Edited by abcd916, 08 July 2007 - 09:46 PM.
Help..Laptop infected and don't know how to fix
#1
Posted 05 July 2007 - 04:52 PM
#2
Posted 08 July 2007 - 09:48 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:27:04 PM, on 7/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\download\jhan91683\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.128126.cn/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\explorer.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP TV Now] C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe /RK
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7C8F0287E55E246220D9E728F80D6664366DB7D5175E744AB97
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\alxbqfbx.dll",realset
O4 - HKLM\..\Run: [RAV009F] C:\WINDOWS\System32\RAV009F.exe
O4 - HKLM\..\Run: [Microsoft Autorun10] C:\WINDOWS\System32\nwizwmgjs.exe
O4 - HKLM\..\Run: [whqvts87] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\whqvts87.dll",Start
O4 - HKLM\..\Run: [pblama15] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\pblama15.dll",Start
O4 - HKLM\..\Run: [hhifjr61] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\hhifjr61.dll",DllCanUnloadNow
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mssql.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msapi.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O20 - AppInit_DLLs: qhbpri.dll
O23 - Service: DomainService - - C:\WINDOWS\System32\gsuqktgm.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: DNS Cache (SOCEESe) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
#3
Posted 09 July 2007 - 12:55 AM
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
#4
Posted 09 July 2007 - 12:25 PM
"Owner" - 2007-07-09 13:06:14 - ComboFix 07-07-09.3 - Service Pack 1
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\efcdbbx.dll
C:\WINDOWS\system32\evmwdvvb.dll
C:\WINDOWS\system32\gdpvyehd.dll
C:\WINDOWS\system32\gktkojps.dll
C:\WINDOWS\system32\ochekhtw.dll
C:\WINDOWS\system32\pmklj.dll
C:\WINDOWS\system32\qlrnmysn.dll
C:\WINDOWS\system32\ruuvyobv.dll
C:\WINDOWS\system32\sleixsis.dll
C:\WINDOWS\system32\tcktwerk.dll
C:\WINDOWS\system32\vwxhtyfw.exe
C:\WINDOWS\system32\lakdfoxh.exe
C:\WINDOWS\system32\gebcbyv.dll
C:\WINDOWS\system32\jkkhghh.dll
C:\WINDOWS\system32\ljjghfc.dll
C:\WINDOWS\system32\bvvdwmve.ini
C:\WINDOWS\system32\dheyvpdg.ini
C:\WINDOWS\system32\spjoktkg.ini
C:\WINDOWS\system32\jlkmp.ini
C:\WINDOWS\system32\vboyvuur.ini
C:\WINDOWS\system32\sisxiels.ini
C:\WINDOWS\system32\krewtkct.ini
C:\WINDOWS\system32\efcbaxv.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~2\ALLUSE~1\APPLIC~1.\microsoft\pctools
C:\DOCUME~2\ALLUSE~1\APPLIC~1.\microsoft\pctools\pctools.dll
C:\DOCUME~2\Owner\APPLIC~1.\cuckoo
C:\DOCUME~2\Owner\APPLIC~1.\cuckoo\Host.dat
C:\DOCUME~2\Owner\APPLIC~1.\cuckoo\windows2.log
C:\DOCUME~2\Owner\APPLIC~1.\curity~1
C:\DOCUME~2\Owner\APPLIC~1\Sskdmns.dll
C:\DOCUME~2\Owner\MYDOCU~1.\fnts~1
C:\DOCUME~2\Owner\MYDOCU~1.\fnts~2
C:\Program Files\asks~1
C:\Program Files\Common Files\microsoft shared\msinfo\newinfo.bmt
C:\Program Files\Common Files\microsoft shared\msinfo\SysInfo.yer
C:\Program Files\Common Files\Microsoft Shared\MSInfo\system.2dt
C:\Program Files\Common Files\system\updaterun.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
C:\Program Files\Internet Explorer\plugins\System64.Sys
C:\Program Files\Internet Explorer\vikoj.html
C:\Program Files\NetMeeting\nipybalov83122.dll
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\IA
C:\WINDOWS\KB998013.log
C:\WINDOWS\netdde32.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\rising432.exe
C:\WINDOWS\rising448.exe
C:\WINDOWS\rising913.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\20328.exe
C:\WINDOWS\system32\699F99B4.dat
C:\WINDOWS\system32\ad_2236.exe
C:\WINDOWS\system32\AD22875E.EXE
C:\WINDOWS\system32\adinfo.bin
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\aeuhsigw.exe
C:\WINDOWS\system32\ahjfb.dll
C:\WINDOWS\system32\bhirgnca.exe
C:\WINDOWS\system32\bind_50099.exe
C:\WINDOWS\system32\bind_50201.exe
C:\WINDOWS\system32\cydxuswj.exe
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\dllhost32.exe
C:\WINDOWS\system32\dodolook133.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\hhifjr61.sys
C:\WINDOWS\system32\drivers\pblama15.sys
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\drivers\webhelp.drv
C:\WINDOWS\system32\drivers\webshow.drv
C:\WINDOWS\system32\drivers\whqvts87.sys
C:\WINDOWS\system32\equkjnal.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fd012.exe
C:\WINDOWS\system32\fmxrboqj.exe
C:\WINDOWS\system32\fquwyjlm.exe
C:\WINDOWS\system32\gsuqktgm.exe
C:\WINDOWS\system32\hhifjr61.dll
C:\WINDOWS\system32\hhifjr61.ini
C:\WINDOWS\system32\ijgrmjxc.exe
C:\WINDOWS\system32\juypjxes.exe
C:\WINDOWS\system32\kjromoym.exe
C:\WINDOWS\system32\lnafxfci.exe
C:\WINDOWS\system32\mosou.dll
C:\WINDOWS\system32\mosou.exe
C:\WINDOWS\system32\Msf3sf.sys
C:\WINDOWS\system32\netdde32.exe
C:\WINDOWS\system32\npyuxhyl.exe
C:\WINDOWS\system32\nwizzhuxians.dll
C:\WINDOWS\system32\nwizzhuxians.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\ohrqsjhu.exe
C:\WINDOWS\system32\pblama15.dll
C:\WINDOWS\system32\pnyebv64
C:\WINDOWS\system32\pnyebv64\a.sys
C:\WINDOWS\system32\pnyebv64\pnyebv64.exe
C:\WINDOWS\system32\pnyebv64\staA.dll
C:\WINDOWS\system32\pnyebv64\winA.dll
C:\WINDOWS\system32\prddvnub.exe
C:\WINDOWS\system32\redmcpeh.exe
C:\WINDOWS\system32\remotedbg.dll
C:\WINDOWS\system32\rldsregk.exe
C:\WINDOWS\system32\score.txt
C:\WINDOWS\system32\SysProFile.dll
C:\WINDOWS\system32\SysProFiles.dll
C:\WINDOWS\system32\tgfdxdie.exe
C:\WINDOWS\system32\twaig.dll
C:\WINDOWS\system32\wbem\jtwvl.dll
C:\WINDOWS\system32\wbem\mxkwq.dll
C:\WINDOWS\system32\webhelp.exe
C:\WINDOWS\system32\webshow.dll
C:\WINDOWS\system32\whqvts87.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winama15.bin
C:\WINDOWS\system32\winama15.dll
C:\WINDOWS\system32\winup
C:\WINDOWS\system32\winup\hhifjr61.dll
C:\WINDOWS\system32\winvts87.bin
C:\WINDOWS\system32\winvts87.dll
C:\WINDOWS\system32\winybb49.bin
C:\WINDOWS\system32\wyrhhjuw.exe
C:\WINDOWS\system32\yvravgsi.exe
C:\WINDOWS\system32\zxjybb49
C:\WINDOWS\system32\zxjybb49\winybb49.bin
C:\WINDOWS\system32\zxjybb49\winybb49.dll
C:\WINDOWS\system32\zxjybb49\zxjybb49.dll
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_ACPIDISK
-------\LEGACY_CELINDRV
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_HHIFJR61
-------\LEGACY_INVESTOR
-------\LEGACY_NET_AGENT
-------\LEGACY_PBLAMA15
-------\LEGACY_REMOTEDBG
-------\LEGACY_SOCEESE
-------\LEGACY_WHQVTS87
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\DomainService
-------\hhifjr61
-------\Investor
-------\Net Agent
-------\pblama15
-------\RemoteDbg
-------\SOCEESe
-------\whqvts87
((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))
2007-07-09 13:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 12:24 8,508 --a------ C:\WINDOWS\system32\RAV009F.exe
2007-07-05 12:24 8,396 --a------ C:\WINDOWS\system32\nwizwmgjs.exe
2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll
2007-07-05 12:24 5,058 --a------ C:\WINDOWS\system32\RAV009F.DAT
2007-07-05 12:24 11,264 --a------ C:\WINDOWS\system32\nwizwmgjs.dll
2007-07-05 12:22 9,844 --a------ C:\WINDOWS\system32\RAV008C.exe
2007-07-05 12:22 9,044 --a------ C:\WINDOWS\system32\RAV00AE.exe
2007-07-05 12:22 6,377 --a------ C:\WINDOWS\system32\RAV008C.DAT
2007-07-05 12:22 5,888 --ah----- C:\WINDOWS\system32\mssock.sys
2007-07-05 12:22 5,600 --a------ C:\WINDOWS\system32\RAV00AE.DAT
2007-07-05 12:22 32,912 --ah----- C:\WINDOWS\system32\mssql.dll
2007-07-05 12:22 19,968 --a------ C:\WINDOWS\system32\nwizwlwzs.exe
2007-07-05 12:22 16,896 --a------ C:\WINDOWS\system32\nwizqjsj.dll
2007-07-05 12:22 11,776 --a------ C:\WINDOWS\system32\nwizwlwzs.dll
2007-07-05 12:22 11,508 --a------ C:\WINDOWS\system32\nwizqjsj.exe
2007-07-05 12:21 13,312 --a------ C:\WINDOWS\system32\mh104.dll
2007-07-05 12:11 8,704 --a------ C:\WINDOWS\system32\Ravasktao.dll
2007-07-05 12:11 7,584 --a------ C:\WINDOWS\system32\Ravasktao.exe
2007-07-05 12:11 11,897 --a------ C:\WINDOWS\TIMHost.exe
2007-07-05 12:11 11,264 --a------ C:\WINDOWS\system32\TIMHost.dll
2007-07-05 02:07 33 --a------ C:\WINDOWS\system32\1u8e00Lgg.dll
2007-07-05 02:06 14,777 --a------ C:\WINDOWS\system32\77DB258C.DLL
2007-07-04 22:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 22:48 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinTouch
2007-07-03 22:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-03 09:42 22,016 --a------ C:\WINDOWS\b138.exe
2007-07-03 00:55 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-03 00:31 97,280 --a-s---- C:\WINDOWS\system32\reginia_sc.exe
2007-07-03 00:29 22,592 --a------ C:\WINDOWS\system32\64Nw3r2k.exe
2007-07-02 23:39 <DIR> d-------- C:\WINDOWS\system32\zslfiles
2007-07-02 23:38 <DIR> d-------- C:\WINDOWS\system32\ZeroSpyware Limited Edition
2007-07-02 23:37 <DIR> d-------- C:\Program Files\FBM Software
2007-07-02 22:53 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinPatrol
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F9
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F5
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F4
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F3
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F2
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-27 04:36 113,901 --a------ C:\WINDOWS\system32\d03.exe
2007-06-19 00:54 <DIR> d-------- C:\Downloads
2007-06-19 00:54 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\GetRightToGo
2007-06-19 00:46 <DIR> d-------- C:\DOCUME~2\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-19 00:14 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-18 11:33 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-09 18:02:30 45,056 ----a-w C:\WINDOWS\system32\dab1.dll
2007-07-03 05:30:13 -------- d-----w C:\Program Files\Winamp
2007-07-03 04:38:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 04:38:01 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 03:06:02 -------- d-----w C:\DOCUME~2\Owner\APPLIC~1\PandoraTV
2007-06-17 03:05:48 808,720 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-06-17 03:05:48 210,704 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-06-17 03:05:48 206,608 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-06-17 03:05:48 153,360 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-06-17 03:05:48 1,097,488 ----a-w C:\WINDOWS\system32\pavc.dll
2007-05-22 03:57:09 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-22 03:57:09 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-22 03:57:09 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-22 03:57:09 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-22 03:57:09 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-05-19 01:44:12 385,024 ----a-w C:\WINDOWS\DownUpdater.exe
2007-05-14 07:02:40 901,120 ----a-w C:\WINDOWS\system32\OIBox.dll
2007-05-06 01:50:48 132,896 ----a-w C:\WINDOWS\pdrinst2.dll
2007-04-13 10:06:40 159,744 ----a-r C:\WINDOWS\system32\fscagent.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
C:\WINDOWS\System32\jicpfdu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]
C:\WINDOWS\System32\xqhscyi.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-03 00:55 126976 --a------ C:\WINDOWS\xhelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EssSpkPhone"="essspk.exe" [2001-09-25 19:47 C:\WINDOWS\essspk.exe]
"S3TRAY2"="S3tray2.exe" [2002-02-21 10:38 C:\WINDOWS\system32\S3tray2.exe]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 15:12]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 20:57]
"CP4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 14:17]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 06:24]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 10:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-04 00:47]
"HostManager"="C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe" [2006-05-09 19:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 19:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\vikoj.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26368135-64FA-BC34-DA32-DCF4FD431C92}"="C:\WINDOWS\System32\qhbpri.dll" [2004-08-04 12:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùœ xùœ üþ
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
grdq
*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
C:\WINDOWS\System32\nwizzhuxians.exe
Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-03 05:29:49 C:\WINDOWS\tasks\At11.job
2007-07-03 05:29:50 C:\WINDOWS\tasks\At12.job
2007-07-05 17:01:37 C:\WINDOWS\tasks\At13.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At14.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At15.job
2007-07-03 05:29:53 C:\WINDOWS\tasks\At16.job
2007-07-04 21:00:30 C:\WINDOWS\tasks\At17.job
2007-07-03 05:29:59 C:\WINDOWS\tasks\At18.job
2007-07-03 05:30:00 C:\WINDOWS\tasks\At19.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At2.job
2007-07-05 00:00:40 C:\WINDOWS\tasks\At20.job
2007-07-05 01:00:40 C:\WINDOWS\tasks\At21.job
2007-07-03 05:30:10 C:\WINDOWS\tasks\At22.job
2007-07-03 05:30:11 C:\WINDOWS\tasks\At23.job
2007-07-05 04:00:31 C:\WINDOWS\tasks\At24.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At3.job
2007-07-04 08:00:30 C:\WINDOWS\tasks\At4.job
2007-07-04 09:00:31 C:\WINDOWS\tasks\At5.job
2007-07-03 05:29:42 C:\WINDOWS\tasks\At6.job
2007-07-03 05:29:43 C:\WINDOWS\tasks\At7.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At8.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At9.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 13:16:37
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-09 13:18:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-09 13:18
--- E O F ---
#5
Posted 09 July 2007 - 04:32 PM
Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to C:\SDFix
Please then reboot your computer in Safe Mode (without Networking) by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the C:\SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally, paste the contents of the Report.txt back here along with a fresh Combofix log.
#6
Posted 09 July 2007 - 05:21 PM
SDFix: Version 1.90
Run by Owner on Mon 07/09/2007 at 05:57 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\EUW.DLL - Deleted
C:\WINDOWS\b138.exe - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
C:\WINDOWS\system32\msapi.dll
C:\WINDOWS\system32\mssql.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\system42.rar
C:\WINDOWS\system32\mssock.sys
C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
Finished
Here's the New ComboFix log.
"Owner" - 2007-07-09 18:10:53 - ComboFix 07-07-09.3 - Service Pack 1
((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))
2007-07-09 17:56 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-09 13:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 12:24 8,508 --a------ C:\WINDOWS\system32\RAV009F.exe
2007-07-05 12:24 8,396 --a------ C:\WINDOWS\system32\nwizwmgjs.exe
2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll
2007-07-05 12:24 5,058 --a------ C:\WINDOWS\system32\RAV009F.DAT
2007-07-05 12:24 11,264 --a------ C:\WINDOWS\system32\nwizwmgjs.dll
2007-07-05 12:22 9,844 --a------ C:\WINDOWS\system32\RAV008C.exe
2007-07-05 12:22 9,044 --a------ C:\WINDOWS\system32\RAV00AE.exe
2007-07-05 12:22 6,377 --a------ C:\WINDOWS\system32\RAV008C.DAT
2007-07-05 12:22 5,888 --ah----- C:\WINDOWS\system32\mssock.sys
2007-07-05 12:22 5,600 --a------ C:\WINDOWS\system32\RAV00AE.DAT
2007-07-05 12:22 32,912 --ah----- C:\WINDOWS\system32\mssql.dll
2007-07-05 12:22 19,968 --a------ C:\WINDOWS\system32\nwizwlwzs.exe
2007-07-05 12:22 16,896 --a------ C:\WINDOWS\system32\nwizqjsj.dll
2007-07-05 12:22 11,776 --a------ C:\WINDOWS\system32\nwizwlwzs.dll
2007-07-05 12:22 11,508 --a------ C:\WINDOWS\system32\nwizqjsj.exe
2007-07-05 12:21 13,312 --a------ C:\WINDOWS\system32\mh104.dll
2007-07-05 12:11 8,704 --a------ C:\WINDOWS\system32\Ravasktao.dll
2007-07-05 12:11 7,584 --a------ C:\WINDOWS\system32\Ravasktao.exe
2007-07-05 12:11 11,897 --a------ C:\WINDOWS\TIMHost.exe
2007-07-05 12:11 11,264 --a------ C:\WINDOWS\system32\TIMHost.dll
2007-07-05 02:07 33 --a------ C:\WINDOWS\system32\1u8e00Lgg.dll
2007-07-05 02:06 14,777 --a------ C:\WINDOWS\system32\77DB258C.DLL
2007-07-04 22:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 22:48 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinTouch
2007-07-03 22:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-03 00:55 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-03 00:31 97,280 --a-s---- C:\WINDOWS\system32\reginia_sc.exe
2007-07-03 00:29 22,592 --a------ C:\WINDOWS\system32\64Nw3r2k.exe
2007-07-02 23:39 <DIR> d-------- C:\WINDOWS\system32\zslfiles
2007-07-02 23:38 <DIR> d-------- C:\WINDOWS\system32\ZeroSpyware Limited Edition
2007-07-02 23:37 <DIR> d-------- C:\Program Files\FBM Software
2007-07-02 22:53 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinPatrol
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F9
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F5
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F4
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F3
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F2
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-27 04:36 113,901 --a------ C:\WINDOWS\system32\d03.exe
2007-06-19 00:54 <DIR> d-------- C:\Downloads
2007-06-19 00:54 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\GetRightToGo
2007-06-19 00:46 <DIR> d-------- C:\DOCUME~2\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-19 00:14 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-18 11:33 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-09 18:02:30 45,056 ----a-w C:\WINDOWS\system32\dab1.dll
2007-07-03 05:30:13 -------- d-----w C:\Program Files\Winamp
2007-07-03 04:38:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 04:38:01 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 03:06:02 -------- d-----w C:\DOCUME~2\Owner\APPLIC~1\PandoraTV
2007-06-17 03:05:48 808,720 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-06-17 03:05:48 210,704 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-06-17 03:05:48 206,608 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-06-17 03:05:48 153,360 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-06-17 03:05:48 1,097,488 ----a-w C:\WINDOWS\system32\pavc.dll
2007-05-22 03:57:09 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-22 03:57:09 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-22 03:57:09 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-22 03:57:09 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-22 03:57:09 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-05-19 01:44:12 385,024 ----a-w C:\WINDOWS\DownUpdater.exe
2007-05-14 07:02:40 901,120 ----a-w C:\WINDOWS\system32\OIBox.dll
2007-05-06 01:50:48 132,896 ----a-w C:\WINDOWS\pdrinst2.dll
2007-04-13 10:06:40 159,744 ----a-r C:\WINDOWS\system32\fscagent.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
C:\WINDOWS\System32\jicpfdu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]
C:\WINDOWS\System32\xqhscyi.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-03 00:55 126976 --a------ C:\WINDOWS\xhelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EssSpkPhone"="essspk.exe" [2001-09-25 19:47 C:\WINDOWS\essspk.exe]
"S3TRAY2"="S3tray2.exe" [2002-02-21 10:38 C:\WINDOWS\system32\S3tray2.exe]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 15:12]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 20:57]
"CP4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 14:17]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 06:24]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 10:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-04 00:47]
"HostManager"="C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe" [2006-05-09 19:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 19:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 10:47]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\vikoj.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26368135-64FA-BC34-DA32-DCF4FD431C92}"="C:\WINDOWS\System32\qhbpri.dll" [2004-08-04 12:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùœ xùœ üþ
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
grdq
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
C:\WINDOWS\System32\nwizzhuxians.exe
Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-03 05:29:49 C:\WINDOWS\tasks\At11.job
2007-07-03 05:29:50 C:\WINDOWS\tasks\At12.job
2007-07-05 17:01:37 C:\WINDOWS\tasks\At13.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At14.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At15.job
2007-07-03 05:29:53 C:\WINDOWS\tasks\At16.job
2007-07-04 21:00:30 C:\WINDOWS\tasks\At17.job
2007-07-03 05:29:59 C:\WINDOWS\tasks\At18.job
2007-07-03 05:30:00 C:\WINDOWS\tasks\At19.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At2.job
2007-07-05 00:00:40 C:\WINDOWS\tasks\At20.job
2007-07-05 01:00:40 C:\WINDOWS\tasks\At21.job
2007-07-03 05:30:10 C:\WINDOWS\tasks\At22.job
2007-07-03 05:30:11 C:\WINDOWS\tasks\At23.job
2007-07-05 04:00:31 C:\WINDOWS\tasks\At24.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At3.job
2007-07-04 08:00:30 C:\WINDOWS\tasks\At4.job
2007-07-04 09:00:31 C:\WINDOWS\tasks\At5.job
2007-07-03 05:29:42 C:\WINDOWS\tasks\At6.job
2007-07-03 05:29:43 C:\WINDOWS\tasks\At7.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At8.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At9.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 18:12:09
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-09 18:13:14
C:\ComboFix-quarantined-files.txt ... 2007-07-09 18:12
C:\ComboFix2.txt ... 2007-07-09 13:18
--- E O F ---
#7
Posted 11 July 2007 - 09:53 PM
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and the combofix log from the instructions below
Reboot.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}]
Save this as ComboFix-Do.txt
Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
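The ComboFix-Do script above goes after three persistence points that are visible in the posted log: the at.exe-created scheduled tasks (At1.job through At24.job), the two Browser Helper Objects whose DLLs sit in System32, and the AppInit_DLLs value that loads qhbpri.dll into every process that links user32. The following Python is an added example, not code from this thread and not ComboFix's own logic: it parses a small excerpt copied from the posted log (embedded below as a constructed sample), flags those three indicator types, and assembles a File::/Registry:: script in the same format the helper used. The "BHO DLL under C:\WINDOWS" rule is an assumed heuristic for triage, not a verdict; a legitimate toolbar in Program Files (the AOL entry) is deliberately left alone.

```python
import re

# Constructed sample: a handful of lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
C:\WINDOWS\System32\jicpfdu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll
Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
AT_JOB_RE = re.compile(r"(C:\\WINDOWS\\tasks\\At\d+\.job)$", re.IGNORECASE)
APPINIT_RE = re.compile(r'^"appinit_dlls"=(.*)$', re.IGNORECASE)
# ComboFix prefixes a value with "date time size attrs " when it found the file on disk.
META_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ )?(?P<path>.+)$")
BHO_MARK = "\\Browser Helper Objects\\"


def parse_loading_points(log: str) -> dict:
    """Return {registry_key: [value lines]} for the 'Reg Loading Points' section."""
    points, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            break  # the registry section is over
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            points[current] = []
        elif current is not None:
            points[current].append(line)
    return points


def find_at_jobs(log: str) -> list:
    """Every At<N>.job listed under 'Scheduled Tasks'; these at.exe jobs re-launched the infection here."""
    return [m.group(1) for m in (AT_JOB_RE.search(l.rstrip()) for l in log.splitlines()) if m]


def find_suspicious_bhos(points: dict) -> list:
    """(key, dll path) for BHOs whose DLL lives under C:\\WINDOWS (assumed heuristic, not a verdict)."""
    hits = []
    for key, values in points.items():
        if BHO_MARK not in key or not values:
            continue
        path = META_RE.match(values[0]).group("path")
        if path.lower().startswith("c:\\windows\\"):
            hits.append((key, path))
    return hits


def find_appinit_dlls(points: dict) -> list:
    """(key, value) for every non-empty AppInit_DLLs entry; anything named there loads into most processes."""
    hits = []
    for key, values in points.items():
        for v in values:
            m = APPINIT_RE.match(v)
            if m and m.group(1).strip():
                hits.append((key, m.group(1).strip()))
    return hits


def build_combofix_script(log: str) -> str:
    """Assemble a File::/Registry:: script in the format used in post #7 from the findings above."""
    points = parse_loading_points(log)
    lines = ["File::"] + find_at_jobs(log) + ["", "Registry::"]
    for key, _path in find_suspicious_bhos(points):
        lines.append(f"[-{key}]")           # leading '-' removes the whole BHO key
    for key, _dll in find_appinit_dlls(points):
        lines.append(f"[{key}]")
        lines.append('"appinit_dlls"=-')    # '=-' clears the value, leaving the key in place
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_combofix_script(SAMPLE_LOG))
```

Run against a full log the same way; the script it prints is only a starting point for the kind of review the helper did by hand, so check each flagged path before feeding the result to ComboFix.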
#8
Posted 12 July 2007 - 09:20 AM
#9
Posted 12 July 2007 - 04:33 PM
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases - Click OK
- Now under select a target to scan:Select My Computer
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
PS you can do the Combofix-DO part before you run the AV scan if you wish/need. Usually posts should be done in the order given but in this case it makes little difference
Edited by jwbirdsong, 12 July 2007 - 04:35 PM.
#10
Posted 12 July 2007 - 07:33 PM
#11
Posted 12 July 2007 - 10:31 PM
Can you run and post a fresh Combofix log please
#12
Posted 13 July 2007 - 02:39 PM
"Owner" - 2007-07-13 15:28:04 - ComboFix 07-07-09.3 - Service Pack 1
((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))
2007-07-09 17:56 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-09 13:05 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 12:24 8,508 --a------ C:\WINDOWS\system32\RAV009F.exe
2007-07-05 12:24 8,396 --a------ C:\WINDOWS\system32\nwizwmgjs.exe
2007-07-05 12:24 65,536 --ah----- C:\WINDOWS\system32\msapi.dll
2007-07-05 12:24 5,058 --a------ C:\WINDOWS\system32\RAV009F.DAT
2007-07-05 12:24 11,264 --a------ C:\WINDOWS\system32\nwizwmgjs.dll
2007-07-05 12:22 9,844 --a------ C:\WINDOWS\system32\RAV008C.exe
2007-07-05 12:22 9,044 --a------ C:\WINDOWS\system32\RAV00AE.exe
2007-07-05 12:22 6,377 --a------ C:\WINDOWS\system32\RAV008C.DAT
2007-07-05 12:22 5,888 --ah----- C:\WINDOWS\system32\mssock.sys
2007-07-05 12:22 5,600 --a------ C:\WINDOWS\system32\RAV00AE.DAT
2007-07-05 12:22 32,912 --ah----- C:\WINDOWS\system32\mssql.dll
2007-07-05 12:22 19,968 --a------ C:\WINDOWS\system32\nwizwlwzs.exe
2007-07-05 12:22 16,896 --a------ C:\WINDOWS\system32\nwizqjsj.dll
2007-07-05 12:22 11,776 --a------ C:\WINDOWS\system32\nwizwlwzs.dll
2007-07-05 12:22 11,508 --a------ C:\WINDOWS\system32\nwizqjsj.exe
2007-07-05 12:21 13,312 --a------ C:\WINDOWS\system32\mh104.dll
2007-07-05 12:11 8,704 --a------ C:\WINDOWS\system32\Ravasktao.dll
2007-07-05 12:11 7,584 --a------ C:\WINDOWS\system32\Ravasktao.exe
2007-07-05 12:11 11,897 --a------ C:\WINDOWS\TIMHost.exe
2007-07-05 12:11 11,264 --a------ C:\WINDOWS\system32\TIMHost.dll
2007-07-05 02:07 33 --a------ C:\WINDOWS\system32\1u8e00Lgg.dll
2007-07-05 02:06 14,777 --a------ C:\WINDOWS\system32\77DB258C.DLL
2007-07-04 22:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 22:48 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinTouch
2007-07-03 22:40 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-03 00:55 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-03 00:31 97,280 --a-s---- C:\WINDOWS\system32\reginia_sc.exe
2007-07-03 00:29 22,592 --a------ C:\WINDOWS\system32\64Nw3r2k.exe
2007-07-02 23:39 <DIR> d-------- C:\WINDOWS\system32\zslfiles
2007-07-02 23:38 <DIR> d-------- C:\WINDOWS\system32\ZeroSpyware Limited Edition
2007-07-02 23:37 <DIR> d-------- C:\Program Files\FBM Software
2007-07-02 22:53 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\WinPatrol
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F9
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F5
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F4
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F3
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F2
2007-07-02 13:12 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-27 04:36 113,901 --a------ C:\WINDOWS\system32\d03.exe
2007-06-19 00:54 <DIR> d-------- C:\Downloads
2007-06-19 00:54 <DIR> d-------- C:\DOCUME~2\Owner\APPLIC~1\GetRightToGo
2007-06-19 00:46 <DIR> d-------- C:\DOCUME~2\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-06-19 00:14 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-06-18 11:33 1,536,000 -ra------ C:\WINDOWS\system32\clubbox.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-09 18:02:30 45,056 ----a-w C:\WINDOWS\system32\dab1.dll
2007-07-03 05:30:13 -------- d-----w C:\Program Files\Winamp
2007-07-03 04:38:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 04:38:01 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-17 03:06:02 -------- d-----w C:\DOCUME~2\Owner\APPLIC~1\PandoraTV
2007-06-17 03:05:48 808,720 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-06-17 03:05:48 210,704 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-06-17 03:05:48 206,608 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-06-17 03:05:48 153,360 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-06-17 03:05:48 1,097,488 ----a-w C:\WINDOWS\system32\pavc.dll
2007-05-22 03:57:09 517,744 ----a-w C:\WINDOWS\system32\skcppl.dll
2007-05-22 03:57:09 468,592 ----a-w C:\WINDOWS\system32\skcbgm.dll
2007-05-22 03:57:09 198,256 ----a-w C:\WINDOWS\system32\skcwmf.dll
2007-05-22 03:57:09 169,584 ----a-w C:\WINDOWS\system32\skcbgm.exe
2007-05-22 03:57:09 145,008 ----a-w C:\WINDOWS\system32\skcbgmf1.dll
2007-05-19 01:44:12 385,024 ----a-w C:\WINDOWS\DownUpdater.exe
2007-05-14 07:02:40 901,120 ----a-w C:\WINDOWS\system32\OIBox.dll
2007-05-06 01:50:48 132,896 ----a-w C:\WINDOWS\pdrinst2.dll
2007-04-13 10:06:40 159,744 ----a-r C:\WINDOWS\system32\fscagent.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 15:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1338688F-F138-F1E8-1A14-F98DBA2DD5EF}]
C:\WINDOWS\System32\jicpfdu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4607707f-70fd-490e-83bc-8bd1632f52dd}]
C:\WINDOWS\System32\xqhscyi.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-03 00:55 126976 --a------ C:\WINDOWS\xhelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EssSpkPhone"="essspk.exe" [2001-09-25 19:47 C:\WINDOWS\essspk.exe]
"S3TRAY2"="S3tray2.exe" [2002-02-21 10:38 C:\WINDOWS\system32\S3tray2.exe]
"HP TV Now"="C:\Program Files\Hewlett-Packard\HP TV Now\HpTvNow.exe" [2002-03-14 15:12]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe" [2002-03-07 20:57]
"CP4HPOT"="C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE" [2002-02-22 14:17]
"hpScannerFirstBoot"="c:\hp\drivers\scanners\scannerfb.exe" [2001-12-13 06:24]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 10:05]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-04 00:47]
"HostManager"="C:\Program Files\Common Files\AOL\1159332216\ee\AOLSoftware.exe" [2006-05-09 19:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 19:24]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 10:47]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= C:\Program Files\Internet Explorer\vikoj.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26368135-64FA-BC34-DA32-DCF4FD431C92}"="C:\WINDOWS\System32\qhbpri.dll" [2004-08-04 12:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=qhbpri.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rewardnet dùœ xùœ üþ
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
grdq
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
C:\WINDOWS\System32\nwizzhuxians.exe
Contents of the 'Scheduled Tasks' folder
2007-07-05 05:00:32 C:\WINDOWS\tasks\At1.job
2007-07-03 05:29:45 C:\WINDOWS\tasks\At10.job
2007-07-03 05:29:49 C:\WINDOWS\tasks\At11.job
2007-07-03 05:29:50 C:\WINDOWS\tasks\At12.job
2007-07-05 17:01:37 C:\WINDOWS\tasks\At13.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At14.job
2007-07-03 05:29:52 C:\WINDOWS\tasks\At15.job
2007-07-03 05:29:53 C:\WINDOWS\tasks\At16.job
2007-07-04 21:00:30 C:\WINDOWS\tasks\At17.job
2007-07-03 05:29:59 C:\WINDOWS\tasks\At18.job
2007-07-03 05:30:00 C:\WINDOWS\tasks\At19.job
2007-07-05 06:00:32 C:\WINDOWS\tasks\At2.job
2007-07-05 00:00:40 C:\WINDOWS\tasks\At20.job
2007-07-05 01:00:40 C:\WINDOWS\tasks\At21.job
2007-07-03 05:30:10 C:\WINDOWS\tasks\At22.job
2007-07-03 05:30:11 C:\WINDOWS\tasks\At23.job
2007-07-05 04:00:31 C:\WINDOWS\tasks\At24.job
2007-07-05 07:00:31 C:\WINDOWS\tasks\At3.job
2007-07-04 08:00:30 C:\WINDOWS\tasks\At4.job
2007-07-04 09:00:31 C:\WINDOWS\tasks\At5.job
2007-07-03 05:29:42 C:\WINDOWS\tasks\At6.job
2007-07-03 05:29:43 C:\WINDOWS\tasks\At7.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At8.job
2007-07-03 05:29:44 C:\WINDOWS\tasks\At9.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 15:31:09
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-13 15:32:08
C:\ComboFix-quarantined-files.txt ... 2007-07-13 15:31
C:\ComboFix2.txt ... 2007-07-09 18:13
C:\ComboFix3.txt ... 2007-07-09 13:18
--- E O F ---
#13
Posted 21 July 2007 - 10:37 PM
Sorry; your post sort of got lost in the cracks somehow.
If you still need help please post a current Combofix/HJT log.
Wouldn't hurt to delete the combofix you have and download a new copy...It's updated OFTEN.