Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

worm.win32.netsky


  • Please log in to reply

#1
fffuturama

fffuturama

    Member

  • Member
  • PipPip
  • 13 posts
just trying to fix this i got started, help please

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:51 PM, on 2/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SXG Advisor - {05CDA8E1-0F88-47BE-8BA0-39C84373432F} - C:\WINNT\dntpkwomwx.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5BD6E6E2-1BEE-4BEC-B653-DE8E146BEAF7} - C:\WINNT\system32\mlljj.dll (file missing)
O2 - BHO: {dec75efa-ecbf-f278-b2e4-a04a8ac89aaa} - {aaa98ca8-a40a-4e2b-872f-fbceafe57ced} - C:\WINNT\system32\mrwpyrft.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ekxdvft - {B3A57C90-D66D-42D7-AAC2-CBB2841008BD} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ekxdvft.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmlnl.exe] C:\WINNT\system32\dmlnl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ece465ef] rundll32.exe "C:\WINNT\system32\ftpcjkqy.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
O20 - Winlogon Notify: pmnnkkj - pmnnkkj.dll (file missing)
O21 - SSODL: adsoowf - {D2DBD606-8859-4DAB-9C59-43CEA7BE951F} - C:\WINNT\adsoowf.dll
O21 - SSODL: bgrlsmn - {706891C1-5271-4EE9-ABB5-11B661DC5066} - C:\WINNT\bgrlsmn.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 7768 bytes

Edited by fffuturama, 02 February 2008 - 04:03 PM.

  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello fffuturama

Welcome to G2Go. :)
================
Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).
===============================================
Next:

Then Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
this is for the FixWareout, i am going to do the combofix now and post it with the log

Username "Administrator" - 02/02/2008 16:15:48 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmlnl"
HKLM\SOFTWARE\~\Winlogon\ "System"="csttr.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.94 85.255.112.19" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1trap" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "2trap" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "rttsc" Value deleted
HKCR\CLSID\{A7436DA4-16AE-46C5-9E0D-BBFB4D585B4C}\_h\4 Deleted.
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMax"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\K-Lite Codec Pack\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"ece465ef"="rundll32.exe \"C:\\WINNT\\system32\\ftpcjkqy.dll\",b"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"BitTorrent DNA"="\"C:\\Program Files\\DNA\\btdna.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
  • 0

#4
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ComboFix 08-02.03.1 - Administrator 02/02/2008 16:34:44.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.717 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\ShoppingReport
C:\Documents and Settings\Administrator\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINNT\cookies.ini
C:\WINNT\dat.txt
C:\WINNT\privacy_danger
C:\WINNT\privacy_danger\images\capt.gif
C:\WINNT\privacy_danger\images\danger.jpg
C:\WINNT\privacy_danger\images\down.gif
C:\WINNT\privacy_danger\images\spacer.gif
C:\WINNT\privacy_danger\index.htm
C:\WINNT\rs.txt
C:\WINNT\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 16:15 . 08-02-02 16:23 <DIR> d-------- C:\fixwareout
2008-02-02 14:05 . 08-02-02 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 13:19 . 08-02-01 11:01 319,488 --a------ C:\WINNT\dntpkwomwx.dll
2008-02-01 13:19 . 08-02-01 11:01 274,432 --a------ C:\WINNT\bgrlsmn.dll
2008-02-01 13:19 . 08-02-01 11:01 262,144 --a------ C:\WINNT\adsoowf.dll
2008-02-01 13:19 . 08-02-01 11:01 172,032 --a------ C:\WINNT\ekxdvft.dll
2008-02-01 13:19 . 08-02-01 11:01 81,920 --a------ C:\WINNT\ffvrdgt.exe
2008-01-25 20:03 . 08-01-25 20:05 <DIR> d-------- C:\Program Files\Age Of Wonders
2008-01-20 14:39 . 08-01-22 10:06 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-20 14:39 . 08-01-20 14:39 1,409 --a------ C:\WINNT\QTFont.for
2008-01-14 03:01 . 08-01-14 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-14 01:11 . 08-01-17 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-01-14 01:10 . 08-01-14 01:10 <DIR> d-------- C:\Program Files\DNA
2008-01-14 01:10 . 08-01-14 01:10 <DIR> d-------- C:\Program Files\BitTorrent
2008-01-14 01:10 . 08-02-02 16:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DNA
2008-01-13 18:11 . 08-01-13 18:11 <DIR> d-------- C:\Program Files\Photo Viewer
2008-01-13 18:06 . 08-01-13 18:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-01-13 18:06 . 08-01-13 18:06 82,380 --a------ C:\WINNT\system32\drivers\AFS2K.SYS
2008-01-13 18:05 . 03-06-19 13:05 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2008-01-13 18:05 . 03-06-19 13:05 12,592 --a--c--- C:\WINNT\system32\dllcache\usbscan.sys
2008-01-13 18:04 . 08-01-13 18:04 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-13 18:00 . 08-01-13 18:03 <DIR> d-------- C:\col4309
2008-01-13 17:52 . 08-01-13 17:52 <DIR> d-------- C:\Program Files\Bonjour
2008-01-13 17:50 . 08-01-13 17:50 <DIR> d-------- C:\WINNT\system32\BWKDLogs
2008-01-13 17:49 . 08-01-13 17:49 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-01-13 17:48 . 08-01-13 17:48 <DIR> d-------- C:\WINNT\system32\color
2008-01-13 17:48 . 08-01-13 17:48 <DIR> d-------- C:\KPCMS
2008-01-13 17:39 . 08-01-13 17:51 <DIR> d-------- C:\Program Files\Kodak
2008-01-13 17:39 . 08-01-13 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-07 19:24 . 08-01-07 19:24 <DIR> dr------- C:\Program Files\Liquid Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 22:46 --------- d---a-w C:\Program Files\Steam
2008-02-02 06:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-02 01:42 --------- d-----w C:\Program Files\DivX
2008-01-30 03:00 43,520 ----a-w C:\WINNT\system32\CmdLineExt03.dll
2008-01-14 00:06 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-13 23:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 20:37 --------- d-----w C:\Program Files\World of Warcraft
2007-12-26 20:16 --------- d-----w C:\Program Files\iTunes
2007-12-26 20:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-26 20:15 --------- d-----w C:\Program Files\iPod
2007-12-26 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-26 19:27 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-26 19:26 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2007-12-26 19:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-26 19:20 --------- d-----w C:\Program Files\Nero
2007-12-23 07:22 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-22 22:55 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\yahoo!
2007-12-21 21:08 --------- d-----w C:\Program Files\Ventrilo
2007-12-21 21:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 00:51 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-21 00:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2007-12-11 21:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-10 22:04 --------- d-----w C:\Program Files\AIM6
2007-12-10 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-10 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-10 21:57 --------- d-----w C:\Program Files\Viewpoint
2007-12-10 21:56 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-02 08:55 21,840 ----atw C:\WINNT\system32\SIntfNT.dll
2007-11-02 08:55 17,212 ----atw C:\WINNT\system32\SIntf32.dll
2007-11-02 08:55 12,067 ----atw C:\WINNT\system32\SIntf16.dll
2007-11-02 08:37 94,208 ----a-w C:\WINNT\DIIUnin.exe
2004-01-01 20:59 271 ---h--w C:\Program Files\desktop.ini
2004-01-01 20:59 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2007-10-21 20:26 50,438 --sha-w C:\WINNT\system32\jjllm.bak1
2007-10-23 20:27 55,693 --sha-w C:\WINNT\system32\jjllm.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05CDA8E1-0F88-47BE-8BA0-39C84373432F}]
08-02-01 11:01 319488 --a------ C:\WINNT\dntpkwomwx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BD6E6E2-1BEE-4BEC-B653-DE8E146BEAF7}]
C:\WINNT\system32\mlljj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aaa98ca8-a40a-4e2b-872f-fbceafe57ced}]
C:\WINNT\system32\mrwpyrft.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467}
{B3A57C90-D66D-42D7-AAC2-CBB2841008BD}

[HKEY_CLASSES_ROOT\clsid\{b3a57c90-d66d-42d7-aac2-cbb2841008bd}]
[HKEY_CLASSES_ROOT\ekxdvft.1]
[HKEY_CLASSES_ROOT\TypeLib\{85386565-ED72-48A5-897D-6013E9175146}]
[HKEY_CLASSES_ROOT\ekxdvft]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06-11-16 19:04 139264]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-08-30 16:43 4670704]
"Steam"="C:\Program Files\Steam\Steam.exe" [04-01-01 00:08 1266936]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [07-10-04 09:20 50528]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [08-01-14 01:10 290112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [06-03-09 15:29 7561216]
"nwiz"="nwiz.exe" [06-03-09 15:29 1519616 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [06-03-09 15:29 86016]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 02:48 36975]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [06-01-12 15:40 155648]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [06-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 256576]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-11-19 08:27 196608]
"ece465ef"="C:\WINNT\system32\ftpcjkqy.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-01-28 14:27 579072]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [02-04-17 10:42 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-10-26 13:44 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2004-01-03 19:44:24 262144]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"adsoowf"= {D2DBD606-8859-4DAB-9C59-43CEA7BE951F} - C:\WINNT\adsoowf.dll [08-02-01 11:01 262144]
"bgrlsmn"= {706891C1-5271-4EE9-ABB5-11B661DC5066} - C:\WINNT\bgrlsmn.dll [08-02-01 11:01 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnkkj]
pmnnkkj.dll

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [07-10-23 21:13 ]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [07-01-04 15:38 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 13:05 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 16:45:35
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\Explorer.EXE [5.00.3700.6690]
-> C:\WINNT\bgrlsmn.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-02 16:54:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 22:54:14
.
2008-01-14 09:01:17 --- E O F ---
  • 0

#5
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
sorry about so many posts in a row

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:40 PM, on 2/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SXG Advisor - {05CDA8E1-0F88-47BE-8BA0-39C84373432F} - C:\WINNT\dntpkwomwx.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5BD6E6E2-1BEE-4BEC-B653-DE8E146BEAF7} - C:\WINNT\system32\mlljj.dll (file missing)
O2 - BHO: {dec75efa-ecbf-f278-b2e4-a04a8ac89aaa} - {aaa98ca8-a40a-4e2b-872f-fbceafe57ced} - C:\WINNT\system32\mrwpyrft.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ekxdvft - {B3A57C90-D66D-42D7-AAC2-CBB2841008BD} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ekxdvft.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ece465ef] rundll32.exe "C:\WINNT\system32\ftpcjkqy.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
O20 - Winlogon Notify: pmnnkkj - pmnnkkj.dll (file missing)
O21 - SSODL: adsoowf - {D2DBD606-8859-4DAB-9C59-43CEA7BE951F} - C:\WINNT\adsoowf.dll
O21 - SSODL: bgrlsmn - {706891C1-5271-4EE9-ABB5-11B661DC5066} - C:\WINNT\bgrlsmn.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 7597 bytes
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No problem about the amount of posts. :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\dntpkwomwx.dll
C:\WINNT\bgrlsmn.dll
C:\WINNT\adsoowf.dll
C:\WINNT\ekxdvft.dll
C:\WINNT\ffvrdgt.exe
C:\WINNT\system32\jjllm.bak1
C:\WINNT\system32\jjllm.bak2
C:\WINNT\system32\mlljj.dll
C:\WINNT\system32\mrwpyrft.dll
C:\WINNT\system32\ftpcjkqy.dll
Folder::
C:\fixwareout
C:\col4309
C:\WINNT\privacy_danger
C:\Program Files\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05CDA8E1-0F88-47BE-8BA0-39C84373432F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BD6E6E2-1BEE-4BEC-B653-DE8E146BEAF7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aaa98ca8-a40a-4e2b-872f-fbceafe57ced}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3A57C90-D66D-42D7-AAC2-CBB2841008BD}"=-
[-HKEY_CLASSES_ROOT\clsid\{b3a57c90-d66d-42d7-aac2-cbb2841008bd}]
[-HKEY_CLASSES_ROOT\ekxdvft.1]
[-HKEY_CLASSES_ROOT\TypeLib\{85386565-ED72-48A5-897D-6013E9175146}]
[-HKEY_CLASSES_ROOT\ekxdvft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ece465ef"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"adsoowf"=-
"bgrlsmn"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnkkj]
Driver::
Viewpoint Manager Service


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#7
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ComboFix 08-02.03.1 - Administrator 02/02/2008 17:20:42.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.687 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINNT\adsoowf.dll
C:\WINNT\bgrlsmn.dll
C:\WINNT\dntpkwomwx.dll
C:\WINNT\ekxdvft.dll
C:\WINNT\ffvrdgt.exe
C:\WINNT\system32\ftpcjkqy.dll
C:\WINNT\system32\jjllm.bak1
C:\WINNT\system32\jjllm.bak2
C:\WINNT\system32\mlljj.dll
C:\WINNT\system32\mrwpyrft.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\col4309
C:\col4309\1028.mst
C:\col4309\1029.mst
C:\col4309\1030.mst
C:\col4309\1031.mst
C:\col4309\1032.mst
C:\col4309\1033.mst
C:\col4309\1034.mst
C:\col4309\1035.mst
C:\col4309\1036.mst
C:\col4309\1038.mst
C:\col4309\1040.mst
C:\col4309\1041.mst
C:\col4309\1042.mst
C:\col4309\1043.mst
C:\col4309\1044.mst
C:\col4309\1045.mst
C:\col4309\1046.mst
C:\col4309\1049.mst
C:\col4309\1053.mst
C:\col4309\1055.mst
C:\col4309\2052.mst
C:\col4309\ACUECO~1.cab
C:\col4309\ALBUMP~1.cab
C:\col4309\Common\Hewlett-Packard\Scanjet\hpsj3970s.spf
C:\col4309\Common\Hewlett-Packard\Scanjet\hpsj3970t.spf
C:\col4309\CUC780~1.cab
C:\col4309\CUESHA~1.cab
C:\col4309\CUESHA~2.cab
C:\col4309\CUESHA~3.cab
C:\col4309\CUESHA~4.cab
C:\col4309\DIRECT~1.cab
C:\col4309\DIZZYC~1.cab
C:\col4309\FRU10.cab
C:\col4309\HP Photo and Imaging 2.2 - Scanjet 3970 Series.msi
C:\col4309\HPIS10.cab
C:\col4309\HPMD\1028.mst
C:\col4309\HPMD\1029.mst
C:\col4309\HPMD\1030.mst
C:\col4309\HPMD\1031.mst
C:\col4309\HPMD\1032.mst
C:\col4309\HPMD\1033.mst
C:\col4309\HPMD\1034.mst
C:\col4309\HPMD\1035.mst
C:\col4309\HPMD\1036.mst
C:\col4309\HPMD\1038.mst
C:\col4309\HPMD\1040.mst
C:\col4309\HPMD\1041.mst
C:\col4309\HPMD\1042.mst
C:\col4309\HPMD\1043.mst
C:\col4309\HPMD\1044.mst
C:\col4309\HPMD\1045.mst
C:\col4309\HPMD\1046.mst
C:\col4309\HPMD\1049.mst
C:\col4309\HPMD\1053.mst
C:\col4309\HPMD\1055.mst
C:\col4309\HPMD\2052.mst
C:\col4309\HPMD\hpmdinst.msi
C:\col4309\HPSHAR~1.cab
C:\col4309\IMAGEE~1.cab
C:\col4309\instmsiA.exe
C:\col4309\instmsiW.exe
C:\col4309\PHEDB5~1.cab
C:\col4309\PHOTOP~1.cab
C:\col4309\PHOTOV~1.cab
C:\col4309\PHOTOV~2.cab
C:\col4309\PHOTOV~3.cab
C:\col4309\PHOTOV~4.cab
C:\col4309\program files\Hewlett-Packard\Digital Imaging\bin\hpqe3970.dll
C:\col4309\program files\Hewlett-Packard\Digital Imaging\bin\TwainCtrl.dll
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Data\DefaultScanSettings\3970.ini
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Data\DefaultScanSettings\DizzyInis.dll
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Data\Scanner.ini
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Data\ScDirCfg.dll
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Migrate\hpgt3970.cat
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Migrate\hpgt3970.dll
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Migrate\hpgt3970.inf
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Migrate\hpgwiamd.dll
C:\col4309\program files\Hewlett-Packard\Digital Imaging\Migrate\hpqgends.tmp
C:\col4309\SCANNE~1.cab
C:\col4309\SCANNE~2.cab
C:\col4309\SCANSP~1.cab
C:\col4309\setup.exe
C:\col4309\setup.ini
C:\col4309\Sherlock.cab
C:\col4309\System32\98\hpgwiamd.dll
C:\col4309\System32\hpgt3970.dll
C:\col4309\System32\hpgwiamd.dll
C:\col4309\WebReg10.cab
C:\col4309\Windows\inf\catalog\hpgt3970.cat
C:\col4309\Windows\inf\hpgt3970.inf
C:\col4309\Windows\TWAIN.DLL
C:\col4309\Windows\twain_32\hpqgends.tmp
C:\col4309\Windows\twain_32Dut\TWAIN_32.DLL
C:\col4309\Windows\twain_32Eng\TWAIN_32.DLL
C:\col4309\Windows\twain_32Fre\TWAIN_32.DLL
C:\col4309\Windows\twain_32Ger\TWAIN_32.DLL
C:\col4309\Windows\twain_32Ita\TWAIN_32.DLL
C:\col4309\Windows\twain_32Kor\TWAIN_32.DLL
C:\col4309\Windows\twain_32Por\TWAIN_32.DLL
C:\col4309\Windows\twain_32SCh\TWAIN_32.DLL
C:\col4309\Windows\twain_32Spa\TWAIN_32.DLL
C:\col4309\Windows\twain_32TCh\TWAIN_32.DLL
C:\col4309\Windows\twainEng\TWAIN.DLL
C:\col4309\Windows\twainFre\TWAIN.DLL
C:\col4309\Windows\twainGer\TWAIN.DLL
C:\col4309\Windows\twainIta\TWAIN.DLL
C:\col4309\Windows\twainKor\TWAIN.DLL
C:\col4309\Windows\twainPor\TWAIN.DLL
C:\col4309\Windows\twainSCh\TWAIN.DLL
C:\col4309\Windows\twainSpa\TWAIN.DLL
C:\col4309\Windows\twainTCh\TWAIN.DLL
C:\col4309\Windows\TWUNK_16.EXE
C:\col4309\Windows\TWUNK_32.EXE
C:\fixwareout
C:\fixwareout\dnsbak.reg
C:\fixwareout\FindT\clsid.bak
C:\fixwareout\FindT\dumphive.exe
C:\fixwareout\FindT\FixWareOut.reg
C:\fixwareout\FindT\nircmd.exe
C:\fixwareout\FindT\patterns.txt
C:\fixwareout\FindT\rbot.bat
C:\fixwareout\FindT\RestartIt.exe
C:\fixwareout\FindT\runback.txt
C:\fixwareout\FindT\runs.vbs
C:\fixwareout\FindT\swreg.exe
C:\fixwareout\FindT\vfind.exe
C:\fixwareout\FindT\XP-2K2.cmd
C:\fixwareout\FixIt.BAT
C:\fixwareout\report.txt
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Manager\CPtask.xml
C:\Program Files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\WINNT\adsoowf.dll
C:\WINNT\bgrlsmn.dll
C:\WINNT\dntpkwomwx.dll
C:\WINNT\ekxdvft.dll
C:\WINNT\ffvrdgt.exe
C:\WINNT\system32\jjllm.bak1
C:\WINNT\system32\jjllm.bak2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VIEWPOINT_MANAGER_SERVICE
-------\Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 17:20 . 08-02-02 17:20 3 --a------ C:\WINNT\Twain001.Mtx
2008-02-02 14:05 . 08-02-02 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 20:03 . 08-01-25 20:05 <DIR> d-------- C:\Program Files\Age Of Wonders
2008-01-20 14:39 . 08-01-22 10:06 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-20 14:39 . 08-01-20 14:39 1,409 --a------ C:\WINNT\QTFont.for
2008-01-14 03:01 . 08-01-14 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-14 01:11 . 08-01-17 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-01-14 01:10 . 08-01-14 01:10 <DIR> d-------- C:\Program Files\DNA
2008-01-14 01:10 . 08-01-14 01:10 <DIR> d-------- C:\Program Files\BitTorrent
2008-01-14 01:10 . 08-02-02 17:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DNA
2008-01-13 18:11 . 08-01-13 18:11 <DIR> d-------- C:\Program Files\Photo Viewer
2008-01-13 18:06 . 08-01-13 18:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-01-13 18:06 . 08-01-13 18:06 82,380 --a------ C:\WINNT\system32\drivers\AFS2K.SYS
2008-01-13 18:05 . 03-06-19 13:05 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2008-01-13 18:05 . 03-06-19 13:05 12,592 --a--c--- C:\WINNT\system32\dllcache\usbscan.sys
2008-01-13 18:04 . 08-01-13 18:04 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-13 17:52 . 08-01-13 17:52 <DIR> d-------- C:\Program Files\Bonjour
2008-01-13 17:50 . 08-01-13 17:50 <DIR> d-------- C:\WINNT\system32\BWKDLogs
2008-01-13 17:49 . 08-01-13 17:49 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-01-13 17:48 . 08-01-13 17:48 <DIR> d-------- C:\WINNT\system32\color
2008-01-13 17:48 . 08-01-13 17:48 <DIR> d-------- C:\KPCMS
2008-01-13 17:39 . 08-01-13 17:51 <DIR> d-------- C:\Program Files\Kodak
2008-01-13 17:39 . 08-01-13 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-07 19:24 . 08-01-07 19:24 <DIR> dr------- C:\Program Files\Liquid Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 22:49 --------- d---a-w C:\Program Files\Steam
2008-02-02 06:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-02 01:42 --------- d-----w C:\Program Files\DivX
2008-01-14 00:06 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-13 23:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 20:37 --------- d-----w C:\Program Files\World of Warcraft
2007-12-26 20:16 --------- d-----w C:\Program Files\iTunes
2007-12-26 20:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-26 20:15 --------- d-----w C:\Program Files\iPod
2007-12-26 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-26 19:27 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-26 19:26 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2007-12-26 19:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-26 19:20 --------- d-----w C:\Program Files\Nero
2007-12-23 07:22 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-22 22:55 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\yahoo!
2007-12-21 21:08 --------- d-----w C:\Program Files\Ventrilo
2007-12-21 21:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 00:51 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-21 00:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2007-12-11 21:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-10 22:04 --------- d-----w C:\Program Files\AIM6
2007-12-10 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-10 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-10 21:56 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-02 08:37 94,208 ----a-w C:\WINNT\DIIUnin.exe
2004-01-01 20:59 271 ---h--w C:\Program Files\desktop.ini
2004-01-01 20:59 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06-11-16 19:04 139264]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-08-30 16:43 4670704]
"Steam"="C:\Program Files\Steam\Steam.exe" [04-01-01 00:08 1266936]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [07-10-04 09:20 50528]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [08-01-14 01:10 290112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [06-03-09 15:29 7561216]
"nwiz"="nwiz.exe" [06-03-09 15:29 1519616 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [06-03-09 15:29 86016]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [05-04-13 02:48 36975]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [06-01-12 15:40 155648]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [06-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 256576]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-11-19 08:27 196608]
"ece465ef"="C:\WINNT\system32\ftpcjkqy.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-01-28 14:27 579072]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [02-04-17 10:42 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-10-26 13:44 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus.lnk - C:\Program Files\D-Link AirPlus\AirPlus.exe [2004-01-03 19:44:24 262144]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 23:11:40 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [07-10-23 21:13 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 13:05 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 17:36:13
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-02 17:45:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 23:44:38
ComboFix2.txt 2008-02-02 22:54:29
.
2008-01-14 09:01:17 --- E O F ---
  • 0

#8
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:17 PM, on 2/2/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ece465ef] rundll32.exe "C:\WINNT\system32\ftpcjkqy.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.19
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--
End of file - 6491 bytes
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I am very sorry but I mistook this folder >C:\col4309 to be malware because of the funny name.

Go to C:\Qoobox and then open it.
Find this folder in it >col4309 it will have this extention > .vir right click on that folder and choose rename.
Then just remove the .vir extention from it.
Then right click on that same folder and choose Cut.
Then go back to the C:\ Drive and paste it there.
Then you should be back in buisness.

Very sorry about that.
=======================================
After that please Fix this with Hiajckthis

O4 - HKLM\..\Run: [ece465ef] rundll32.exe "C:\WINNT\system32\ftpcjkqy.dll",b

then close Hijackthis.
==================
After that Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#10
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
i found the folder but there is no >vir. on the name, but everything inside the folder has that on it
  • 0

Advertisements


#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok well unfortunately you will have to Cut and paste that folder back onto the C:\Drive and rename all of those files in it by removing the .vir extention on it.
Again I am sorry.

Edited by kahdah, 02 February 2008 - 06:38 PM.
spelling

  • 0

#12
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
we don't use internet explorer is that a problem for this part, we still have it but we use mozilla firefox

After that Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes just for now use Internet explorer.
It won't work with Firefox.

Thank you. :)
  • 0

#14
fffuturama

fffuturama

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 02, 2008 9:34:54 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 546149
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
G:\
Scan Statistics
Total number of scanned objects 38286
Number of viruses found 8
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 01:30:33

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Application Data\Aim\szruwffy\fffuturama\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Aim\szruwffy\fffuturama\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-49cfd623.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-49cfd623.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-70408ee2.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-70408ee2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4477ad6a.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4477ad6a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-2b0e2f8d.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-2b0e2f8d.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\installments\Nero-7.5.9.0A_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Administrator\Desktop\installments\Nero-7.5.9.0A_eng.exe RAR: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\data\cl3csoccerguy\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2e2qr4gt.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000001.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\QooBox\Quarantine\C\WINNT\adsoowf.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.asf skipped
C:\QooBox\Quarantine\C\WINNT\bgrlsmn.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.arc skipped
C:\QooBox\Quarantine\C\WINNT\dntpkwomwx.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.asg skipped
C:\QooBox\Quarantine\C\WINNT\ekxdvft.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.ase skipped
C:\QooBox\Quarantine\C\WINNT\ffvrdgt.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.ash skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{E9392CF9-69CE-42CE-B1C1-58163E4119DB}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\drivers\sptd.sys Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Administrator\Desktop\installments\Nero-7.5.9.0A_eng.exe
Folder::
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-49cfd623.zip
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-70408ee2.zip
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4477ad6a.zip
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-2b0e2f8d.zip


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP