Downloader+W32BackdoorIRC endless popups audio ads [RESOLVED]
Aug 27 2008, 09:32 PM
Post #1
Member, Posts: 10, OS: XP pro
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:55 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sotpeca.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ABIT\uGuru\uGuru.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/itttechlibrary/...s/ebraryRdr.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1219797676031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O23 - Service: afisicx Corporation (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: roxtctm Event propagation service (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Settings storage service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 8926 bytes
Aug 28 2008, 06:52 AM
Post #2
Malware Monger, Posts: 2,722, OS: XP Professional SP3
Hi there

You have a lot of nasties there. Please follow the instructions in the order they are given.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

Then go to Add or Remove Programs (Start > Control Panel) and uninstall: Viewpoint

Then, please download OTMoveIt2 by OldTimer.

***********
Now in the c:\_OTMoveIt\MovedFiles folder, in the form of date and time (mmddyyyy_hhmmss.zip), you should find a zipped folder of moved files. Please upload it to a hosting website like Rapidshare and PM me the download link, or PM me and attach the file to the PM.
***********

And finally,

This post has been edited by Mike: Aug 28 2008, 06:53 AM
Aug 28 2008, 04:50 PM
Post #3
Member, Posts: 10, OS: XP pro
OK... first here is my OTmoveIT log contents:

Explorer killed successfully
afisicx service deleted successfully.
noxtcyr service deleted successfully.
roxtctm service deleted successfully.
sotpeca service deleted successfully.
wsldoekd service deleted successfully.
C:\WINDOWS\system32\afisicx.exe moved successfully.
C:\WINDOWS\system32\noxtcyr.exe moved successfully.
C:\WINDOWS\system32\roxtctm.exe moved successfully.
C:\WINDOWS\system32\sotpeca.exe moved successfully.
C:\WINDOWS\system32\wsldoekd.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\mmchost.dll
c:\windows\system32\mmchost.dll NOT unregistered.
c:\windows\system32\mmchost.dll moved successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\Wade\LOCALS~1\Temp\etilqs_5IsaBj82uZ1fMcjFcu6V scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Wade\LOCALS~1\Temp\~DF3CC9.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta33152.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta55029.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta55971.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta59849.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta64789.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta77231.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta97656.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mtaw65556.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f18.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08282008_172822

Files moved on Reboot...
File C:\DOCUME~1\Wade\LOCALS~1\Temp\etilqs_5IsaBj82uZ1fMcjFcu6V not found!
C:\DOCUME~1\Wade\LOCALS~1\Temp\~DF3CC9.tmp moved successfully.
File C:\WINDOWS\temp\mta33152.dll not found!
C:\WINDOWS\temp\mta55029.dll unregistered successfully.
C:\WINDOWS\temp\mta55029.dll moved successfully.
C:\WINDOWS\temp\mta55971.dll unregistered successfully.
C:\WINDOWS\temp\mta55971.dll moved successfully.
C:\WINDOWS\temp\mta59849.dll unregistered successfully.
C:\WINDOWS\temp\mta59849.dll moved successfully.
C:\WINDOWS\temp\mta64789.dll unregistered successfully.
C:\WINDOWS\temp\mta64789.dll moved successfully.
C:\WINDOWS\temp\mta77231.dll unregistered successfully.
C:\WINDOWS\temp\mta77231.dll moved successfully.
File C:\WINDOWS\temp\mta97656.dll not found!
C:\WINDOWS\temp\mtaw65556.dll unregistered successfully.
C:\WINDOWS\temp\mtaw65556.dll moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_f18.dat not found!

I attempted to DL the RSIT program.. it said my current settings don't allow me to download it.. I tried to disable all security for IE just to get this file, with no luck.

And.. thank you very much for the help thus far.. I know this may just be the tip of the iceberg.. by YOU saying I have a LOT of nasties.

Here is the link to my OTmoveIT zip file: Removed link, thanks for uploading them for me

This post has been edited by Mike: Aug 29 2008, 02:28 AM
Reason for edit: Removed link so others won't download it, thank you
Aug 29 2008, 02:30 AM
Post #4
Malware Monger, Posts: 2,722, OS: XP Professional SP3
Hi there

Thanks for the files. Something that might help you a bit if you are having problems browsing in IE is to download Firefox. See if you can get RSIT with that. Otherwise, please do this for me so we make some progress:

Download OTViewIt to your desktop.

This post has been edited by Mike: Aug 29 2008, 03:04 AM
Aug 29 2008, 07:02 AM
Post #5
Member, Posts: 10, OS: XP pro
Any download (at least OTviewer and RSIT) will not download due to my Security Zone Policy settings. I just got Firefox and have been using it since my first post on the site. HJT log as of now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:36 AM, on 8/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\WINDOWS\system32\macidwe.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ABIT\uGuru\uGuru.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sotpeca.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/itttechlibrary/...s/ebraryRdr.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1219797676031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: macidwe Manages messages (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: noxtcyr Event propagation service (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: roxtctm Manages messages (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: tdxdowkc Co. Ltd. (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wsldoekd Settings storage service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 8542 bytes

This post has been edited by Q6600isabeast: Aug 29 2008, 07:09 AM
Aug 29 2008, 09:58 AM
Post #6
Malware Monger, Posts: 2,722, OS: XP Professional SP3
Hi there, sorry for the delay in replying.

Firefox 3 takes over the security settings present in IE. Open Internet Explorer, go to Tools, Internet Options, then Security. Make sure that the little slide bar under 'Security level for this zone' is not set to High. If it is, slide it down to Medium. If you still can't download from the infected PC, see if you can transfer the tools from another one via USB or CD.

Now all the bad guys are back, so please do this for me.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
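To make the comparison Mike is drawing here concrete ("all the bad guys are back"), this is an added example in Python, editor's code rather than anything from the thread or from HijackThis/OTMoveIt: it parses the O10 and O23 lines of two HijackThis logs, flags services with no owner string that run straight from system32, and diffs the two scans so the returning and relabelled services stand out. The sample lines are copied from the two logs posted above; the heuristics are assumptions of the example, not a HijackThis feature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: O10/O23 lines copied from two HijackThis logs in this
# thread (the first scan, and the one taken after the OTMoveIt run), trimmed.
LOG_BEFORE = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O23 - Service: afisicx Corporation (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sotpeca Settings storage service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
"""

LOG_AFTER = r"""
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: macidwe Manages messages (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: noxtcyr Event propagation service (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
"""

SYSTEM32 = "c:\\windows\\system32\\"
SHORT_NAME = re.compile(r"\((?P<name>[^()]+)\)\s*$")  # "(afisicx)" at the end of a display name


@dataclass
class Service:
    name: str     # service short name, lower-cased, e.g. "afisicx"
    display: str  # display name as HijackThis prints it
    owner: str    # company string, or "Unknown owner"
    path: str     # image path


def parse_o23(log: str) -> Dict[str, Service]:
    """Return the O23 service entries of a HijackThis log keyed by short name."""
    services: Dict[str, Service] = {}
    for line in log.splitlines():
        if not line.startswith("O23 - Service: "):
            continue
        rest = line[len("O23 - Service: "):]
        # Split from the right: path and owner never contain " - ", a display name might.
        display, owner, path = rest.rsplit(" - ", 2)
        m = SHORT_NAME.search(display)
        name = (m.group("name") if m else display).strip().lower()
        services[name] = Service(name, display.strip(), owner.strip(), path.strip())
    return services


def parse_o10(log: str) -> List[str]:
    """Return the DLLs HijackThis could not identify in the Winsock LSP chain."""
    prefix = "O10 - Unknown file in Winsock LSP: "
    found = {ln[len(prefix):].strip() for ln in log.splitlines() if ln.startswith(prefix)}
    return sorted(found)  # HJT repeats the same DLL once per LSP protocol entry


def flag_unknown_system32(services: Dict[str, Service]) -> List[str]:
    """Services with no company string whose image sits directly in system32.

    A lead, not a verdict: a vendor that ships no version info also shows as
    'Unknown owner'. Requiring the image to be directly in system32 (not a
    subfolder such as Drivers) keeps bwcsrv, which was left alone here, out."""
    hits = []
    for svc in services.values():
        low = svc.path.lower()
        in_system32_root = low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]
        if svc.owner == "Unknown owner" and in_system32_root:
            hits.append(svc.name)
    return sorted(hits)


def compare_scans(before: Dict[str, Service], after: Dict[str, Service]) -> Dict[str, List[str]]:
    """Diff two scans: services that appeared, disappeared, or kept their short name
    but changed display text (the generic descriptions were re-rolled on reinstall)."""
    common = set(before) & set(after)
    return {
        "new": sorted(set(after) - set(before)),
        "gone": sorted(set(before) - set(after)),
        "relabelled": sorted(n for n in common if before[n].display != after[n].display),
    }


def triage_report(before_log: str, after_log: str) -> List[str]:
    """Human-readable findings from an earlier and a later HijackThis log."""
    before, after = parse_o23(before_log), parse_o23(after_log)
    report = [f"LSP: unidentified DLL in the Winsock chain: {d}" for d in parse_o10(before_log)]
    for name in flag_unknown_system32(after):
        report.append(f"SERVICE: {name} has no owner and runs from {after[name].path}")
    diff = compare_scans(before, after)
    report += [f"NEW since the earlier scan: {n}" for n in diff["new"]]
    report += [f"GONE since the earlier scan: {n}" for n in diff["gone"]]
    report += [f"RELABELLED: {n}: '{before[n].display}' -> '{after[n].display}'"
               for n in diff["relabelled"]]
    return report


if __name__ == "__main__":
    for finding in triage_report(LOG_BEFORE, LOG_AFTER):
        print(finding)
```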
Aug 29 2008, 11:54 AM
Post #7
Member, Posts: 10, OS: XP pro
OMG I'm about to rip my bleeping hair out!!!!!!!!!!!!!!

I am working on my other computer in an attempt to get those files. Every single link you gave me is not responding on this other computer.. could this be something to do with my router? I was able to find ComboFix.exe from another site... but the XP SP2 Pro Bootdisk ENU I cannot find anywhere else, which means no recovery console for me. I have misplaced my XP pro disk at the moment but will work on getting that some time this weekend. So aggravating... it shows that it has started these downloads but then it will sit there transferring a 4.4MB file forever with no transfer rate or estimated time for finish.

WHEW, problem fixed with other PC. Rebooted after some Auto updates were through, and the files were able to be downloaded then.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:53 PM, on 8/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.geekstogo.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/itttechlibrary/...s/ebraryRdr.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1219797676031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7154 bytes

ComboFix 08-08-28.06 - Wade 2008-08-29 13:14:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1600 [GMT -5:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Wade\Application Data\inst.exe
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\bin.clearspring.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\interclick.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\interclick.com\ud.sol
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Wade\new.txt
C:\test.txt
C:\WINDOWS\Install.txt
C:\WINDOWS\system32\launcher.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\oduxftw.sys
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\tawisys.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_AFISICX
-------\Legacy_MACIDWE
-------\Legacy_NOXTCYR
-------\Legacy_PANDRV
-------\Legacy_ROXTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_TDXDOWKC
-------\Legacy_WSLDOEKD
-------\Service_6to4
-------\Service_macidwe
-------\Service_Pandrv
-------\Service_seuictol
-------\Service_tdxdowkc

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.
2008-08-28 17:28 . 2008-08-28 17:28 <DIR> d-------- C:\_OTMoveIt
2008-08-27 21:58 . 2008-08-27 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 20:19 . 2008-08-27 20:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-27 20:08 . 2008-08-27 20:08 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\Wade\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 19:50 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 19:48 . 2008-08-27 19:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-27 19:44 . 2008-08-27 19:45 <DIR> d-------- C:\Program Files\ERUNT
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-26 19:30 . 2008-08-26 19:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-26 19:10 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-26 18:55 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-26 18:53 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-26 11:40 . 2008-08-27 19:58 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-26 11:40 . 2008-08-27 20:00 14,848 --a------ C:\WINDOWS\system32\zordisa.dll
2008-08-16 12:51 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-16 12:49 . 2008-08-16 12:49 <DIR> d-------- C:\WINDOWS\Logs
2008-08-16 10:57 . 2008-08-29 08:57 <DIR> d-------- C:\Program Files\ShotOnline International
2008-08-14 19:11 . 2003-07-16 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-08-14 19:11 . 2004-12-31 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-08-14 19:10 . 2008-08-14 19:10 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 18:18 --------- d-----w C:\Program Files\lg_fwupdate 2008-08-28 23:04 --------- d-----w C:\Program Files\PokerStars 2008-08-28 22:26 --------- d-----w C:\Program Files\Viewpoint 2008-08-28 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-08-28 02:45 --------- d-----w C:\Program Files\BFG 2008-08-27 01:14 --------- d-----w C:\Program Files\NavNT 2008-08-23 21:38 --------- d-----w C:\Documents and Settings\Wade\Application Data\Vso 2008-07-01 23:19 --------- d-----w C:\Program Files\Common Files\Motive 2008-07-01 23:19 --------- d-----w C:\Program Files\ATT 2008-07-01 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive 2008-04-26 13:09 47,360 ----a-w C:\Documents and Settings\Wade\Application Data\pcouffin.sys 2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [2006-03-23 11:41 417792] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480] "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-10-31 11:59 73728] "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768] "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 03:00 1397760] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648] "LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-05 03:46 249856] "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 11:47 151552] "JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-24 21:52 385024] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920] "nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe] "RTHDCPL"="RTHDCPL.EXE" [2007-05-10 18:08 16342528 C:\WINDOWS\RTHDCPL.exe] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network 
Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"= "C:\\Program Files\\Xfire\\xfire.exe"= "C:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"= "C:\\Program Files\\Ares\\Ares.exe"= "C:\\Program Files\\AIM\\aim.exe"= "C:\\Program Files\\ShotOnline International\\ShotOnline.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3680:TCP"= 3680:TCP:*:Disabled:Ares "27158:TCP"= 27158:TCP:*:Disabled:BitComet 27158 TCP "27158:UDP"= 27158:UDP:*:Disabled:BitComet 27158 UDP "16180:TCP"= 16180:TCP:*:Disabled:BitComet 16180 TCP "16180:UDP"= 16180:UDP:*:Disabled:BitComet 16180 UDP R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 13:46] R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-12-21 03:21] R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 10:00] S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-08-25 15:00] S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-07-11 00:46] S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 19:49] . - - - - ORPHANS REMOVED - - - - HKCU-Run-PowerBar - (no file) . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\wdcos58e.default\ FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-29 13:18:04 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\NavLogon.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\drivers\BWCSRV.EXE C:\Program Files\NavNT\defwatch.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\lkcitdl.exe C:\WINDOWS\system32\lkads.exe C:\WINDOWS\system32\lktsrv.exe C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe C:\WINDOWS\system32\nisvcloc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\rundll32.exe . ************************************************************************** . Completion time: 2008-08-29 13:19:49 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-29 18:19:46 Pre-Run: 259,319,922,688 bytes free Post-Run: 259,346,857,984 bytes free 190 --- E O F --- 2008-08-29 12:54:48 Yes i do use PokerStars This post has been edited by Q6600isabeast: Aug 29 2008, 04:06 PM |
Aug 29 2008, 03:10 PM
Post #8
Malware Monger
Posts: 2,722
OS: XP Professional SP3
Hi again

Did you install PokerStars?

Please click Start, then Run; in the window that appears, type Notepad.exe. Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the Notepad window:

CODE
Folder::
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

Now in Notepad, go to File and in the menu that drops down click on Save As... Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that, please reboot your computer if it asks you to and post ComboFix.txt (the report ComboFix will generate) in your next reply.

Then, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
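The CFScript in the reply above rewrites HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders because the ComboFix log shows that value with the four DLL names run together, and the same "Reg Loading Points" section shows AntiVirusOverride and FirewallOverride set to 1 and EnableFirewall set to 0. The security point is that SecurityProviders names the Security Support Provider DLLs that lsass.exe loads at boot, so an extra or substituted entry there is code execution inside LSASS on every start, and the override flags silence Security Center's warnings about the disabled firewall and antivirus. As an added example that is not part of this thread and not ComboFix's or Malwarebytes' own code, the Python below parses a constructed excerpt laid out like ComboFix's registry dump (modelled on the log above, not copied from any machine) and flags those indicators. The XP default SSP list is the one the helper's script restores; the sample excerpt, the function names and the finding wording are my own.

```python
import re

# Default SecurityProviders list on Windows XP, as restored by the CFScript in
# the reply above.  Windows stores it as a comma-separated REG_SZ.
XP_DEFAULT_SSPS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Constructed excerpt in ComboFix "Reg Loading Points" layout, modelled on the
# log posted in this thread.  Not taken from a live machine.
SAMPLE_REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_security_providers(value):
    """Split a SecurityProviders REG_SZ value into lower-cased DLL names.

    Windows expects "a.dll, b.dll, ...".  A single token that contains several
    ".dll" substrings means the separators are gone and the value is
    malformed, which is what the helper's Registry:: line repairs."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def audit_security_providers(value):
    """Return a list of findings for one SecurityProviders value.

    Flags (a) run-together entries with no comma separators and (b) any DLL
    not in the XP default list.  SSP DLLs are loaded by lsass.exe as SYSTEM,
    so an unexpected entry is a persistence and credential-theft concern."""
    findings = []
    for p in parse_security_providers(value):
        if p.count(".dll") > 1:
            findings.append("malformed entry, no comma separators: " + p)
        elif p not in XP_DEFAULT_SSPS:
            findings.append("unexpected SSP DLL: " + p)
    return findings


def audit_combofix_reg(text):
    """Scan ComboFix-style registry lines for the indicators seen in this
    thread: a tampered SecurityProviders value, Security Center override
    flags set to 1, and the Windows Firewall standard profile disabled."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^SecurityProviders\s+(.+)$", line)
        if m:
            findings.extend(audit_security_providers(m.group(1)))
            continue
        # Matches both '"Name"=dword:00000001' and '"Name"= 0 (0x0)' forms.
        m = re.match(r'^"(\w+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)', line)
        if not m:
            continue
        name, raw = m.group(1), int(m.group(2), 16)
        if name in ("AntiVirusOverride", "FirewallOverride") and raw == 1:
            findings.append(name + "=1 (Security Center alerts suppressed)")
        elif name == "EnableFirewall" and raw == 0:
            findings.append("EnableFirewall=0 (Windows Firewall disabled)")
    return findings


if __name__ == "__main__":
    for finding in audit_combofix_reg(SAMPLE_REG_DUMP):
        print("FINDING:", finding)
    # The repaired value from the CFScript audits clean.
    print("default value clean:",
          audit_security_providers(", ".join(XP_DEFAULT_SSPS) + ",") == [])
```

On a live XP box the same check is applied to the value read back after ComboFix runs the script: the repaired list must contain exactly the four default DLLs, and the override flags should return to 0 once the firewall and antivirus are re-enabled rather than being left suppressed.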