Win32:TratBHO [Trj] [RESOLVED]



#16
checkyoulater
  • Topic Starter
  • Member
  • 25 posts
2 things before I restore the lost hijacked files....

I had to reboot the MoveIt thing, so I lost the green area that I'm supposed to make a copy of :)

I downloaded ERUNT and ran it, but when I clicked save (to the folder that was suggested) I kept receiving errors, RegCreateKeyEx: 5 - Access Denied; that happened about 9 times until finally it said registry backup complete (I just kept clicking yes, by the way, to continue).

#17
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
OK, just go ahead and restore those backups; be careful that you don't restore the malware entries.

Then reboot and post a new DSS log and the OTMoveIt results, which should be in the folder C:\OTMoveIt2

#18
checkyoulater
  • Topic Starter
  • Member
  • 25 posts
I'm really hating Vista right now... I just skipped ahead to the restore as you said... but again I came upon an error...

I think it was referring to the localhost thing (the first one you said to put a check on): path/file access error

After clicking yes... a pop-up came up saying HijackThis has stopped working... should I hit "close program"? << Well, I did, since there was really no other choice. I'm rebooting now and will post the DSS and MoveIt logs as soon as it's done :)

Edited by checkyoulater, 10 February 2008 - 03:13 PM.


#19
checkyoulater
  • Topic Starter
  • Member
  • 25 posts
Here goes... (keeping my fingers crossed)

MoveIt log...

File move failed. C:\Windows\mrofinu1044.exe scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\system32\nnnklkk.dll
C:\Windows\system32\nnnklkk.dll NOT unregistered.
File move failed. C:\Windows\system32\nnnklkk.dll scheduled to be moved on reboot.
File/Folder G:\RavMon.exe not found.
File/Folder C:\Users\benito\AppData\Local\Temp\ssttq.dll not found.
DllUnregisterServer procedure not found in C:\Users\benito\AppData\Local\Temp\vtutt.dll
C:\Users\benito\AppData\Local\Temp\vtutt.dll NOT unregistered.
File move failed. C:\Users\benito\AppData\Local\Temp\vtutt.dll scheduled to be moved on reboot.
[Custom Input]
< purity >

OTMoveIt2 v1.0.19 log created on 02112008_045207


Then the new DSS log...

Deckard's System Scanner v20071014.68
Run by benito on 2008-02-11 05:14:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis (run as benito.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:17 AM, on 2/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Users\benito\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\benito.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philmug.p...isplay.php?f=60
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnnklkk.dll,#1
O4 - HKLM\..\Run: [runner1] C:\Windows\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\benito\AppData\Local\Temp\ddabc.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\benito\AppData\Local\Temp\vtutt.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5547 bytes

-- Files created between 2008-01-11 and 2008-02-11 -----------------------------

2008-02-08 10:56:05 0 d-------- C:\VundoFix Backups
2008-02-02 12:10:26 0 d-------- C:\Program Files\Trend Micro
2008-01-28 22:13:06 32 --a------ C:\Users\All Users\ezsid.dat
2008-01-27 13:32:56 0 d-------- C:\Program Files\Microsoft Works
2008-01-27 13:26:43 0 d-------- C:\Program Files\Microsoft.NET
2008-01-27 13:21:07 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-27 13:17:13 0 d-------- C:\Users\All Users\Microsoft Help
2008-01-27 13:16:19 0 dr-h----- C:\MSOCache
2008-01-27 01:06:32 36864 --a------ C:\Windows\mrofinu1044.exe
2008-01-27 01:06:05 38400 --a------ C:\Windows\system32\nnnklkk.dll
2008-01-26 23:12:12 0 d-------- C:\Users\All Users\FLEXnet
2008-01-26 22:53:09 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-26 14:34:26 0 d-------- C:\Windows\WinRAR
2008-01-26 11:34:18 0 d-------- C:\Program Files\Java
2008-01-26 11:28:23 0 d-------- C:\Program Files\Common Files\Java
2008-01-24 16:23:45 0 d-------- C:\Program Files\WinSCP
2008-01-23 16:30:43 0 d-------- C:\Program Files\AviSynth 2.5
2008-01-23 16:30:35 0 d-------- C:\Program Files\Red Kawa
2008-01-22 14:05:27 0 d-------- C:\Windows\SoftwareDistribution
2008-01-22 14:02:47 0 d-------- C:\Windows\Debug
2008-01-22 14:02:46 0 d-------- C:\Windows\CSC
2008-01-22 13:57:08 0 d-------- C:\Windows\Prefetch
2008-01-22 13:55:45 0 d-------- C:\Windows\Panther
2008-01-22 11:53:10 0 d--hs---- C:\Boot
2008-01-22 11:31:07 0 d-------- C:\Windows.old
2008-01-22 06:11:34 0 d-------- C:\Users\All Users\Yahoo!
2008-01-22 06:11:18 0 d-------- C:\Users\All Users\NVIDIA
2008-01-22 02:12:05 0 d-------- C:\Windows\PCHEALTH
2008-01-22 02:03:40 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 02:03:09 0 d-------- C:\Program Files\Windows Live
2008-01-22 02:02:39 0 d-------- C:\Users\All Users\WLInstaller
2008-01-22 01:59:46 0 d-------- C:\Program Files\Skype
2008-01-22 01:59:45 0 d-------- C:\Program Files\Common Files\Skype
2008-01-22 01:59:33 0 d-------- C:\Users\All Users\Skype
2008-01-22 01:47:29 0 d-------- C:\Windows\system32\Macromed
2008-01-22 01:44:34 0 d-------- C:\Program Files\Yahoo!
2008-01-22 01:33:53 0 d-------- C:\Program Files\Handbrake
2008-01-22 01:29:55 0 d-------- C:\Program Files\uTorrent
2008-01-22 01:29:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-22 01:28:56 0 d-------- C:\Users\All Users\Adobe
2008-01-22 01:28:10 0 d-------- C:\Windows\Downloaded Installations
2008-01-21 23:41:23 0 d-------- C:\Program Files\iPod
2008-01-21 23:41:08 0 d-------- C:\Program Files\iTunes
2008-01-21 23:39:50 0 d-------- C:\Program Files\Bonjour
2008-01-21 23:38:46 0 d-------- C:\Program Files\QuickTime
2008-01-21 23:38:40 0 d-------- C:\Users\All Users\Apple Computer
2008-01-21 23:37:51 0 d-------- C:\Program Files\Apple Software Update
2008-01-21 23:36:32 0 d-------- C:\Program Files\Common Files\Apple
2008-01-21 23:36:28 0 d-------- C:\Users\All Users\Apple
2008-01-21 23:35:48 0 d--hs---- C:\Windows\Installer
2008-01-21 23:18:59 0 d-------- C:\Program Files\Alwil Software
2008-01-21 23:03:00 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-01-21 22:17:40 0 dr------- C:\Users\benito\Searches
2008-01-21 22:17:00 0 dr------- C:\Users\benito\Contacts
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Templates
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Start Menu
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\SendTo
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Recent
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\PrintHood
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\NetHood
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\My Documents
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Local Settings
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Cookies
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Application Data
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Videos
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Saved Games
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Pictures
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Music
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Links
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Favorites
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Downloads
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Documents
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Desktop
2008-01-21 22:16:40 0 d--h----- C:\Users\benito\AppData
2008-01-21 22:16:39 1310720 --ahs---- C:\Users\benito\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-02-08 10:57:06 0 d-------- C:\Users\benito\AppData\Roaming\uTorrent
2008-02-01 02:38:09 0 d-------- C:\Users\benito\AppData\Roaming\Media Player Classic
2008-01-29 02:27:34 0 d-------- C:\Users\benito\AppData\Roaming\Skype
2008-01-29 00:03:07 0 d-------- C:\Users\benito\AppData\Roaming\skypePM
2008-01-27 13:32:11 0 d-------- C:\Program Files\MSBuild
2008-01-27 13:30:39 0 d-------- C:\Program Files\Common Files
2008-01-26 23:20:19 0 d-------- C:\Users\benito\AppData\Roaming\Adobe
2008-01-25 00:51:55 0 d-------- C:\Users\benito\AppData\Roaming\Leadertech
2008-01-24 16:39:17 0 d-------- C:\Users\benito\AppData\Roaming\WinRAR
2008-01-22 16:54:03 0 d-------- C:\Users\benito\AppData\Roaming\Mozilla
2008-01-22 12:54:06 0 d-------- C:\Users\benito\AppData\Roaming\Apple Computer
2008-01-22 01:51:20 0 d-------- C:\Users\benito\AppData\Roaming\Macromedia
2008-01-21 23:16:12 174 --ahs---- C:\Program Files\desktop.ini
2008-01-21 23:11:03 0 d-------- C:\Program Files\Windows Calendar
2008-01-21 23:11:02 0 d-------- C:\Program Files\Windows Mail
2008-01-21 23:11:01 0 d-------- C:\Program Files\Windows Defender
2008-01-21 23:10:58 0 d-------- C:\Program Files\Windows Sidebar
2008-01-21 22:17:12 0 d-------- C:\Users\benito\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/21/2008 11:02 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"SoundMan"="SOUNDMAN.EXE" [03/09/2007 04:28 PM C:\Windows\SOUNDMAN.EXE]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"MSServer"="C:\Windows\system32\nnnklkk.dll" [01/27/2008 01:06 AM]
"runner1"="C:\Windows\mrofinu1044.exe" [01/27/2008 01:06 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"="C:\Users\benito\AppData\Local\Temp\ddabc.dll,#1" []
"cmds"="C:\Users\benito\AppData\Local\Temp\vtutt.dll,c" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{446624E1-B767-4443-AA6E-0F355CAFD21B}"= C:\Windows\system32\nnnklkk.dll [01/27/2008 01:06 AM 38400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{038819f6-cae5-11dc-9849-001109dafb52}]
Auto\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0477d1-c84f-11dc-88a9-001109dafb52}]
AutoRun\command- G:\RavMon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-02-11 05:16:23 ------------

#20
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

1 - Flash Drive Disinfector
  • Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnnklkk.dll,#1
O4 - HKLM\..\Run: [runner1] C:\Windows\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\benito\AppData\Local\Temp\ddabc.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\benito\AppData\Local\Temp\vtutt.dll,c


2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please run OTMoveIt2 by OldTimer again.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\mrofinu1044.exe
    C:\Windows\system32\nnnklkk.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
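The four O4 entries Rorschach112 singles out share traits a triage script can flag without knowing the file names in advance: rundll32.exe loading a DLL out of the user's Temp folder, an entry point given as an ordinal (#1) or a single letter, an executable sitting directly in C:\Windows, and a creation date a couple of weeks before the scan in the DSS "Files created" section. This Python script is an added example (the editor's own heuristics, not HijackThis or DSS logic, and not code from this thread); the sample lines are a constructed subset of the logs quoted above, and the 30-day "recent" window is an assumption.

```python
"""Triage HijackThis O4 (Run-key) entries and correlate them with the DSS
"Files created" section. Editor-added example; the heuristics are the
editor's own, not HijackThis or DSS logic."""
import re
from datetime import datetime

# Constructed subset of the HijackThis O4 lines quoted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnnklkk.dll,#1
O4 - HKLM\..\Run: [runner1] C:\Windows\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\benito\AppData\Local\Temp\ddabc.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\benito\AppData\Local\Temp\vtutt.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# Constructed subset of the DSS "Files created between ..." section.
SAMPLE_DSS_CREATED = r"""
2008-02-02 12:10:26 0 d-------- C:\Program Files\Trend Micro
2008-01-27 01:06:32 36864 --a------ C:\Windows\mrofinu1044.exe
2008-01-27 01:06:05 38400 --a------ C:\Windows\system32\nnnklkk.dll
"""
SCAN_DATE = datetime(2008, 2, 11)  # "Run by benito on 2008-02-11" in the DSS header

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LOADER_RE = re.compile(r"rundll32(?:\.exe)?\s+", re.I)
# A quoted path, or an unquoted path ending at the first .exe/.dll/.scr/.cpl
# that is followed by whitespace, a comma (rundll32 entry point) or end of line.
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr|cpl))(?=[\s,]|$)', re.I)
DSS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \d+ \S+ (.+)$")
TEMP_DIR = "\\appdata\\local\\temp\\"


def parse_o4(line):
    """Return (hive, name, target_path, rundll32_entry_point) or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    loader = LOADER_RE.match(cmd)
    if loader:                      # rundll32.exe <dll>,<entry point>
        cmd = cmd[loader.end():]
    pm = PATH_RE.match(cmd)
    if pm:
        target, rest = pm.group("q") or pm.group("u"), cmd[pm.end():]
    else:
        target, rest = cmd, ""
    entry = None
    if loader and rest.startswith(","):
        parts = rest[1:].split()
        entry = parts[0] if parts else ""
    return m.group("hive"), m.group("name"), target, entry


def parse_dss_created(text):
    """Map lower-cased path -> creation date for each DSS 'Files created' line."""
    created = {}
    for line in text.splitlines():
        m = DSS_RE.match(line.strip())
        if m:
            created[m.group(2).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d")
    return created


def triage(hjt_text, created, scan_date, recent_days=30):
    """Return [(hive, name, target, reasons)] for Run entries worth a second look."""
    findings = []
    for line in hjt_text.splitlines():
        parsed = parse_o4(line)
        if not parsed:
            continue
        hive, name, target, entry = parsed
        t = target.lower()
        reasons = []
        if entry is not None and TEMP_DIR in t:
            reasons.append("rundll32 loads a DLL from the user's Temp folder")
        if entry is not None and (entry.startswith("#") or len(entry) == 1):
            reasons.append(f"DLL entry point is an ordinal or a single letter ({entry})")
        if re.match(r"c:\\windows\\[^\\]+\.exe$", t):
            reasons.append("executable placed directly in C:\\Windows")
        if t in created:
            age = (scan_date - created[t]).days
            if age <= recent_days:
                reasons.append(f"created {created[t].date()}, {age} days before the scan")
        if reasons:
            findings.append((hive, name, target, reasons))
    return findings


if __name__ == "__main__":
    for hive, name, target, reasons in triage(
            SAMPLE_HJT, parse_dss_created(SAMPLE_DSS_CREATED), SCAN_DATE):
        print(f"{hive} [{name}] {target}")
        for r in reasons:
            print("    - " + r)
```

Running it on the two later logs in this thread side by side also shows the HKCU MSServer DLL name changing between scans (ddabc.dll, then ddccy.dll), which is why the helper keys removal on the Run entries rather than on a fixed file name.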

#21
checkyoulater
  • Topic Starter
  • Member
  • 25 posts
OK, here goes....

I did the flash drive thing.

Skipped the ATF Cleaner, because you posted this works for XP and Windows 2000 only and I'm running Vista Business.

Went ahead and did the HijackThis and MoveIt thing...

And here's the DSS log...

Deckard's System Scanner v20071014.68
Run by benito on 2008-02-11 05:59:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis (run as benito.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:13 AM, on 2/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Users\benito\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\benito.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philmug.p...isplay.php?f=60
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nnnklkk.dll,#1
O4 - HKLM\..\Run: [runner1] C:\Windows\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\benito\AppData\Local\Temp\ddccy.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\benito\AppData\Local\Temp\vtutt.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5547 bytes

-- Files created between 2008-01-11 and 2008-02-11 -----------------------------

2008-02-11 05:50:47 0 drahs---- C:\autorun.inf
2008-02-08 10:56:05 0 d-------- C:\VundoFix Backups
2008-02-02 12:10:26 0 d-------- C:\Program Files\Trend Micro
2008-01-28 22:13:06 32 --a------ C:\Users\All Users\ezsid.dat
2008-01-27 13:32:56 0 d-------- C:\Program Files\Microsoft Works
2008-01-27 13:26:43 0 d-------- C:\Program Files\Microsoft.NET
2008-01-27 13:21:07 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-27 13:17:13 0 d-------- C:\Users\All Users\Microsoft Help
2008-01-27 13:16:19 0 dr-h----- C:\MSOCache
2008-01-27 01:06:32 36864 --a------ C:\Windows\mrofinu1044.exe
2008-01-27 01:06:05 38400 --a------ C:\Windows\system32\nnnklkk.dll
2008-01-26 23:12:12 0 d-------- C:\Users\All Users\FLEXnet
2008-01-26 22:53:09 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-26 14:34:26 0 d-------- C:\Windows\WinRAR
2008-01-26 11:34:18 0 d-------- C:\Program Files\Java
2008-01-26 11:28:23 0 d-------- C:\Program Files\Common Files\Java
2008-01-24 16:23:45 0 d-------- C:\Program Files\WinSCP
2008-01-23 16:30:43 0 d-------- C:\Program Files\AviSynth 2.5
2008-01-23 16:30:35 0 d-------- C:\Program Files\Red Kawa
2008-01-22 14:05:27 0 d-------- C:\Windows\SoftwareDistribution
2008-01-22 14:02:47 0 d-------- C:\Windows\Debug
2008-01-22 14:02:46 0 d-------- C:\Windows\CSC
2008-01-22 13:57:08 0 d-------- C:\Windows\Prefetch
2008-01-22 13:55:45 0 d-------- C:\Windows\Panther
2008-01-22 11:53:10 0 d--hs---- C:\Boot
2008-01-22 11:31:07 0 d-------- C:\Windows.old
2008-01-22 06:11:34 0 d-------- C:\Users\All Users\Yahoo!
2008-01-22 06:11:18 0 d-------- C:\Users\All Users\NVIDIA
2008-01-22 02:12:05 0 d-------- C:\Windows\PCHEALTH
2008-01-22 02:03:40 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 02:03:09 0 d-------- C:\Program Files\Windows Live
2008-01-22 02:02:39 0 d-------- C:\Users\All Users\WLInstaller
2008-01-22 01:59:46 0 d-------- C:\Program Files\Skype
2008-01-22 01:59:45 0 d-------- C:\Program Files\Common Files\Skype
2008-01-22 01:59:33 0 d-------- C:\Users\All Users\Skype
2008-01-22 01:47:29 0 d-------- C:\Windows\system32\Macromed
2008-01-22 01:44:34 0 d-------- C:\Program Files\Yahoo!
2008-01-22 01:33:53 0 d-------- C:\Program Files\Handbrake
2008-01-22 01:29:55 0 d-------- C:\Program Files\uTorrent
2008-01-22 01:29:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-22 01:28:56 0 d-------- C:\Users\All Users\Adobe
2008-01-22 01:28:10 0 d-------- C:\Windows\Downloaded Installations
2008-01-21 23:41:23 0 d-------- C:\Program Files\iPod
2008-01-21 23:41:08 0 d-------- C:\Program Files\iTunes
2008-01-21 23:39:50 0 d-------- C:\Program Files\Bonjour
2008-01-21 23:38:46 0 d-------- C:\Program Files\QuickTime
2008-01-21 23:38:40 0 d-------- C:\Users\All Users\Apple Computer
2008-01-21 23:37:51 0 d-------- C:\Program Files\Apple Software Update
2008-01-21 23:36:32 0 d-------- C:\Program Files\Common Files\Apple
2008-01-21 23:36:28 0 d-------- C:\Users\All Users\Apple
2008-01-21 23:35:48 0 d--hs---- C:\Windows\Installer
2008-01-21 23:18:59 0 d-------- C:\Program Files\Alwil Software
2008-01-21 23:03:00 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-01-21 22:17:40 0 dr------- C:\Users\benito\Searches
2008-01-21 22:17:00 0 dr------- C:\Users\benito\Contacts
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Templates
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Start Menu
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\SendTo
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Recent
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\PrintHood
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\NetHood
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\My Documents
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Local Settings
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Cookies
2008-01-21 22:16:44 0 d--hs---- C:\Users\benito\Application Data
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Videos
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Saved Games
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Pictures
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Music
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Links
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Favorites
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Downloads
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Documents
2008-01-21 22:16:40 0 dr------- C:\Users\benito\Desktop
2008-01-21 22:16:40 0 d--h----- C:\Users\benito\AppData
2008-01-21 22:16:39 1310720 --ahs---- C:\Users\benito\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-02-08 10:57:06 0 d-------- C:\Users\benito\AppData\Roaming\uTorrent
2008-02-01 02:38:09 0 d-------- C:\Users\benito\AppData\Roaming\Media Player Classic
2008-01-29 02:27:34 0 d-------- C:\Users\benito\AppData\Roaming\Skype
2008-01-29 00:03:07 0 d-------- C:\Users\benito\AppData\Roaming\skypePM
2008-01-27 13:32:11 0 d-------- C:\Program Files\MSBuild
2008-01-27 13:30:39 0 d-------- C:\Program Files\Common Files
2008-01-26 23:20:19 0 d-------- C:\Users\benito\AppData\Roaming\Adobe
2008-01-25 00:51:55 0 d-------- C:\Users\benito\AppData\Roaming\Leadertech
2008-01-24 16:39:17 0 d-------- C:\Users\benito\AppData\Roaming\WinRAR
2008-01-22 16:54:03 0 d-------- C:\Users\benito\AppData\Roaming\Mozilla
2008-01-22 12:54:06 0 d-------- C:\Users\benito\AppData\Roaming\Apple Computer
2008-01-22 01:51:20 0 d-------- C:\Users\benito\AppData\Roaming\Macromedia
2008-01-21 23:16:12 174 --ahs---- C:\Program Files\desktop.ini
2008-01-21 23:11:03 0 d-------- C:\Program Files\Windows Calendar
2008-01-21 23:11:02 0 d-------- C:\Program Files\Windows Mail
2008-01-21 23:11:01 0 d-------- C:\Program Files\Windows Defender
2008-01-21 23:10:58 0 d-------- C:\Program Files\Windows Sidebar
2008-01-21 22:17:12 0 d-------- C:\Users\benito\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/21/2008 11:02 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"SoundMan"="SOUNDMAN.EXE" [03/09/2007 04:28 PM C:\Windows\SOUNDMAN.EXE]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"MSServer"="C:\Windows\system32\nnnklkk.dll" [01/27/2008 01:06 AM]
"runner1"="C:\Windows\mrofinu1044.exe" [01/27/2008 01:06 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"="C:\Users\benito\AppData\Local\Temp\ddccy.dll,#1" []
"cmds"="C:\Users\benito\AppData\Local\Temp\vtutt.dll,c" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{446624E1-B767-4443-AA6E-0F355CAFD21B}"= C:\Windows\system32\nnnklkk.dll [01/27/2008 01:06 AM 38400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0477d1-c84f-11dc-88a9-001109dafb52}]
AutoRun\command- G:\RavMon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-02-11 06:01:17 ------------

By the way, here is the MoveIt log if you need it too....

File move failed. C:\Windows\mrofinu1044.exe scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\system32\nnnklkk.dll
C:\Windows\system32\nnnklkk.dll NOT unregistered.
File move failed. C:\Windows\system32\nnnklkk.dll scheduled to be moved on reboot.
[Custom Input]
< purity >

OTMoveIt2 v1.0.19 log created on 02112008_055726

Edited by checkyoulater, 10 February 2008 - 04:05 PM.


#22
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ugh this infection is being annoying

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#23
checkyoulater

    Member

  • Topic Starter
  • Member
  • 25 posts
Sorry for the late reply, I had pressing matters to attend to... I guess this computer really is in over its head as far as malware goes...

Here's the ComboFix log...

ComboFix 08-02.05.3 - benito 2008-02-11 13:14:32.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.362 [GMT 8:00]
Running from: C:\Users\benito\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\mrofinu1044.exe
C:\Windows\system32\nnnklkk.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-11 04:52 . 2008-02-11 04:52 <DIR> d-------- C:\_OTMoveIt
2008-02-11 04:30 . 2008-02-11 04:30 <DIR> d-------- C:\Deckard
2008-02-08 10:56 . 2008-02-09 13:45 <DIR> d-------- C:\VundoFix Backups
2008-02-02 12:10 . 2008-02-02 12:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 02:38 . 2008-02-01 02:38 <DIR> d-------- C:\Users\benito\AppData\Roaming\Media Player Classic
2008-01-28 22:13 . 2008-01-29 00:03 <DIR> d-------- C:\Users\benito\AppData\Roaming\skypePM
2008-01-28 22:13 . 2008-01-28 22:13 32 --a------ C:\Users\All Users\ezsid.dat
2008-01-28 22:13 . 2008-01-28 22:13 32 --a------ C:\ProgramData\ezsid.dat
2008-01-27 13:35 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-01-27 13:32 . 2008-01-27 13:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-27 13:26 . 2008-01-27 13:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-27 13:21 . 2008-01-27 13:21 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-27 13:17 . 2008-01-28 02:38 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-01-27 13:17 . 2008-01-28 02:38 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-01-27 13:16 . 2008-01-27 13:16 <DIR> dr-h----- C:\MSOCache
2008-01-26 23:12 . 2008-01-26 23:12 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-01-26 23:12 . 2008-01-26 23:12 <DIR> d-------- C:\ProgramData\FLEXnet
2008-01-26 22:53 . 2008-01-26 22:53 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-26 16:42 . 2007-09-24 23:31 69,632 --a------ C:\Windows\System32\javacpl.cpl
2008-01-26 14:34 . 2008-01-26 14:37 <DIR> d-------- C:\Windows\WinRAR
2008-01-26 11:34 . 2008-01-26 16:42 <DIR> d-------- C:\Program Files\Java
2008-01-26 11:28 . 2008-01-26 11:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-25 00:51 . 2008-01-25 00:51 <DIR> d-------- C:\Users\benito\AppData\Roaming\Leadertech
2008-01-24 16:23 . 2008-01-24 16:23 <DIR> d-------- C:\Program Files\WinSCP
2008-01-23 16:30 . 2008-01-23 16:30 <DIR> d-------- C:\Program Files\Red Kawa
2008-01-23 16:30 . 2008-01-23 16:30 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-01-22 14:02 . 2008-01-21 22:57 <DIR> d-------- C:\Windows\Debug
2008-01-22 13:55 . 2008-01-22 14:07 <DIR> d-------- C:\Windows\Panther
2008-01-22 12:02 . 2008-01-22 11:53 355 -rahs---- C:\Boot.ini.saved
2008-01-22 11:53 . 2008-01-22 13:55 <DIR> d--hs---- C:\Boot
2008-01-22 11:53 . 2006-11-02 17:53 438,840 -rahs---- C:\bootmgr
2008-01-22 11:53 . 2008-01-22 13:55 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-01-22 11:31 . 2008-01-22 06:23 <DIR> d-------- C:\Windows.old
2008-01-22 06:11 . 2008-01-29 02:27 <DIR> d-------- C:\Users\benito\AppData\Roaming\Skype
2008-01-22 06:11 . 2008-01-22 06:11 <DIR> d-------- C:\Users\All Users\Yahoo!
2008-01-22 06:11 . 2008-01-22 06:40 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-01-22 06:11 . 2008-01-22 06:11 <DIR> d-------- C:\ProgramData\Yahoo!
2008-01-22 06:11 . 2008-01-22 06:40 <DIR> d-------- C:\ProgramData\NVIDIA
2008-01-22 02:29 . 2008-01-22 02:29 229,888 --a------ C:\Windows\System32\msshsq.dll
2008-01-22 02:28 . 2007-09-12 05:28 1,073,152 --a------ C:\Windows\System32\nvcpluir.dll
2008-01-22 02:28 . 2007-09-12 05:28 753,664 --a------ C:\Windows\System32\nvcplui.exe
2008-01-22 02:28 . 2007-09-12 05:28 413,696 --a------ C:\Windows\System32\nvcpl.cpl
2008-01-22 02:28 . 2007-09-12 05:28 307,200 --a------ C:\Windows\System32\nvexpbar.dll
2008-01-22 02:12 . 2008-01-22 02:12 <DIR> d-------- C:\Windows\PCHEALTH
2008-01-22 02:03 . 2008-01-22 02:12 <DIR> d-------- C:\Program Files\Windows Live
2008-01-22 02:03 . 2008-01-22 02:11 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 02:02 . 2008-01-22 02:02 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-01-22 02:02 . 2008-01-22 02:02 <DIR> d-------- C:\ProgramData\WLInstaller
2008-01-22 01:59 . 2008-01-22 01:59 <DIR> d-------- C:\Users\All Users\Skype
2008-01-22 01:59 . 2008-01-22 01:59 <DIR> d-------- C:\ProgramData\Skype
2008-01-22 01:59 . 2008-01-22 01:59 <DIR> d-------- C:\Program Files\Skype
2008-01-22 01:59 . 2008-01-22 01:59 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-22 01:47 . 2008-01-22 01:47 <DIR> d-------- C:\Windows\System32\Macromed
2008-01-22 01:44 . 2008-01-22 01:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-22 01:33 . 2008-01-22 01:33 <DIR> d-------- C:\Program Files\Handbrake
2008-01-22 01:29 . 2008-02-08 10:57 <DIR> d-------- C:\Users\benito\AppData\Roaming\uTorrent
2008-01-22 01:29 . 2008-01-22 01:29 <DIR> d-------- C:\Program Files\uTorrent
2008-01-22 01:29 . 2008-01-26 23:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-22 01:28 . 2008-01-22 01:28 <DIR> d-------- C:\Windows\Downloaded Installations
2008-01-22 01:28 . 2008-01-26 23:08 <DIR> d-------- C:\Users\All Users\Adobe
2008-01-21 23:41 . 2008-01-22 12:54 <DIR> d-------- C:\Users\benito\AppData\Roaming\Apple Computer
2008-01-21 23:41 . 2008-01-21 23:41 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 23:41 . 2008-01-21 23:41 <DIR> d-------- C:\Program Files\iPod
2008-01-21 23:39 . 2008-01-21 23:39 <DIR> d-------- C:\Program Files\Bonjour
2008-01-21 23:38 . 2008-01-21 23:41 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-01-21 23:38 . 2008-01-21 23:41 <DIR> d-------- C:\ProgramData\Apple Computer
2008-01-21 23:38 . 2008-01-21 23:39 <DIR> d-------- C:\Program Files\QuickTime
2008-01-21 23:37 . 2008-01-21 23:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-21 23:36 . 2008-01-21 23:36 <DIR> d-------- C:\Users\All Users\Apple
2008-01-21 23:36 . 2008-01-21 23:36 <DIR> d-------- C:\ProgramData\Apple
2008-01-21 23:36 . 2008-01-21 23:36 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-21 23:35 . 2008-01-29 04:31 <DIR> d--hs---- C:\Windows\Installer
2008-01-21 23:19 . 2003-03-19 04:20 1,060,864 --a------ C:\Windows\System32\MFC71.dll
2008-01-21 23:19 . 2007-12-04 21:04 837,496 --a------ C:\Windows\System32\aswBoot.exe
2008-01-21 23:19 . 2003-03-19 03:14 499,712 --a------ C:\Windows\System32\MSVCP71.dll
2008-01-21 23:19 . 2004-01-09 17:13 380,928 --a------ C:\Windows\System32\actskin4.ocx
2008-01-21 23:19 . 2003-02-21 11:42 348,160 --a------ C:\Windows\System32\MSVCR71.dll
2008-01-21 23:19 . 2007-12-04 20:54 95,608 --a------ C:\Windows\System32\AvastSS.scr
2008-01-21 23:19 . 2007-12-04 22:52 45,648 --a------ C:\Windows\System32\drivers\aswMonFlt.sys
2008-01-21 23:19 . 2007-12-04 22:51 42,912 --a------ C:\Windows\System32\drivers\aswTdi.sys
2008-01-21 23:19 . 2007-12-04 22:53 23,152 --a------ C:\Windows\System32\drivers\aswRdr.sys
2008-01-21 23:18 . 2008-01-21 23:18 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-21 23:06 . 2008-01-21 23:06 2,923,520 --a------ C:\Windows\explorer.exe
2008-01-21 23:03 . 2008-01-21 23:03 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-01-21 23:03 . 2008-01-21 23:03 376,320 --a------ C:\Windows\System32\winsrv.dll
2008-01-21 23:03 . 2008-01-21 23:03 49,664 --a------ C:\Windows\System32\csrsrv.dll
2008-01-21 23:01 . 2008-01-21 23:01 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-21 23:01 . 2008-01-21 23:01 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-21 23:01 . 2008-01-21 23:01 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-21 23:01 . 2008-01-21 23:01 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-21 23:01 . 2008-01-21 23:01 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-21 23:00 . 2008-01-21 23:00 414,208 --a------ C:\Windows\System32\msscp.dll
2008-01-21 22:59 . 2008-01-21 22:59 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-01-21 22:59 . 2008-01-21 22:59 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-01-21 22:59 . 2008-01-21 22:59 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-01-21 22:59 . 2008-01-21 22:59 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-01-21 22:59 . 2008-01-21 22:59 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-01-21 22:58 . 2008-01-21 22:58 396,800 --a------ C:\Windows\System32\MPSSVC.dll
2008-01-21 22:58 . 2008-01-21 22:58 392,192 --a------ C:\Windows\System32\FirewallAPI.dll
2008-01-21 22:58 . 2008-01-21 22:58 178,688 --a------ C:\Windows\System32\iphlpsvc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 05:32 --------- d-----w C:\Program Files\MSBuild
2008-01-21 15:16 174 --sha-w C:\Program Files\desktop.ini
2008-01-21 15:11 --------- d-----w C:\Program Files\Windows Mail
2008-01-21 15:11 --------- d-----w C:\Program Files\Windows Defender
2008-01-21 15:11 --------- d-----w C:\Program Files\Windows Calendar
2008-01-21 15:10 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-21 15:07 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-01-21 15:07 77,824 ----a-w C:\Windows\System32\rascfg.dll
2008-01-21 15:07 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-01-21 15:07 694,784 ----a-w C:\Windows\System32\localspl.dll
2008-01-21 15:07 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-01-21 15:07 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-01-21 15:07 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2008-01-21 15:07 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-01-21 15:07 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2008-01-21 15:07 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-01-21 15:07 33,280 ----a-w C:\Windows\System32\traffic.dll
2008-01-21 15:07 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2008-01-21 15:07 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2008-01-21 15:07 22,016 ----a-w C:\Windows\System32\rasser.dll
2008-01-21 15:07 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-01-21 15:07 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2008-01-21 15:07 134,656 ----a-w C:\Windows\System32\dps.dll
2008-01-21 15:07 13,824 ----a-w C:\Windows\System32\wshqos.dll
2008-01-21 15:07 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2008-01-21 15:06 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-01-21 15:06 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-01-21 15:06 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-01-21 15:06 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-01-21 15:06 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-01-21 15:06 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-01-21 15:06 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-01-21 15:06 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-01-21 15:06 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-01-21 15:06 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-01-21 15:06 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-01-21 15:06 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-01-21 15:06 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-01-21 14:56 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-21 14:56 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-21 14:56 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-21 14:56 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-21 14:47 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-01-21 14:47 82,944 ----a-w C:\Windows\System32\mciavi32.dll
2008-01-21 14:47 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
2008-01-21 14:47 712,192 ----a-w C:\Windows\System32\WindowsCodecs.dll
2008-01-21 14:47 69,632 ----a-w C:\Windows\System32\sendmail.dll
2008-01-21 14:47 65,024 ----a-w C:\Windows\System32\avicap32.dll
2008-01-21 14:47 61,440 ----a-w C:\Windows\System32\ntprint.exe
2008-01-21 14:47 320,000 ----a-w C:\Windows\system32\drivers\csc.sys
2008-01-21 14:47 31,232 ----a-w C:\Windows\System32\msvidc32.dll
2008-01-21 14:47 269,824 ----a-w C:\Windows\System32\schannel.dll
2008-01-21 14:47 220,160 ----a-w C:\Windows\System32\ntprint.dll
2008-01-21 14:47 123,904 ----a-w C:\Windows\System32\msvfw32.dll
2008-01-21 14:47 120,320 ----a-w C:\Windows\System32\dhcpcsvc6.dll
2008-01-21 14:47 12,800 ----a-w C:\Windows\System32\msrle32.dll
2008-01-21 14:47 105,984 ----a-w C:\Windows\System32\CscMig.dll
2008-01-21 14:47 10,240 ----a-w C:\Windows\System32\dhcpcmonitor.dll
2008-01-21 14:47 1,984,512 ----a-w C:\Windows\System32\authui.dll
2008-01-21 14:44 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-01-21 14:44 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-01-21 14:44 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-01-21 14:44 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-01-21 14:44 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-01-21 14:44 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-01-21 14:44 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-01-21 14:44 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 23:02 1006264]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"SoundMan"="SOUNDMAN.EXE" [2007-03-09 16:28 598016 C:\Windows\SOUNDMAN.EXE]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 22:52]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 15:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0477d1-c84f-11dc-88a9-001109dafb52}]
\shell\AutoRun\command - G:\RavMon.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 23:03:25 C:\Windows\Tasks\User_Feed_Synchronization-{C3B6750F-69EC-4A83-ACAA-6641E8AD71D1}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 13:18:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 13:18:59
ComboFix-quarantined-files.txt 2008-02-11 05:18:56
.
2008-02-08 06:51:00 --- E O F ---


And the new HijackThis log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:00 PM, on 2/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philmug.p...isplay.php?f=60
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5032 bytes


I can't thank you enough for my laptop :) Here's hoping you have the patience to make my PC clean and safe too :)

#24
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
G:\RavMon.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0477d1-c84f-11dc-88a9-001109dafb52}]


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Reboot and post a new HijackThis log and tell me how your PC is running
  • 0
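Before a CFScript is dragged onto ComboFix it is worth checking exactly what it will delete. The parser below is an added example for this thread, not ComboFix's own code; it assumes the File::/Registry:: layout shown in the post above and lists the entries that refer to the thumb drive (the G: file and the MountPoints2 key), which is the part the follow-up question about the drive being unplugged is about.

```python
"""Preview what a ComboFix CFScript will do before it is dragged onto ComboFix.
Added example for this thread, not ComboFix's own code. Assumes the layout
shown above: 'File::' lists paths to delete; 'Registry::' uses .reg syntax,
where '[-HKEY...]' deletes a key, '[HKEY...]' selects a key and '"name"=-'
lines under it delete a value."""
from dataclasses import dataclass, field

# Constructed sample: the script text from the post above.
SAMPLE_CFSCRIPT = """File::
G:\\RavMon.exe

Registry::
[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{7d0477d1-c84f-11dc-88a9-001109dafb52}]
"""

@dataclass
class CFScriptPlan:
    files_to_delete: list = field(default_factory=list)
    keys_to_delete: list = field(default_factory=list)
    value_edits: list = field(default_factory=list)    # (key, value line) pairs
    unknown_lines: list = field(default_factory=list)

def parse_cfscript(text: str) -> CFScriptPlan:
    """Walk the script line by line and record each action it would take."""
    plan, section, current_key = CFScriptPlan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                  # section header such as File::
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            plan.files_to_delete.append(line)
        elif section == "registry" and line.startswith("[-") and line.endswith("]"):
            plan.keys_to_delete.append(line[2:-1])
        elif section == "registry" and line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]             # later value lines apply to it
        elif section == "registry" and current_key:
            plan.value_edits.append((current_key, line))
        else:
            plan.unknown_lines.append(line)      # not covered by the format
    return plan

def removable_drive_entries(plan: CFScriptPlan) -> list:
    """Entries tied to a plugged-in drive: files off C: and MountPoints2 keys."""
    files = [p for p in plan.files_to_delete if p[1:2] == ":" and p[:1].upper() != "C"]
    keys = [k for k in plan.keys_to_delete if "mountpoints2" in k.lower()]
    return files + keys
```

Anything that lands in `unknown_lines` is a line the script will not act on as intended and should be looked at before running ComboFix.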

#25
checkyoulater

    Member

  • Topic Starter
  • Member
  • 25 posts
hi again,

i tried doing your first instruction, making the notepad file but something popped up: "freeware implementation of REG.EXE has stopped working"

after that i clicked close program and now it looks to be running again....i have a question though...in the notepad file you had me create it had g:/rav....would it matter that i no longer have my thumbdrive in? i actually went ahead and formatted the drive to completely erase everything so i guess even if i did stick it in it should no longer have the ravmon.exe file in there...

will post in a few about the combofix log as well as the superantispyware :)
  • 0



#26
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No need to worry about having the thumb drive in

Just post the ComboFix and SUPERAntiSpyware logs when they are done

Should be nearly done now
  • 0

#27
checkyoulater

    Member

  • Topic Starter
  • Member
  • 25 posts
looks like it's still going to be a while maybe 30 more mins...(jeez, i hope that's all) i can't imagine how many more files i could have in my PC over my laptop, esp since i just reformatted that thing about a month ago. I had upgraded to vista business from XP pro...i'm a sucker for pretty looking software...hehehe


44 thousand files scanned and counting i sure hope this ends soon so we can see just how clean my system is :)

thanks again for your patience....

by the way i'm curious where'd you learn all this stuff? esp reading a hijackthis log...
  • 0

#28
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Those anti-spyware scans take a while, try not to use your PC too much and it will go faster

I learnt a bit about HijackThis myself from here

http://www.bleepingc...tutorial42.html

I learnt most of it from the GeekU here

http://www.geekstogo...ware-t4817.html
  • 0

#29
checkyoulater

    Member

  • Topic Starter
  • Member
  • 25 posts
thanks for the links i'll be sure to read them when i'm done with this entire mess...btw i'm using laptop now my PC is still scanning and I try as much as possible not to run anything except whatever runs on start up....save the occasional mouse movement to make sure it doesn't go into sleep/screensaver mode

still scanning....51 thousand and counting... :)



it's on its 2nd hour of scanning :) 104 thousand files and counting.......

in case it's of any interest....the files scanned under the "SCANNING PROGRESS HEADING" seem to be repeating....i could have sworn i saw it scan the folder it says is currently being scanned, but i could be wrong....

Edited by checkyoulater, 11 February 2008 - 12:38 PM.

  • 0

#30
checkyoulater

    Member

  • Topic Starter
  • Member
  • 25 posts
it's not that i'm delayed but...

it's still scanning??? :)

189 thousand files and counting......441 threats detected....

i'll post results as soon as they're done


in the meantime assuming you won't be able to respond right away since you're on a different timezone altogether will it be ok to just go about my normal computer business? or should i refrain from using it?
  • 0





