Shell\AutoRun\command E:\Madden07.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070317-220150-379
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070122-131308-746
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070122-131308-344
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070122-125402-722
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070122-125402-835
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070121-232425-186
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\BitComet\BitComet.exe/AddAllLink.htm
backup-20070121-232425-406
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\BitComet\BitComet.exe/AddVideo.htm
backup-20070121-232425-630
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\BitComet\BitComet.exe/AddLink.htm
backup-20070121-230348-724
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070121-230349-892
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20070121-230348-977
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070121-230348-549
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
backup-20070121-001558-355
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070121-001557-359
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
backup-20070121-001557-236
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
backup-20070121-001557-964
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
backup-20070121-001557-834
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070120-230636-354
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
backup-20070120-230635-875
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\M-Diddy\APPLIC~1\YSTEM3~1\explorer.exe" -vt yazb
backup-20070120-230635-700
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20070120-230635-480
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070120-230635-190
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070120-211532-314
O20 - Winlogon Notify: winqad32 - winqad32.dll (file missing)
backup-20070120-211532-714
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
backup-20070120-211532-274
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070120-211532-244
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070120-205151-526
O20 - Winlogon Notify: winqad32 - winqad32.dll (file missing)
backup-20070120-205151-260
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
backup-20070120-205151-973
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070120-205151-276
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
backup-20070120-145722-199
O20 - Winlogon Notify: winqad32 - C:\WINDOWS\SYSTEM32\winqad32.dll
backup-20070120-145722-147
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
backup-20070120-145721-705
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070120-145720-237
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070120-145720-322
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070120-145720-649
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070120-145720-893
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\BitComet\tools\BitCometBHO.dll (file missing)
backup-20070120-145720-582
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070120-140327-971
O21 - SSODL: knZECMvafr - {188DB335-B227-199F-5DB1-6B7A55DCDC6C} - C:\WINDOWS\system32\jn.dll
backup-20070120-140327-821
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
backup-20070120-140327-778
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070120-140315-166
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070120-140315-123
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070120-140315-267
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070120-140133-869
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Ngldlj32.dll (file missing)
backup-20070120-140133-654
O20 - Winlogon Notify: winqad32 - C:\WINDOWS\SYSTEM32\winqad32.dll
backup-20070120-140133-461
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
backup-20070120-140132-254
O20 - Winlogon Notify: awtrrom - C:\WINDOWS\SYSTEM32\awtrrom.dll
backup-20070120-140116-538
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098408814699
backup-20070120-140115-327
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
backup-20070120-140115-715
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20070120-140115-741
O15 - Trusted Zone: www.contentdiscount.info
backup-20070120-140115-320
O15 - Trusted Zone: www.archiviosex.net
backup-20070120-140115-214
O15 - Trusted Zone: www.extremeaccess.info
backup-20070120-140114-389
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20070120-140114-807
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20070120-140114-373
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{388DB~2\Bar888.dll (file missing)
backup-20070120-140114-102
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20070120-140114-679
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
backup-20070120-140114-119
O2 - BHO: 0 - {EDFA5F92-6087-4F2D-49B6-29925703EBB3} - C:\Program Files\Windows Media Player\tefa.dll (file missing)
backup-20070120-140114-612
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{388DB~2\Bar888.dll (file missing)
backup-20070120-140114-181
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070120-140114-450
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070120-140114-402
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
backup-20070120-140114-394
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
backup-20070120-140114-878
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\awtrrom.dll
backup-20070120-140114-387
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)
backup-20070120-140114-725
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
backup-20070120-140114-141
O2 - BHO: (no name) - {54383F3C-A4D0-1F00-87FA-026FAFDBDAE0} - C:\WINDOWS\system32\yvrysbi.dll (file missing)
backup-20070120-140114-323
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xtmymid.exe
backup-20070120-140114-419
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070120-140114-492
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
backup-20070120-140114-233
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mxfvc.exe
backup-20070120-140114-713
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20070120-140114-671
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.extremeaccess.info/?rid=2
backup-20060822-010620-399
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20060814-020011-844
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20060727-013333-185
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\r4p8le7u1h.dll (file missing)
backup-20060727-005936-954
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060727-005936-139
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
backup-20060225-162420-144
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\czyyp.dll/sp.html#28129
backup-20060222-174749-269
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
backup-20060222-174749-983
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20060220-185514-950
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
backup-20060220-185514-882
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20060220-185514-103
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
backup-20060220-185514-185
O4 - HKLM\..\Run: [imsik] C:\WINDOWS\Bppqp.exe

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-19 18:58:09
