Virtumode and Monder infection. I've tried everything! [CLOSED]
Nov 26 2008, 10:17 PM, Post #1
Member, Posts: 52, From: Long Island, NY, USA, OS: Windows XP Pro
```text
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:33 PM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\AOL\1111442191\ee\AOLSoftware.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\SiGi - MyPhoneFiles.com Desktop Extension\mpfexet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1111442191\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1111442191\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xaviergifts.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0B0EA676-46DD-4526-AF03-6D8E4F261970} - (no file)
O2 - BHO: (no name) - {1F4A462B-3365-4EBC-971A-169CB19FB6B0} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {c5e4ab47-4855-474d-9288-74fe64ab24ae} - C:\WINDOWS\system32\honomige.dll (file missing)
O2 - BHO: (no name) - {F6BB0E4E-AC9D-496A-8984-74AE48321127} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111442191\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RCHotKey] C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
O4 - HKLM\..\Run: [Canyon3D2] RunDll32 essprops.cpl,TaskbarIconWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\PK\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zinosuyeyu] Rundll32.exe "C:\WINDOWS\system32\rahuziti.dll",s
O4 - HKCU\..\Run: [Send To Phone (myPhoneFiles.com)] C:\Program Files\SiGi - MyPhoneFiles.com Desktop Extension\mpfexet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [zinosuyeyu] Rundll32.exe "C:\WINDOWS\system32\rahuziti.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zinosuyeyu] Rundll32.exe "C:\WINDOWS\system32\rahuziti.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Send to phone (myPhoneFiles.com) - C:\Program Files\SiGi - MyPhoneFiles.com Desktop Extension\mpfexe.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/...eAutoLaunch.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178643608949
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.21/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pmicoaching.webex.com/client/v_mywe...bex/ieatgpc.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) - http://service.ringcentral.com/ActiveX/RCAXSetup.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tayanage.dll c:\windows\system32\golorojo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\golorojo.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12674 bytes
```
Nov 26 2008, 11:19 PM, Post #2
Trusted Helper, Posts: 2,164, From: NE Victoria, Australia, OS: WinXP SP3
Hi docgoblin,
I am sage5, and I will be helping you with this problem. Please post the text from the most recent report in Antivir.
Nov 27 2008, 09:39 AM, Post #3
Member, Posts: 52, From: Long Island, NY, USA, OS: Windows XP Pro
Thanks for your help with this. Here is the AV scan report. There is a detection of the Monder.zzo in there. I quarantined it but it still seems to be in the system.
```text
Avira AntiVir Personal
Report file date: Thursday, November 27, 2008 08:36

Scanning for 1054678 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: PK-AL2SJAOY512M

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/26/2008 02:29:49
AVSCAN.DLL : 8.1.4.0 40705 Bytes 7/18/2008 10:45:39
LUKE.DLL : 8.1.4.5 164097 Bytes 7/18/2008 10:45:39
LUKERES.DLL : 8.1.4.0 12033 Bytes 7/18/2008 10:45:39
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 07:22:08
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 07:14:30
ANTIVIR2.VDF : 7.1.0.124 376832 Bytes 11/23/2008 00:07:54
ANTIVIR3.VDF : 7.1.0.143 133120 Bytes 11/26/2008 02:19:18
Engineversion : 8.2.0.35
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/25/2008 15:53:24
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/12/2008 07:14:42
AESCN.DLL : 8.1.1.5 123251 Bytes 11/8/2008 07:11:39
AERDL.DLL : 8.1.1.3 438645 Bytes 11/6/2008 07:12:34
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/12/2008 07:14:40
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/8/2008 07:11:38
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/8/2008 07:11:38
AEHELP.DLL : 8.1.2.0 119159 Bytes 11/19/2008 07:21:31
AEGEN.DLL : 8.1.1.5 323956 Bytes 11/25/2008 00:07:57
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/25/2008 15:53:12
AECORE.DLL : 8.1.5.1 172406 Bytes 11/25/2008 00:07:55
AEBB.DLL : 8.1.0.3 53618 Bytes 10/25/2008 15:53:10
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/18/2008 10:45:39
AVPREF.DLL : 8.0.2.0 38657 Bytes 7/18/2008 10:45:39
AVREP.DLL : 8.0.0.2 98344 Bytes 8/1/2008 10:42:23
AVREG.DLL : 8.0.0.1 33537 Bytes 7/18/2008 10:45:39
AVARKT.DLL : 1.0.0.23 307457 Bytes 4/15/2008 03:24:50
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 7/18/2008 10:45:39
SQLITE3.DLL : 3.3.17.1 339968 Bytes 4/15/2008 03:24:50
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 7/18/2008 10:45:39
NETNT.DLL : 8.0.0.1 7937 Bytes 4/15/2008 03:24:50
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 7/18/2008 10:45:34
RCTEXT.DLL : 8.0.52.0 86273 Bytes 7/18/2008 10:45:34

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, November 27, 2008 08:36

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'AOLSP Scheduler.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'BrccMCtl.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'RCUI.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'mpfexet.exe' - '1' Module(s) have been scanned
Scan process 'BJMYPRT.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'RCHotKey.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'AOLDial.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'SAgent2.exe' - '1' Module(s) have been scanned
Scan process 'aoltpspd.exe' - '1' Module(s) have been scanned
Scan process 'eEBSvc.exe' - '1' Module(s) have been scanned
Scan process 'aoltsmon.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'nhksrv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
49 processes with 49 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '58' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\gkbegomv.dll
[DETECTION] Is the TR/Monder.zzo Trojan
[NOTE] The file was moved to '4990bd3b.qua'!

End of the scan: Thursday, November 27, 2008 10:34
Used time: 1:58:27 Hour(s)

The scan has been done completely.

7443 Scanning directories
253538 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
253536 Files not concerned
1619 Archives were scanned
1 Warnings
1 Notes
```
Nov 27 2008, 03:49 PM, Post #4
Trusted Helper, Posts: 2,164, From: NE Victoria, Australia, OS: WinXP SP3
Hi docgoblin,
Please download the following & save to your Desktop:
ComboFix from one of these locations: Link 1, Link 2, Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the text from C:\ComboFix.txt in your next reply.
Nov 27 2008, 09:42 PM, Post #5
Member, Posts: 52, From: Long Island, NY, USA, OS: Windows XP Pro
Here's the combofix log:
```text
ComboFix 08-11-27.03 - PK 2008-11-27 22:26:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.659 [GMT -5:00]
Running from: c:\documents and settings\PK\Desktop\ComboFix.exe
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\lswmv.ini
c:\program files\Common Files\uninstall information
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\ajyprs.dll
c:\windows\system32\ecnacvud.dll
c:\windows\system32\NLNP13.dll
c:\windows\system32\pawehuhe.dll
c:\windows\system32\q4ps0e77eh.dll
c:\windows\system32\sahagent1003.exe
c:\windows\system32\tayanage.dll
c:\windows\system32\tifakapu.dll
c:\windows\system32\twybityu.dll
c:\windows\system32\upakafit.ini
c:\windows\system32\wumomara.dll
c:\windows\system32\Xcite.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_.NET_CONNECTION_SERVICE
-------\Service_.NET Connection Service


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-25 21:36 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-25 20:49 . 2008-11-25 20:49 <DIR> d-------- c:\documents and settings\PK\Application Data\Malwarebytes
2008-11-25 20:49 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-25 20:49 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-25 20:48 . 2008-11-25 20:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-25 20:48 . 2008-11-25 20:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-24 20:55 . 2008-11-24 20:55 <DIR> d-------- C:\VundoFix Backups
2008-11-24 19:12 . 2008-11-24 19:12 <DIR> d-------- c:\temp\google
2008-11-23 18:06 . 2008-11-23 19:58 582 --a------ c:\windows\wininit.ini
2008-11-23 15:16 . 2008-11-23 15:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 14:00 . 2008-11-23 14:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-23 13:49 . 2008-11-23 13:54 <DIR> d-------- c:\program files\CCleaner
2008-11-22 23:30 . 2008-11-22 23:30 <DIR> d-------- c:\program files\Trend Micro
2008-11-22 23:18 . 2008-11-22 23:18 812,344 --a------ C:\HJTInstall.exe
2008-11-22 19:40 . 2008-11-22 19:40 2,098 ---hs---- c:\windows\system32\zutozube.exe
2008-11-21 22:07 . 2008-11-23 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 03:30 --------- d-----w c:\program files\SiGi - MyPhoneFiles.com Desktop Extension
2008-11-27 13:34 --------- d-----w c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition classic
2008-11-27 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-26 01:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-25 01:48 --------- d-----w c:\program files\Viewpoint
2008-11-25 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-23 19:01 --------- d-----w c:\program files\Lavasoft
2008-06-20 01:46 473 ----a-w c:\program files\Shortcut to ScanSoft.lnk
2008-05-15 13:34 59,128 -c--a-w c:\documents and settings\PK\Application Data\GDIPFONTCACHEV1.DAT
2006-01-16 00:47 557,056 ----a-w c:\documents and settings\PK\chatlnk.exe
2005-11-01 12:12 21 -c--a-w c:\program files\AVPersonalAVWIN.INI
2005-05-30 05:40 32 -c--a-r c:\documents and settings\All Users\hash.dat
2005-04-03 22:37 319,488 ----a-w c:\program files\Common Files\BCTUninstall.exe
2004-09-07 02:10 576 -c--a-w c:\program files\player.cfg
2004-09-07 02:10 357 -c--a-w c:\program files\tourn.cfg
2004-09-07 02:10 160 -c--a-w c:\program files\game.cfg
2004-02-23 01:28 985,659 ----a-w c:\documents and settings\PK\2020setup.exe
2003-12-15 01:12 397,857,244 ----a-w c:\program files\steaminstall_cs.exe
2000-09-01 18:06 114 -c--a-w c:\program files\RunMe.bat
2000-03-23 21:05 290 -c--a-w c:\program files\FILE_ID.DIZ
2000-03-16 20:20 1,433,600 ----a-w c:\program files\RISKII.EXE
2000-03-16 19:26 662 -c--a-w c:\program files\risk2.reg
2000-03-16 17:09 32,768 ----a-w c:\program files\TRAINER.EXE
2000-03-03 01:33 12,074 ----a-w c:\program files\mp3unpack.exe
2000-01-07 18:24 79,120 -c--a-w c:\program files\DSETUP32.DLL
2000-01-07 18:24 159,504 -c--a-w c:\program files\DSETUP.DLL
1999-02-24 04:00 282,896 -c--a-w c:\program files\SHLWAPI.DLL
1998-09-01 19:28 297,984 -c--a-w c:\program files\L3CODECP.ACM

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2007-10-09 380928]
"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2007-09-05 24512]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"HostManager"="c:\program files\Common Files\AOL\1111442191\ee\AOLSoftware.exe" [2006-09-25 50736]
"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2007-09-05 24512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2000-10-12 185896]
"Canyon3D2"="essprops.cpl" [2007-08-15 c:\windows\system32\essprops.cpl]
"nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2000-10-12 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-22 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dcur.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dcur.exe
backup=c:\windows\pss\dcur.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.2.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LimeWire 4.2.6.lnk
backup=c:\windows\pss\LimeWire 4.2.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 05:17 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 07:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 10:29 40960 c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 14384 c:\program files\Common Files\AOL\1111442191\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2007-01-29 20:10 46632 c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-03-21 13:19 69632 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2007-01-29 20:12 30248 c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 08:03 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Canyon3D2]
--a------ 2007-08-15 07:20 300032 c:\windows\system32\essprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 23:43 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Common Files\\AOL\\1111442191\\EE\\aolsoftware.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2002-03-04 22336]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2002-03-04 45376]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\DRIVERS\msikbd2k.sys [2003-03-15 6656]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2003-03-15 28672]
R2 X4HS32;X4HS32;\??\c:\program files\EXEtender\X4HS32.Sys [2004-07-21 21627]
R3 Canyon;ESS Canyon3D 2 Audio Driver (WDM);c:\windows\system32\drivers\es199x.sys [2007-08-15 482176]
R3 USR7900;U.S. Robotics 10/100 PCI NIC TX;c:\windows\system32\DRIVERS\USR7900.SYS [2003-03-12 36096]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;c:\windows\system32\DRIVERS\AN983.sys [2007-08-15 36224]
S3 ati2mtaa;ati2mtaa;c:\windows\system32\DRIVERS\ati2mtaa.sys [2003-12-26 327040]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;c:\windows\system32\Drivers\BrSerIf.sys [2008-04-15 52224]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;c:\windows\system32\Drivers\BrUsbSer.sys [2008-04-15 11904]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\PK\LOCALS~1\Temp\cdiskdun.sys []
S4 hpt3xx;hpt3xx; []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\40d1bc8b-30f4-4123-9f60-3777707b8537]
c:\windows\system32\cqxdbaa.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0B0EA676-46DD-4526-AF03-6D8E4F261970} - (no file)
BHO-{1F4A462B-3365-4EBC-971A-169CB19FB6B0} - (no file)
BHO-{c5e4ab47-4855-474d-9288-74fe64ab24ae} - c:\windows\system32\honomige.dll
BHO-{F6BB0E4E-AC9D-496A-8984-74AE48321127} - (no file)
HKCU-Run-Send To Phone (myPhoneFiles.com) - c:\program files\SiGi - MyPhoneFiles.com
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-zzz_ImInstaller_IncrediMail - c:\documents and settings\PK\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe
HKLM-Run-zinosuyeyu - c:\windows\system32\rahuziti.dll
ShellExecuteHooks-{F6BB0E4E-AC9D-496A-8984-74AE48321127} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-Desktop Search - c:\windows\isrvs\desktop.exe
MSConfigStartUp-Dvx - c:\windows\system32\wsxsvc\wsxsvc.exe
MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
MSConfigStartUp-eZWO - c:\progra~1\Web Offer\wo.exe
MSConfigStartUp-ffis - c:\windows\isrvs\ffisearch.exe
MSConfigStartUp-KavSvc - c:\windows\system32\rlaivz.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\McAfee.com\Agent\McAgent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-Nsv - c:\windows\system32\nsvsvc\nsvsvc.exe
MSConfigStartUp-nsvcin - c:\documents and settings\PK\n20050308.exe
MSConfigStartUp-picsvr - c:\windows\system32\picsvr\picsvr.exe
MSConfigStartUp-PopUpStopperFreeEdition - c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-Registry Cleaner - c:\program files\Registry Cleaner Trial\Regclean.exe
MSConfigStartUp-RunDLL - c:\windows\Downloaded Program Files\bridge.dll
MSConfigStartUp-Spyware Nuker - c:\program files\Spyware Nuker 2004\swn2.exe
MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe
MSConfigStartUp-VBouncer - c:\progra~1\VBouncer\VirtualBouncer.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-vmss - c:\windows\system32\vmss\vmss.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe
MSConfigStartUp-zinosuyeyu - c:\windows\system32\rahuziti.dll
MSConfigStartUp-0s5W38S - cleb2res.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\PK\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://news.google.com/nwshp?hl=en&gl=us
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 22:30:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
```
************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\AntiVir PersonalEdition Classic\sched.exe c:\program files\AntiVir PersonalEdition Classic\avguard.exe c:\program files\Common Files\AOL\ACS\AOLacsd.exe c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\wdfmgr.exe c:\windows\wanmpsvc.exe c:\windows\system32\rundll32.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Common Files\AOL\1111442191\EE\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe c:\windows\system32\msiexec.exe c:\program files\Google\Google Updater\GoogleUpdater.exe c:\program files\Google\Google Updater\GoogleUpdater.exe . ************************************************************************** . Completion time: 2008-11-27 22:38:12 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-28 03:36:54 Pre-Run: 14,922,248,192 bytes free Post-Run: 14,775,033,856 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 271 --- E O F --- 2008-11-28 03:37:48 |
Nov 28 2008, 06:48 PM
Post
#6
Trusted Helper Posts: 2,164 From: NE Victoria, Australia OS: WinXp SP3
Hi docgoblin,
Please download the following & save to your Desktop:
OTMoveIt3 by OldTimer.
OTListIt

Run HijackThis.
O20 - AppInit_DLLs: C:\WINDOWS\system32\tayanage.dll c:\windows\system32\golorojo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\golorojo.dll (file missing)

Run OTMoveIt3:
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Run OTListIt:
NOTE: These can be large files, and there is a limit to the number of characters that can be posted at once on this forum. It may require you to make 2 posts, to get all the information to me.

Please post me the text from the following as your next reply:
The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

Cheers,
sage5
Nov 28 2008, 07:28 PM
Post
#7
Member Posts: 52 From: Long Island, NY, USA OS: windows XP Pro
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service cdiskdun stopped successfully.
Service cdiskdun deleted successfully.
Service hpt3xx stopped successfully.
Service hpt3xx deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\40d1bc8b-30f4-4123-9f60-3777707b8537\\ deleted successfully.
========== FILES ==========
c:\windows\system32\zutozube.exe moved successfully.
File/Folder c:\windows\system32\cqxdbaa.exe not found.
File/Folder c:\windows\system32\golorojo.dll not found.
File/Folder C:\WINDOWS\system32\tayanage.dll not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11282008_201833

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\PK\Local Settings\Application Data\Mozilla\Firefox\Profiles\4srmm5bl.default\XUL.mfl moved successfully.
OTListIt logfile created on: 11/28/2008 8:24:21 PM - Run
OTListIt by OldTimer - Version 1.0.12.0 Folder = C:\Documents and Settings\PK\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.49 Mb Total Physical Memory | 541.50 Mb Available Physical Memory | 52.91% Memory free
1.28 Gb Paging File | 0.87 Gb Available in Paging File | 67.90% Paging File free
Paging file location(s): c:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 14.01 Gb Free Space | 37.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PK-AL2SJAOY512M
Current User Name: PK
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 14 Days

========== Processes ==========
[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2001/08/06 06:41:48 | 00,028,672 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
[2008/10/25 10:52:57 | 00,068,865 | ---- | M] (Avira GmbH) -- C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
[2008/10/25 10:52:54 | 00,151,297 | ---- | M] (Avira GmbH) -- C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
[2006/10/23 07:50:35 | 00,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
[2004/10/15 15:54:14 | 00,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
[2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
[2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
[2000/10/14 00:00:59 | 00,168,432 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
[2004/10/15 15:54:12 | 00,046,768 | ---- | M] (America Online Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
[2001/02/23 10:07:30 | 00,270,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
[2006/08/11 23:42:50 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2003/08/27 10:29:46 | 00,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
[2004/08/04 02:56:54 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe
[2005/06/24 14:16:42 | 00,278,528 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
[2005/03/04 03:36:46 | 00,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
[2005/06/24 14:16:26 | 00,331,776 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2006/10/23 07:50:37 | 00,071,216 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[2008/07/18 05:45:39 | 00,266,497 | ---- | M] (Avira GmbH) -- C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
[2006/09/25 19:52:48 | 00,050,736 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\1111442191\EE\aolsoftware.exe
[2007/09/05 16:46:28 | 00,024,512 | ---- | M] (RingCentral, Inc.) -- C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
[2004/08/04 02:56:55 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2008/01/11 22:16:38 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[2006/03/21 20:30:00 | 01,191,936 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
[2007/03/06 18:20:00 | 00,536,576 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
[2007/10/09 12:51:52 | 00,380,928 | ---- | M] (RingCentral, Inc.) -- C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
[2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2004/08/04 02:56:57 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2006/05/17 17:07:56 | 00,001,536 | ---- | M] () -- c:\Program Files\Common Files\AOL\1111442191\EE\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
[2006/09/25 19:52:48 | 00,050,736 | ---- | M] (America Online, Inc.) -- c:\Program Files\Common Files\AOL\1111442191\EE\aolsoftware.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2004/08/04 02:56:57 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/11/28 19:51:49 | 00,418,304 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\PK\Desktop\OTListIt.exe

========== (O23) Win32 Services ==========