Exe icons have disappeared from desktop and start [RESOLVED]


#16 viper151 (Member, Topic Starter)
I couldn't start ComboFix, either by dragging the script onto it or by double-clicking ComboFix, so I downloaded it again. Is that OK?

It was loading, but nothing was happening after that.

But it's still the same.

Edited by viper151, 27 March 2008 - 02:27 PM.


#17 andrewuk (Trusted Helper, Malware Removal)
Let's try this one.

First, make sure you have uploaded that file as asked in the prior post.

====STEP 1====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as administrator".)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Temp-torrents\obm.sys
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7bf5d9b-ec5e-11db-8be6-806d6172696f}
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====STEP 2====
Please download Navilog1 by IL-MAFIOSO:
http://pagesperso-or...ix/Navilog1.exe
(*Alternate download location Here)

* Save it to your Desktop.
* Double-click on Navilog1.exe to install the program.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double-click on the Navilog1 shortcut on your Desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time).
* Press any key as requested.
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)


In your next reply, could I see:
1. the OTMoveIt log
2. the fixnavi.txt log
3. a new HijackThis log
4. confirmation that the file has been uploaded

andrewuk

#18 viper151 (Member, Topic Starter)
Sorry for not replying, but I just restarted the PC and ComboFix worked :) I'm now running it and working on your previous post.

#19 andrewuk (Trusted Helper, Malware Removal)
OK, I will be here :)

#20 viper151 (Member, Topic Starter)
ComboFix 08-03-26.3 - viper151 2008-03-28 1:08:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.648 [GMT 2:00]
Running from: C:\Documents and Settings\viper151\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\viper151\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Temp-torrents\obm.sys
.

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 22:17 . 2008-03-27 22:19 <DIR> d-------- C:\HJT
2008-03-26 10:32 . 2008-03-26 10:32 <DIR> d-------- C:\_OTMoveIt
2008-03-20 09:11 . 2008-03-20 09:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-20 09:11 . 2008-03-20 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-20 08:50 . 2008-03-20 08:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-20 08:50 . 2008-03-20 08:50 <DIR> d-------- C:\Documents and Settings\viper151\Application Data\Malwarebytes
2008-03-20 08:50 . 2008-03-20 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-19 23:29 . 2008-03-19 23:29 38 --a------ C:\WINDOWS\avisplitter.INI
2008-03-19 23:05 . 2008-03-19 23:05 104 --a------ C:\WINDOWS\WebUpdateSvc.INI
2008-03-19 23:04 . 2008-03-19 23:05 <DIR> d-------- C:\Program Files\Workspace Macro Pro 6.5
2008-03-19 18:16 . 2008-03-19 18:16 <DIR> d-------- C:\WINDOWS\Macro Scheduler Std
2008-03-19 18:16 . 2008-03-19 18:28 <DIR> d-------- C:\Program Files\Macro Scheduler
2008-03-19 17:32 . 2008-03-19 18:34 <DIR> d-------- C:\Program Files\Counter-Strike
2008-03-19 12:41 . 2008-03-19 12:41 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2008-03-19 12:40 . 2008-03-19 12:41 <DIR> d-------- C:\Program Files\AutoGK
2008-03-19 12:34 . 2008-03-19 12:34 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-03-19 11:20 . 2008-03-19 11:48 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-03-19 11:20 . 2008-03-19 11:20 <DIR> d-------- C:\Documents and Settings\viper151\Application Data\URSoft
2008-03-19 10:15 . 2008-03-19 10:15 <DIR> d-------- C:\Deckard
2008-03-18 23:11 . 2008-03-19 14:19 <DIR> d-------- C:\Counter-Strike 1.6 V32
2008-03-18 15:17 . 2008-03-18 15:17 <DIR> d-------- C:\Program Files\Unity
2008-03-17 23:09 . 2008-03-17 23:09 <DIR> d-------- C:\Program Files\VideoReDoPlus
2008-03-17 23:09 . 2008-03-20 00:25 <DIR> d-------- C:\Documents and Settings\viper151\Application Data\VideoReDoPlus
2008-03-17 20:08 . 2008-03-17 20:09 <DIR> d-------- C:\Program Files\Hamachi
2008-03-13 23:40 . 2008-03-13 23:40 <DIR> d-------- C:\Fall Out Boy
2008-03-13 21:25 . 2008-03-26 01:36 130 --a------ C:\WINDOWS\EurekaLog.ini
2008-03-13 20:13 . 2008-03-13 20:13 <DIR> d-------- C:\Program Files\TechniSat DVB
2008-03-07 08:13 . 2008-03-07 08:13 <DIR> d-------- C:\Documents and Settings\viper151\Application Data\AD ON Multimedia
2008-03-06 22:06 . 2008-03-06 22:06 <DIR> d-------- C:\WINDOWS\uninstall\Satellite TV for PC Elite
2008-03-06 22:06 . 2008-03-06 22:06 <DIR> d-------- C:\WINDOWS\uninstall
2008-03-06 00:53 . 2008-03-06 00:53 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-03-06 00:53 . 2008-03-06 00:53 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-03-06 00:41 . 2008-03-06 00:41 <DIR> d-------- C:\Program Files\Ubisoft
2008-03-05 18:04 . 2008-03-05 18:04 <DIR> d-------- C:\Program Files\Mixesoft
2008-03-05 18:04 . 2008-03-05 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Mixesoft
2008-03-04 15:23 . 2008-03-04 15:23 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 18:17 . 2008-03-20 01:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 23:10 --------- d-----w C:\Documents and Settings\viper151\Application Data\uTorrent
2008-03-27 23:06 --------- d-----w C:\Documents and Settings\viper151\Application Data\Hamachi
2008-03-19 19:56 --------- d-----w C:\Program Files\Warcraft III
2008-03-19 10:41 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-19 10:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 10:31 --------- d-----w C:\Program Files\KONAMI
2008-03-19 10:30 --------- d-----w C:\Program Files\Symantec
2008-03-19 10:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-19 10:17 --------- d-----w C:\Program Files\DivX
2008-03-17 18:08 25,280 ----a-w C:\windows\system32\drivers\hamachi.sys
2008-03-13 19:17 --------- d-----w C:\Program Files\DVBViewerTE
2008-03-07 06:13 --------- d-----w C:\Program Files\MyPhoneExplorer
2008-03-06 20:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-06 19:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 22:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-04 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-19 19:38 --------- d-----w C:\Program Files\Electronic Arts
2008-02-18 17:13 --------- d-----w C:\Documents and Settings\viper151\Application Data\Vso
2008-02-14 20:11 --------- d-----w C:\Documents and Settings\viper151\Application Data\Leadertech
2008-02-12 17:08 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-02-11 21:25 --------- d-----w C:\Documents and Settings\viper151\Application Data\skypePM
2008-02-11 21:25 --------- d-----w C:\Documents and Settings\viper151\Application Data\Skype
2008-02-11 06:28 --------- d-----w C:\Program Files\Hasbro Interactive
2008-02-04 10:59 --------- d-----w C:\Program Files\ESET
2008-02-04 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-02-02 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-02 13:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-02 13:18 --------- d-----w C:\Program Files\Bonjour
2008-02-02 13:06 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-30 13:13 --------- d-----w C:\Documents and Settings\viper151\Application Data\Notepad++
2008-01-30 13:12 --------- d-----w C:\Program Files\Notepad++
2008-01-30 09:40 --------- d-----w C:\Program Files\Screamer Radio
2008-01-30 09:35 --------- d-----w C:\Documents and Settings\viper151\Application Data\streamripper
2008-01-30 09:34 --------- d-----w C:\Program Files\Streamripper
2008-01-29 20:22 --------- d-----w C:\Documents and Settings\viper151\Application Data\XTrackCad
2008-01-28 21:56 --------- d-----w C:\Program Files\Womble Multimedia
2008-01-28 18:26 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-28 18:25 --------- d-----w C:\Program Files\Skype
2008-01-28 18:25 --------- d-----w C:\Program Files\Common Files\Skype
2008-01-28 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-06 16:33 22,328 ----a-w C:\Documents and Settings\viper151\Application Data\PnkBstrK.sys
2007-04-20 18:38 87,608 ----a-w C:\Documents and Settings\viper151\Application Data\ezpinst.exe
2007-04-20 18:38 47,360 ----a-w C:\Documents and Settings\viper151\Application Data\pcouffin.sys
2006-05-03 09:06 163,328 --sh--r C:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((( [email protected]_11.18.24,93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 06:00:00 163,328 ----a-w C:\windows\ERDNT\subs\ERDNT.EXE
- 2008-03-24 19:29:33 58,596 ----a-w C:\windows\system32\perfc009.dat
+ 2008-03-27 20:33:59 58,596 ----a-w C:\windows\system32\perfc009.dat
- 2008-03-24 19:29:33 392,296 ----a-w C:\windows\system32\perfh009.dat
+ 2008-03-27 20:33:59 392,296 ----a-w C:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-02-04 12:25 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 08:19 729088]
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2003-06-06 16:52 151552]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"CnxDslTaskBar"="C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" [2004-06-16 13:55 233472]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-04-18 12:37:34 131072]
Run VNC Server.lnk - C:\Program Files\RealVNC\VNC4\winvnc4.exe [2007-12-05 01:00:16 914808]
Workspace Macro Pro Hotkeys.lnk - C:\Program Files\Workspace Macro Pro 6.5\WMPHotkeys.exe [2007-03-04 20:40:06 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 10:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-02-14 11:00 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"WinVNC4"=2 (0x2)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"usnjsvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"StarWindService"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"OpenVPNService"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NOD32krn"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"IviRegMgr"=2 (0x2)
"IDriverT"=3 (0x3)
"awhost32"=2 (0x2)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\Program Files\\RealVNC\\VNCTool\\vnctool.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Ubisoft\\Lost Via Domus\\Yeti_Final_Win32.exe"=
"C:\\Program Files\\Ubisoft\\Lost Via Domus\\gu.exe"=
"C:\\Program Files\\Ubisoft\\Lost Via Domus\\detection\\Launcher.exe"=
"D:\\Games\\C&C3\\RetailExe\\1.0\\cnc3game.dat"=
"D:\\Games\\C&C3\\RetailExe\\1.9\\cnc3game.dat"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\dvbdream\\dvbdream.exe"=
"C:\\Program Files\\Counter-Strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 Cinemsup;Cinemsup;C:\windows\system32\drivers\Cinemsup.sys [2002-07-19 08:10]
R1 epfwtdir;epfwtdir;C:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 BT848;CRYPTO WDM Video Capture;C:\windows\system32\drivers\BT848.sys [2001-11-06 08:20]
R2 BTTUNER;CRYPTO WDM TvTuner;C:\windows\system32\drivers\BTTUNER.sys [2001-03-07 12:30]
R2 BTXBAR;CRYPTO WDM Crossbar;C:\windows\system32\drivers\BTXBAR.sys [1999-07-21 11:28]
R3 CnxEtP;Crypto F200 USB ADSL Adapter Filter Driver;C:\windows\system32\DRIVERS\CnxEtP.sys [2004-06-16 13:51]
R3 CnxEtU;Crypto F200 USB ADSL Interface Device Driver;C:\windows\system32\DRIVERS\CnxEtU.sys [2004-06-16 13:51]
R3 CnxTgNW;Crypto F200 USB ADSL WAN PPPoA Adapter Driver;C:\windows\system32\DRIVERS\CnxTgNW.sys [2004-06-16 13:51]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;C:\windows\system32\DRIVERS\SkyNET.SYS [2006-03-14 03:22]
R3 tap0801;TAP-Win32 Adapter V8;C:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S1 SysTool;SysTool Overclocking Utility;C:\windows\system32\DRIVERS\SysTool.sys [2006-11-10 15:08]
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F5C04010-CF65-FE00-B534-C14F6F8C0001}]
C:\windows\system32\Win32dll.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 15:15:00 C:\windows\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-27 20:15:00 C:\windows\Tasks\DVBDream Weekly 20080314_024629.job"
- C:\dvbdream\dvbdream.exe
"2008-03-24 19:22:46 C:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 01:12:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\windows\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\No-IP\DUC20.exe
.
**************************************************************************
.
Completion time: 2008-03-28 1:14:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 23:14:52
ComboFix2.txt 2008-03-27 10:02:42
Pre-Run: 11,370,864,640 bytes free
Post-Run: 11,274,645,504 bytes free
.
2007-07-29 13:47:08 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:47 πμ, on 28/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\windows\system32\PnkBstrA.exe
C:\windows\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Workspace Macro Pro 6.5\WMPHotkeys.exe
C:\Program Files\No-IP\DUC20.exe
C:\windows\explorer.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\RealVNC\VNC4\vncclipboard.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webba.bma.upatras.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto SA\AccessRunner ADSL USB\CnxDslTb.exe" "Crypto SA\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AccessRunner DSL.lnk = ?
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Run VNC Server.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O4 - Global Startup: Workspace Macro Pro Hotkeys.lnk = C:\Program Files\Workspace Macro Pro 6.5\WMPHotkeys.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{711B1E2D-8BE9-430F-8A46-77B69BA7D6B9}: NameServer = 194.219.227.1 193.92.150.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
O24 - Desktop Component 1: (no name) - http://www.greek-tracker.com/browse

--
End of file - 6976 bytes





Also, I couldn't find the Win32dll file; I found win32spl.dll only. Do you want me to upload it?

Do you want me to move on to your next post, or are you going to give me the next instructions?
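The ComboFix and HijackThis logs above are read by eye in this thread. As an added example that is not part of the thread and not a HijackThis feature, the following Python script parses the section-coded entry lines (R0, O4, O23, ...) of a HijackThis 2.0.2 log and flags the entries a reviewer normally checks first: services with no publisher information, an unrecognised Winsock LSP, startup shortcuts whose target could not be resolved, autostarts from a profile or temp directory, and Active Desktop components. The sample log is constructed from a handful of lines of the log posted above; the flag rules are this example's own heuristics and mark items to verify by hand, not verdicts.

```python
"""HijackThis 2.0.2 log triage (added example, not from the thread).

Parses the 'Oxx - ...' entry lines and flags the ones a reviewer checks
first. The flag rules are this example's own heuristics: they mark items
to verify by hand, they are not verdicts."""
import re
from dataclasses import dataclass, field

# Every HijackThis finding is one line: a section code (R0, O4, O23, ...),
# ' - ', then the body. Process lists and header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

# Autostarts launched from a user profile or temp directory deserve a look.
SUSPECT_DIR_RE = re.compile(r"\\(Temp|Local Settings|Application Data)\\", re.I)


@dataclass
class Entry:
    kind: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return the list of Entry objects found in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def triage(entries):
    """Attach flags to entries and return only the flagged ones."""
    for e in entries:
        if e.kind == "O23" and "Unknown owner" in e.body:
            e.flags.append("service with no publisher information")
        if e.kind == "O10" and e.body.startswith("Unknown file in Winsock LSP"):
            e.flags.append("unrecognised Winsock LSP: verify the DLL")
        if e.kind == "O4" and e.body.endswith("= ?"):
            e.flags.append("startup shortcut whose target could not be resolved")
        if e.kind == "O4" and SUSPECT_DIR_RE.search(e.body):
            e.flags.append("autostart from a profile or temp directory")
        if e.kind == "O24":
            e.flags.append("Active Desktop component: check the URL")
    return [e for e in entries if e.flags]


# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\windows\System32\smss.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Startup: AccessRunner DSL.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
O24 - Desktop Component 1: (no name) - http://www.greek-tracker.com/browse
"""

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind}: {e.body}\n    -> {'; '.join(e.flags)}")
```

Run it against a saved hijackthis.log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`; every flag is a pointer to verify (publisher, file hash, path), since legitimate software such as game anti-cheat services also shows up as "Unknown owner".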

#21 andrewuk (Trusted Helper, Malware Removal)

Quote from viper151:
Also, I couldn't find the Win32dll file; I found win32spl.dll only. Do you want me to upload it?

Do you want me to move on to your next post, or are you going to give me the next instructions?

Sounds like the file is gone then, so no need to upload anything. win32spl.dll is a valid file.

Could you do Step 2 of my other post, the Navilog1 by IL-MAFIOSO?

andrewuk

#22 viper151 (Member, Topic Starter)
Search Navipromo version 3.5.1 began on 28/03/2008 at 2:08:06,90

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Actual User Account : "viper151"

Updated on 23.03.2008 at 22h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 6.0.2900.2180
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\windows ***



*** Search folders in C:\Program Files ***



*** Search folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***




*** Search folders in "C:\Documents and Settings\viper151\applic~1" ***



*** Search folders in "C:\Documents and Settings\viper151\locals~1\applic~1" ***



*** Search folders in "C:\Documents and Settings\viper151\startm~1\programs" ***


*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\windows\system32 *

* Scan in "C:\Documents and Settings\viper151\locals~1\applic~1" *

* Scan in "C:\docume~1\Administrator\locals~1\applic~1" *



*** Search files ***




*** Search specific Registry keys ***


*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In C:\windows\system32 :


* In "C:\Documents and Settings\viper151\locals~1\applic~1" :


* In ""C:\docume~1\Administrator\locals~1\applic~1"" :


3)Certificates Search :

Egroup certificate not found !
Electronic-Group certificate not found !
OOO-Favorit certificate not found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :



*** Search completed on 28/03/2008 at 2:11:47,29 ***

#23 andrewuk (Trusted Helper, Malware Removal)
Nothing found there. Let's remove one item and update your Java and see how things are. I have a few more ideas up my sleeve.

====STEP 1====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F5C04010-CF65-FE00-B534-C14F6F8C0001}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe, as depicted in the animation below. This will start ComboFix again.

[animation]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


====STEP 2====
Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click on the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

I don't need to see any logs in your reply.

And could you tell me how things are now?

andrewuk

Edited by andrewuk, 27 March 2008 - 07:03 PM.


#24 viper151 (Member, Topic Starter)
I haven't seen my PC yet because I left my city for an emergency call, so I'll probably be able to inform you on Monday. Sorry again for the mess :)

#25 andrewuk (Trusted Helper, Malware Removal)
No problem, I will be here :)

#26 viper151 (Member, Topic Starter)
Icons still don't exist. To give you an idea, it's like this:
[screenshot]
But you've done great with the spyware removal :)

#27 andrewuk (Trusted Helper, Malware Removal)
OK, let's give this a shot:

Click on Start, click on Run,
copy and paste the following into the Open box and then click OK:
regsvr32 /i shell32.dll

#28 viper151 (Member, Topic Starter)
Nope, nothing happened :)

#29 andrewuk (Trusted Helper, Malware Removal)
OK, let's take a look in a registry key.

Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
Please copy the contents of the code box below into Notepad. To do this, highlight the contents of the box and right-click on it.

reg query "HKEY_CLASSES_ROOT\exefile\DefaultIcon" >> output121.txt

Save the Notepad file as runthis.bat on your desktop.

An icon called runthis.bat should appear on your desktop. Double-click runthis.bat and in a short moment a text file called output121.txt should appear.

Could you copy the contents of output121.txt into your next reply?

#30 viper151 (Member, Topic Starter)
! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\DefaultIcon
<NO NAME> REG_SZ %1
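The reg query output above shows `%1` for HKCR\exefile\DefaultIcon, which is the stock value of that key on Windows XP. As an added example that is not from the thread, the following Python script parses REG.EXE 3.0 output of this shape offline (and the later layout where the default value prints as `(Default)` instead of `<NO NAME>`) and compares the .exe association keys against their stock Windows XP values. Checking HKCR\.exe and HKCR\exefile\shell\open\command alongside DefaultIcon is this example's addition; the thread only queried DefaultIcon. Both sample outputs are constructed: the first matches what was posted above, extended to all three keys, and the second uses a made-up path (C:\evil\hook.exe) to show how a hijacked open command is reported.

```python
"""Offline check of the .exe file-association keys from 'reg query' output
(added example, not from the thread). Handles the REG.EXE 3.0 layout of
Windows XP, where the default value prints as <NO NAME>, and the later
layout where it prints as (Default)."""
import re

# Stock Windows XP values. The thread only queried DefaultIcon; the other two
# keys are this example's addition and are what a reviewer checks next when
# .exe handling misbehaves.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\DefaultIcon": "%1",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# One value line: name, type, data, separated by runs of whitespace or tabs.
VALUE_RE = re.compile(
    r"^\s*(?P<name><NO NAME>|\(Default\)|\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$"
)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}}; '' is the default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # blank or '! REG.EXE VERSION 3.0'
            continue
        if line.startswith("HKEY_"):               # a key header line
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            if name in ("<NO NAME>", "(Default)"):
                name = ""
            keys[current][name] = (m.group("type"), m.group("data").strip())
    return keys


def check_exefile(reg_output):
    """Compare each EXPECTED key's default value with the parsed output.

    Returns a list of (key, expected, actual, status) with status one of
    'ok', 'MISMATCH' or 'missing from output'."""
    parsed = {k.lower(): v for k, v in parse_reg_query(reg_output).items()}
    findings = []
    for key, want in EXPECTED.items():
        values = parsed.get(key.lower())
        if values is None:
            findings.append((key, want, None, "missing from output"))
            continue
        got = values.get("", (None, None))[1]
        findings.append((key, want, got, "ok" if got == want else "MISMATCH"))
    return findings


# Constructed sample in the layout posted above, extended to all three keys.
SAMPLE_OK = r"""! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\.exe
    <NO NAME>   REG_SZ  exefile

HKEY_CLASSES_ROOT\exefile\DefaultIcon
    <NO NAME>   REG_SZ  %1

HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>   REG_SZ  "%1" %*
"""

# Constructed sample of a hijacked open command; C:\evil\hook.exe is made up.
SAMPLE_HIJACKED = r"""! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>   REG_SZ  "C:\evil\hook.exe" "%1" %*
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_HIJACKED):
        for key, want, got, status in check_exefile(sample):
            print(f"{status:20} {key}")
            print(f"{'':20} expected {want!r}, got {got!r}")
```

To use it on a real machine, run the same batch approach as in the post above for each of the three keys (one `reg query` per key, all appended to the same text file), then feed the file's contents to `check_exefile`; a MISMATCH on shell\open\command means every .exe launch passes through the program named there, which is the first thing to look at when .exe handling is broken.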





