
trojan downloader



#1 Euroghal (New Member, 5 posts)
Any ideas? No one can seem to help. Anything would be nice, thanks :)


Deckard's System Scanner v20071014.68
Run by Link on 2008-04-17 18:28:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-17 22:28:24 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Link.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:25 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\taskmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Link\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Link.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8ff66054-1dd2-11b2-a586-d933140e6a0e} - C:\WINDOWS\arobmdcr.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: C:\WINDOWS\system32\H4dj24g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\H4dj24g.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\Kf9467g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Kf9467g.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\H4dj24g.dll (file missing)
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Kf9467g.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Online Search Service - 2nd - Unknown owner - C:\WINDOWS\system32\winlast.exe (file missing)
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\WINDOWS\system32\wnslogan.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5405 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vaf73 - c:\windows\system32\drivers\vaf73.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.2.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.2.0>

S3 rtl8185 (Realtek RTL8185 54M Wireless LAN Network Adapter Driver) - c:\windows\system32\drivers\rtl8185.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8185 54M Wireless LAN Network Adapter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Google Online Search Service - 2nd - c:\windows\system32\winlast.exe -a (file missing)
S2 Googles Onlines Search Services - c:\windows\system32\wnslogan.exe -a (file missing)
S2 ICF - c:\windows\system32\svchost.exe:exe.exe (file missing)
S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8185 54M Wireless LAN Network Adapter
Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_818510EC&REV_20\3&13C0B0C5&0&48
Manufacturer: Realtek
Name: Realtek RTL8185 54M Wireless LAN Network Adapter
PNP Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_818510EC&REV_20\3&13C0B0C5&0&48
Service: rtl8185


-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 18:29:59 0 d-------- C:\Program Files\Trend Micro
2008-04-17 17:26:17 11776 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-03-29 18:32:25 38912 -rahs---- C:\WINDOWS\taskmon.exe
2008-03-29 08:28:49 0 d-------- C:\Logs
2008-03-28 21:02:29 0 d-------- C:\WINDOWS\nview
2008-03-28 21:01:46 0 d-------- C:\NVIDIA
2008-03-28 18:49:38 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-27 05:24:07 0 d---s---- C:\Documents and Settings\Link\UserData
2008-03-24 21:30:47 0 d-------- C:\WINDOWS\pss
2008-03-24 20:51:11 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-24 20:26:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 20:14:51 0 d-------- C:\Program Files\Spyware Doctor
2008-03-24 20:14:51 0 d-------- C:\Documents and Settings\Link\Application Data\PC Tools
2008-03-24 20:02:58 0 dr-h----- C:\$VAULT$.AVG
2008-03-24 20:01:26 0 d-------- C:\Documents and Settings\Link\Application Data\AVG7
2008-03-24 20:01:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-24 20:00:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 20:00:35 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 15:55:10 0 d-------- C:\Documents and Settings\Link\Application Data\WinIFixer.com
2008-03-23 15:55:02 9728 --a------ C:\WINDOWS\system32\dhcpserv.dll
2008-03-23 15:54:53 8192 --a------ C:\WINDOWS\system32\regapi32.dll
2008-03-23 15:54:47 5632 --a------ C:\WINDOWS\system32\ftpsystem.dll
2008-03-23 15:54:43 8192 --a------ C:\WINDOWS\system32\dcphnet.dll
2008-03-23 15:54:42 8192 --a------ C:\WINDOWS\system32\cbrowse.dll
2008-03-23 15:47:02 8704 --a------ C:\WINDOWS\system32\rcdll.dll
2008-03-23 15:46:49 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-03-23 15:30:02 7168 --a------ C:\WINDOWS\system32\protect.dll
2008-03-23 15:29:35 40960 --a------ C:\WINDOWS\system32\vedxga3me2.exe <Not Verified; ; getbot>
2008-03-23 15:29:35 9728 --a------ C:\WINDOWS\system32\vedxg4am1et2.exe
2008-03-23 15:29:35 13824 --a------ C:\WINDOWS\system32\maxpaynowti.exe
2008-03-23 15:29:29 1078124 --a------ C:\Documents and Settings\Link\Application Data\Install.dat
2008-03-23 15:28:01 120 --a------ C:\tempdel.bat
2008-03-23 15:27:32 0 d-------- C:\Program Files\XPdefender
2008-03-23 15:26:45 7168 --a------ C:\WINDOWS\system32\ggd470.exe
2008-03-23 15:26:45 7168 --a------ C:\WINDOWS\system32\bskl470.exe
2008-03-23 15:26:17 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2008-03-23 15:26:14 17408 --a------ C:\WINDOWS\system32\ggd230.exe
2008-03-23 15:26:14 17408 --a------ C:\WINDOWS\system32\bskl230.exe
2008-03-23 15:25:52 26496 --a------ C:\WINDOWS\system32\drivers\Vaf73.sys
2008-03-23 15:25:41 14336 --a------ C:\Documents and Settings\Link\Application Data\ppszw.exe
2008-03-23 15:23:39 14336 --a------ C:\85b9mb.exe
2008-03-23 15:13:43 14080 --a------ C:\WINDOWS\voiceip.dll
2008-03-23 15:13:43 13312 --a------ C:\WINDOWS\swin32.dll
2008-03-23 15:13:43 18688 --a------ C:\WINDOWS\mspphe.dll
2008-03-23 15:13:43 8704 --a------ C:\WINDOWS\cdsm32.dll
2008-03-23 15:13:43 14592 --a------ C:\WINDOWS\bokja.exe
2008-03-23 15:13:42 18176 --a------ C:\WINDOWS\bjam.dll
2008-03-23 15:13:37 8448 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-03-23 15:13:37 10496 --a------ C:\WINDOWS\180ax.exe
2008-03-23 15:13:36 9472 --a------ C:\WINDOWS\salm.exe
2008-03-23 15:13:36 0 d-------- C:\WINDOWS\FLEOK
2008-03-23 15:13:35 29440 --a------ C:\WINDOWS\saiemod.dll
2008-03-23 15:13:34 12544 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-23 15:13:33 10752 --a------ C:\WINDOWS\msapasrc.dll
2008-03-23 15:13:33 9728 --a------ C:\WINDOWS\msa64chk.dll
2008-03-23 15:13:29 27904 --a------ C:\WINDOWS\shdocpl.dll
2008-03-23 15:13:28 28160 --a------ C:\WINDOWS\ntnut.exe
2008-03-23 15:13:27 29696 --a------ C:\WINDOWS\shdocpe.dll
2008-03-23 15:13:25 0 d-------- C:\Program Files\Sysmnt
2008-03-23 15:13:24 28928 --a------ C:\WINDOWS\winsb.dll
2008-03-23 15:13:22 22016 --a------ C:\WINDOWS\browserad.dll
2008-03-23 15:13:20 23040 --a------ C:\WINDOWS\aviwrap32.dll
2008-03-23 15:13:19 22272 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-23 15:13:19 32768 --a------ C:\WINDOWS\avifile32.dll
2008-03-23 15:13:17 19200 --a------ C:\WINDOWS\autodisc32.dll
2008-03-23 15:13:16 20736 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-23 15:13:16 8448 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-23 15:13:15 32512 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-23 15:13:14 10240 --a------ C:\WINDOWS\athprxy32.dll
2008-03-23 15:13:14 28672 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-23 15:13:11 22272 --a------ C:\WINDOWS\asferror32.dll
2008-03-23 15:13:10 25344 --a------ C:\WINDOWS\apphelp32.dll
2008-03-23 15:13:08 13312 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-23 15:00:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-23 14:59:57 3806230 --a------ C:\WINDOWS\Ily63cN5QR.exe
2008-03-23 14:58:51 52736 --a------ C:\WINDOWS\ezgdylwx.exe
2008-03-23 14:58:49 180224 --a------ C:\WINDOWS\ulklebyp.dll
2008-03-23 14:58:49 0 d-------- C:\WINDOWS\cgtpnipv
2008-03-23 14:58:46 59904 --a------ C:\Documents and Settings\All Users\Application Data\ubqxibwb.dll
2008-03-23 14:58:45 59904 --a------ C:\WINDOWS\arobmdcr.dll
2008-03-23 14:58:02 0 d-------- C:\WINDOWS\?racle


-- Find3M Report ---------------------------------------------------------------

2008-04-03 20:13:52 0 d-------- C:\Documents and Settings\Link\Application Data\Ventrilo
2008-04-01 19:43:08 0 d-------- C:\Program Files\World of Warcraft on 192.168.0.193
2008-03-28 21:01:56 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-23 15:51:46 0 d-------- C:\Program Files\Common Files
2008-03-15 00:58:41 23040 --a------ C:\WINDOWS\system32\000090.exe
2008-03-13 04:23:08 0 d-------- C:\Documents and Settings\Link\Application Data\Macromedia
2008-03-13 04:23:07 0 d-------- C:\Documents and Settings\Link\Application Data\Adobe
2008-03-12 08:21:00 0 d-------- C:\Program Files\Ventrilo
2008-03-12 08:20:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 07:16:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 07:15:41 0 d-------- C:\Program Files\CREATIVE
2008-03-12 06:36:05 0 d-------- C:\Program Files\C-Media
2008-03-12 06:29:48 0 d-------- C:\Program Files\802.11 Wireless LAN
2008-03-12 05:07:02 0 d-------- C:\Documents and Settings\Link\Application Data\Identities
2008-03-12 05:01:26 0 d-------- C:\Program Files\microsoft frontpage
2008-03-12 05:01:06 0 -rahs---- C:\MSDOS.SYS
2008-03-12 05:01:06 0 -rahs---- C:\IO.SYS
2008-03-12 05:01:06 0 --a------ C:\CONFIG.SYS
2008-03-12 05:01:06 0 --a------ C:\AUTOEXEC.BAT
2008-03-12 04:59:03 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-12 04:58:57 0 d-------- C:\Program Files\Online Services
2008-03-12 04:58:05 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-12 04:57:56 0 d-------- C:\Program Files\Movie Maker
2008-03-12 04:57:28 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-12 04:56:10 0 d-------- C:\Program Files\Messenger
2008-03-12 04:56:05 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-12 04:55:55 0 d-------- C:\Program Files\Windows NT
2008-03-11 23:41:26 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-11 23:41:22 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-11 23:40:53 62 --ahs---- C:\Documents and Settings\Link\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ff66054-1dd2-11b2-a586-d933140e6a0e}]
03/23/2008 02:58 PM 59904 --a------ C:\WINDOWS\arobmdcr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
C:\WINDOWS\system32\H4dj24g.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
C:\WINDOWS\system32\Kf9467g.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 01:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 01:22 PM]
"taskmon"="C:\WINDOWS\taskmon.exe" [03/29/2008 06:32 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe [11/20/2006 12:04:12 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=1 (0x1)
"Wallpaper"=C:\WINDOWS\desktop.html

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\H4dj24g.dll [ ]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"= C:\WINDOWS\system32\Kf9467g.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 04/17/2008 05:26 PM 11776 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vaf73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Link\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ubqxibwb]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ubqxibwb.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinIFixer]
C:\Program Files\WinIFixer\WinIFixer.exe




-- Hosts -----------------------------------------------------------------------

124.217.252.78 secure.isoftpay.com


-- End of Deckard's System Scanner: finished at 2008-04-17 18:31:51 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.00GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 767.49 MiB / 530.91 MiB
Pagefile Memory (total/avail): 1876.23 MiB / 1676.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.21 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.27 GiB total, 24.46 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Link\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LINK-83C3AECC39
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Link
LOGONSERVER=\\LINK-83C3AECC39
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Link\LOCALS~1\Temp
TMP=C:\DOCUME~1\Link\LOCALS~1\Temp
USERDOMAIN=LINK-83C3AECC39
USERNAME=Link
USERPROFILE=C:\Documents and Settings\Link
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Link (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\CTSetup\CTSetup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
802.11g Wireless Adapter HW.15 V.1.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{F266A90C-3F4A-4F65-9901-3DBBB0D77D80}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PCI Audio Driver --> cmuninst.exe
Sound Blaster AudioPCI Drivers Online Help --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CREATIVE\AUDIO\HELP\SBPCIDRV.isu"
Sound Blaster PCI128 Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{509291FD-CFC8-11D6-A285-00A0CC51B2FE}\Setup.exe" -l0x9 /remove
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins001.exe /LOG
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type700 / Error
Event Submitted/Written: 04/16/2008 04:59:54 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type691 / Error
Event Submitted/Written: 04/15/2008 06:22:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x069647ad.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type666 / Error
Event Submitted/Written: 04/11/2008 06:33:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x060c62b8.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type640 / Error
Event Submitted/Written: 04/08/2008 03:13:56 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type639 / Error
Event Submitted/Written: 04/08/2008 03:07:59 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x0370baf7.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7914 / Error
Event Submitted/Written: 04/17/2008 06:01:07 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type7912 / Warning
Event Submitted/Written: 04/17/2008 05:56:56 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type7902 / Error
Event Submitted/Written: 04/17/2008 05:56:40 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%2

Event Record #/Type7901 / Error
Event Submitted/Written: 04/17/2008 05:56:40 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The ICF service failed to start due to the following error:
%%2

Event Record #/Type7894 / Warning
Event Submitted/Written: 04/17/2008 05:51:53 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-17 18:31:51 ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:51 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\taskmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Link\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Link.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8ff66054-1dd2-11b2-a586-d933140e6a0e} - C:\WINDOWS\arobmdcr.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: C:\WINDOWS\system32\H4dj24g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\H4dj24g.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\Kf9467g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Kf9467g.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\H4dj24g.dll (file missing)
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Kf9467g.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Online Search Service - 2nd - Unknown owner - C:\WINDOWS\system32\winlast.exe (file missing)
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\WINDOWS\system32\wnslogan.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5454 bytes


#2 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Hello and Welcome to Geekstogo! :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#3 Euroghal (Topic Starter, New Member, 5 posts)
The program works great, thanks, but I still have the following files that get deleted and then reappear. I have manually deleted them from the registry and even exported them and renamed them to a .txt so they would not work, but to no avail. Any ideas?


Malwarebytes' Anti-Malware 1.11
Database version: 652

Scan type: Full Scan (C:\|)
Objects scanned: 37648
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#4 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 Euroghal (Topic Starter, New Member, 5 posts)
OK, here are the logs.

ComboFix 08-04-18.3 - Link 2008-04-19 10:58:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.549 [GMT -4:00]
Running from: C:\Documents and Settings\Link\Desktop\ComboFix123.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini
C:\WINDOWS\default.htm
C:\WINDOWS\racle~1
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\Vaf73.sys

----- BITS: Possible infected sites -----

hxxp://mynudenetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF
-------\Legacy_TASKMON.SYS
-------\Legacy_VAF73
-------\Service_asc3550p
-------\Service_oqtxde
-------\Service_taskmon.sys
-------\Service_Vaf73


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 20:00 . 2008-04-18 20:00 <DIR> d-------- C:\Documents and Settings\Link\Application Data\Simply Super Software
2008-04-18 20:00 . 2008-04-18 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-18 20:00 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-18 20:00 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-04-18 20:00 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-18 20:00 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-18 20:00 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-04-18 18:12 . 2008-04-18 18:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-18 18:12 . 2008-04-18 18:12 <DIR> d-------- C:\Documents and Settings\Link\Application Data\Malwarebytes
2008-04-18 18:12 . 2008-04-18 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 18:29 . 2008-04-17 18:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 18:27 . 2008-04-17 18:27 <DIR> d-------- C:\Deckard
2008-04-17 16:50 . 2008-04-17 16:50 260 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-03-29 08:28 . 2008-03-29 08:28 <DIR> d-------- C:\Logs
2008-03-28 21:02 . 2008-03-28 21:04 <DIR> d-------- C:\WINDOWS\nview
2008-03-28 21:02 . 2006-10-22 16:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-28 21:02 . 2006-10-22 13:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-28 21:02 . 2008-04-19 11:02 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-28 21:02 . 2006-10-22 13:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-28 21:01 . 2008-03-28 21:01 <DIR> d-------- C:\NVIDIA
2008-03-28 18:49 . 2008-03-28 18:49 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-27 05:24 . 2008-03-27 05:24 <DIR> d---s---- C:\Documents and Settings\Link\UserData
2008-03-24 20:26 . 2008-04-17 17:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 20:21 . 2008-03-24 20:21 2 --a------ C:\11.tmp
2008-03-24 20:15 . 2007-12-10 15:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-24 20:15 . 2007-12-10 15:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-24 20:15 . 2008-02-01 13:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-24 20:15 . 2007-12-10 15:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-24 20:14 . 2008-03-28 18:28 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-24 20:14 . 2008-03-24 20:14 <DIR> d-------- C:\Documents and Settings\Link\Application Data\PC Tools
2008-03-24 20:02 . 2008-04-16 20:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-24 20:01 . 2008-03-24 20:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-24 20:01 . 2008-04-17 17:19 <DIR> d-------- C:\Documents and Settings\Link\Application Data\AVG7
2008-03-24 20:01 . 2008-03-24 20:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-24 20:01 . 2008-03-24 20:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-24 20:00 . 2008-03-24 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 20:00 . 2008-03-24 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 15:58 . 2008-03-24 20:27 104 --a------ C:\WINDOWS\system32\inet.ocx
2008-03-23 15:57 . 2008-03-23 15:57 2 --a------ C:\E.tmp
2008-03-23 15:53 . 2008-03-23 15:53 2 --a------ C:\B.tmp
2008-03-23 15:45 . 2008-03-23 15:45 62 --a------ C:\6.tmp
2008-03-23 15:29 . 2008-03-23 15:29 29 --a------ C:\WINDOWS\system32\tyofghei.tmp
2008-03-23 15:29 . 2008-03-23 15:29 2 --a------ C:\A.tmp
2008-03-23 15:28 . 2008-03-23 15:28 120 --a------ C:\tempdel.bat
2008-03-23 15:26 . 2008-03-23 15:26 2 --a------ C:\49.tmp
2008-03-23 15:25 . 2008-03-23 15:23 14,336 --a------ C:\Documents and Settings\Link\Application Data\ppszw.exe
2008-03-23 15:23 . 2008-03-23 15:23 14,336 --a------ C:\85b9mb.exe
2008-03-23 14:59 . 2008-03-23 14:59 3,806,230 --a------ C:\WINDOWS\Ily63cN5QR.exe
2008-03-23 14:58 . 2008-03-23 14:58 <DIR> d-------- C:\WINDOWS\cgtpnipv
2008-03-23 14:58 . 2008-03-23 14:58 180,224 --a------ C:\WINDOWS\ulklebyp.dll
2008-03-23 14:58 . 2008-03-23 14:58 59,904 --a------ C:\WINDOWS\arobmdcr.dll
2008-03-23 14:58 . 2008-03-23 14:58 59,904 --a------ C:\Documents and Settings\All Users\Application Data\ubqxibwb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 00:37 --------- d-----w C:\Program Files\World of Warcraft on 192.168.0.193
2008-04-17 21:20 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-04 00:13 --------- d-----w C:\Documents and Settings\Link\Application Data\Ventrilo
2008-03-29 01:01 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-23 19:27 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-03-12 12:21 --------- d-----w C:\Program Files\Ventrilo
2008-03-12 12:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 11:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 11:15 --------- d-----w C:\Program Files\CREATIVE
2008-03-12 10:36 --------- d-----w C:\Program Files\C-Media
2008-03-12 10:30 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-12 10:29 --------- d-----w C:\Program Files\802.11 Wireless LAN
2008-03-12 09:01 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-10 22:54 4,407,686 ----a-w C:\SBAudioSetup_W2k.zip
2008-02-01 08:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ff66054-1dd2-11b2-a586-d933140e6a0e}]
2008-03-23 14:58 59904 --a------ C:\WINDOWS\arobmdcr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-24 20:00 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe [2006-11-20 00:04:12 634880]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vaf73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Link\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-03-24 20:00 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2002-07-12 16:33 1581056 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-02-01 13:55 1103240 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ubqxibwb]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\ubqxibwb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinIFixer]
C:\Program Files\WinIFixer\WinIFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S2 Googles Onlines Search Services;Googles Onlines Search Services;C:\WINDOWS\system32\wnslogan.exe []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 11:02:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\Osne53.sys 167936 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Osne53]

.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\802~1.11W\80211G~1.00\WlanCU.exe
.
**************************************************************************
.
Completion time: 2008-04-19 11:04:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 15:04:40

Pre-Run: 26,204,282,880 bytes free
Post-Run: 26,180,333,568 bytes free

166


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:57 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: (no name) - {8ff66054-1dd2-11b2-a586-d933140e6a0e} - C:\WINDOWS\arobmdcr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\WINDOWS\system32\wnslogan.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 3231 bytes
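As an added example (not part of the original posts, and not code from HijackThis, Malwarebytes or ComboFix), the following Python script applies, mechanically, the checks a helper makes by eye over a HijackThis log: the F2 UserInit value, which Winlogon executes entry by entry and which on a stock system contains only userinit.exe; O1 hosts entries that point a hostname at a non-loopback address; O2 BHOs with no name; O4 autoruns for SYSTEM or the default user that live under a user profile; O7 policy restrictions; O20 Winlogon Notify packages, which load into winlogon.exe; and O23 services whose binary is missing. The sample input is the set of those lines copied verbatim from the HijackThis log in post #5 (taken after ComboFix ran, with the UserInit entry still present); it is not a complete log. The rules and the "profile directory" heuristic are this example's own judgement calls, not a published HijackThis or forum policy.

```python
import ntpath
import re

# Constructed sample: persistence-related lines copied from the HijackThis
# log in post #5 above. Not a complete log.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: (no name) - {8ff66054-1dd2-11b2-a586-d933140e6a0e} - C:\WINDOWS\arobmdcr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\WINDOWS\system32\wnslogan.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
""".strip().splitlines()

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Heuristic (this example's choice): code that runs as SYSTEM or for the
# default user has no business living inside a user profile directory.
PROFILE_DIR = re.compile(r"\\Documents and Settings\\", re.IGNORECASE)


def parse_line(line):
    """Split 'O23 - Service: ...' into ('O23', 'Service: ...'); None if not an HJT entry."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(lines):
    """Return (section, reason, line) findings for entries that deserve a second look."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        sec, body = parsed
        if sec == "F2" and "UserInit=" in body:
            # Winlogon runs every comma-separated program here; only userinit.exe is stock.
            progs = [p for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in progs if ntpath.basename(p).lower() != "userinit.exe"]
            if extra:
                findings.append((sec, "extra UserInit programs: " + ", ".join(extra), line))
        elif sec == "O1":
            # A hosts entry mapping a name to a non-loopback IP silently redirects it.
            ip, _, host = body.split(":", 1)[1].strip().partition(" ")
            if ip not in LOOPBACK:
                findings.append((sec, f"hosts redirect {host} -> {ip}", line))
        elif sec == "O2" and "(no name)" in body:
            findings.append((sec, "unnamed BHO loaded into Internet Explorer", line))
        elif sec == "O4" and PROFILE_DIR.search(body) and (
            "'SYSTEM'" in body or "'Default user'" in body
        ):
            findings.append((sec, "SYSTEM/default-user autorun from a profile directory", line))
        elif sec == "O7":
            findings.append((sec, "policy restriction set (tool lockout)", line))
        elif sec == "O20":
            findings.append((sec, "Winlogon Notify package loads into winlogon.exe", line))
        elif sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service points at a missing binary", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_HJT):
        print(f"[{sec}] {reason}\n    {line}")
```

A hit is a prompt for inspection, not a verdict: legitimate software also registers Winlogon Notify packages, and a service whose binary is missing can be the remains of an uninstall. Because `triage` returns a plain list, the same function can be run over the log taken before a cleanup and the one taken after it, and the two lists compared to see which persistence entries survived.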

#6 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Please go here and upload the following files (please note as you can only do 4 files at a time, it will take a few times to upload them all):

C:\E.tmp
C:\B.tmp
C:\6.tmp
C:\WINDOWS\system32\tyofghei.tmp
C:\A.tmp
C:\49.tmp
C:\Documents and Settings\Link\Application Data\ppszw.exe
C:\85b9mb.exe
C:\WINDOWS\Ily63cN5QR.exe
C:\WINDOWS\ulklebyp.dll
C:\WINDOWS\arobmdcr.dll
C:\Documents and Settings\All Users\Application Data\ubqxibwb.dll


Please let me know when you have done that.

#7 Euroghal (Topic Starter, New Member, 5 posts)
OK, I uploaded what would upload; some of the files no longer exist... don't know why that would be. I disabled all spyware and tried again, but some still didn't load.