Infection causing inability to connect to certain websites. [CLOSED]


  • This topic is locked

#1 Situationeer (Member, 49 posts)
Like the title states, I think a malware infection is causing my inability to connect to certain websites such as myspace.com, yahoo.com, and google.com, and actually even this website. What I have to do to access any of these websites is use a proxy.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:25 AM, on 4/22/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\AdAware\AAWTray.exe
D:\Program Files\WinAmp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\DAEMON\daemon.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\AdAware\AAWTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\WinAmp\winampa.exe"
O4 - HKLM\..\Run: [hgdaxxwxur] Rundll32.exe "C:\WINDOWS\System32\sstttrsq.dll",s
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\DAEMON\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BM13618375] Rundll32.exe "C:\WINDOWS\System32\elaibvra.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\DJ MIKE A\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\DJ MIKE A\Application Data\Microsoft\Windows\rbnnwsc.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: wjlm.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...uweb_site.cab?1203567704609
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\AdAware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5468 bytes
  • 0
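The O4 and O7 entries in the log above are the ones a log reviewer flags by eye: Rundll32 launching an eight-letter random DLL with an `,s` export, an autorun executable under a user's Application Data, a bare executable dropped into the all-users Startup folder, and a policy that disables regedit. As an added illustration (not part of the original post and not a HijackThis feature), the Python below parses a constructed subset of those lines in the HijackThis v2 line format and applies those checks mechanically; the rule names and the "random value name" heuristic are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the HijackThis v2 line format used in this thread
# (a subset of the first log above, not the whole file).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\AdAware\AAWTray.exe
O4 - HKLM\..\Run: [hgdaxxwxur] Rundll32.exe "C:\WINDOWS\System32\sstttrsq.dll",s
O4 - HKLM\..\Run: [BM13618375] Rundll32.exe "C:\WINDOWS\System32\elaibvra.dll",s
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\DJ MIKE A\Application Data\Microsoft\Windows\rbnnwsc.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - Global Startup: wjlm.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


@dataclass
class Finding:
    line: str    # the log line that triggered the rule
    rule: str    # rule identifier (names are this example's own)
    detail: str  # human-readable reason


# "O4 - HKLM\..\Run: [Name] command", "O4 - Global Startup: file", "O7 - key, value=data"
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<file>.+)$")
O7_POLICY = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>.+)$")

# Rundll32 loading an eight-lowercase-letter DLL and calling an export, as in the
# [hgdaxxwxur] and [BM13618375] entries above: droppers that regenerate a random
# DLL name on every reinfection produce exactly this shape.
RUNDLL_RANDOM_DLL = re.compile(r'[Rr]undll32(?:\.exe)?\s+"?(?:[^"\\]*\\)*([a-z]{8})\.dll"?\s*,')
# Heuristic (low confidence): legitimate Run value names are almost never a long
# run of lowercase letters; generated ones such as "hgdaxxwxur" are.
RANDOM_VALUE_NAME = re.compile(r"^[a-z]{9,}$")


def check_run_entry(line: str, m: "re.Match") -> List[Finding]:
    name, cmd = m.group("name"), m.group("cmd")
    out = []
    dll = RUNDLL_RANDOM_DLL.search(cmd)
    if dll:
        out.append(Finding(line, "RUNDLL_RANDOM_DLL", f"rundll32 loads random-looking {dll.group(1)}.dll"))
    if "\\application data\\" in cmd.lower() and cmd.lower().rstrip('"').endswith(".exe"):
        out.append(Finding(line, "EXE_IN_APPDATA", "autorun executable lives under a profile's Application Data"))
    if RANDOM_VALUE_NAME.match(name):
        out.append(Finding(line, "RANDOM_VALUE_NAME", f"Run value name '{name}' looks generated (low confidence)"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Apply the reviewer's checks to every O4/O7 line and return the hits."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            findings.extend(check_run_entry(line, m))
            continue
        m = O4_STARTUP.match(line)
        if m:
            f = m.group("file")
            # A .lnk here is normal; a bare .exe copied straight into the folder is not.
            if "\\" not in f and f.lower().endswith(".exe"):
                findings.append(Finding(line, "BARE_EXE_IN_STARTUP", f"{f} sits directly in the all-users Startup folder"))
            continue
        m = O7_POLICY.match(line)
        if m and m.group("value") == "DisableRegedit" and m.group("data").strip() == "1":
            findings.append(Finding(line, "REGEDIT_DISABLED", "policy blocks regedit, a common anti-removal tweak"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Entries such as `[WinAVX] C:\WINDOWS\System32\WinAvXX.exe` pass these rules and still need a manual look, so treat the output as a shortlist, not a verdict.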



#2 Rorschach112 (Retired Staff, 47,710 posts)
Hello

Open notepad, click Format, uncheck wordwrap



Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
  • 0

#3 Situationeer (Topic Starter, Member, 49 posts)
Thank you for the quick reply! After the ComboFix scan I am still unable to connect to the websites.

Here's the new updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:32 PM, on 4/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
D:\Program Files\AdAware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\WinAmp\winampa.exe
D:\Program Files\DAEMON\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\AdAware\AAWTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\WinAmp\winampa.exe"
O4 - HKLM\..\Run: [hgdaxxwxur] Rundll32.exe "C:\WINDOWS\System32\sstttrsq.dll",s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\DAEMON\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BM13618375] Rundll32.exe "C:\WINDOWS\System32\vtbdqhyo.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: wjlm.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203567704609
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\AdAware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5130 bytes

And the ComboFix Log:


ComboFix 08-04-22.1 - DJ MIKE A 2008-04-23 3:27:11.6 - FAT32x86
Running from: C:\Documents and Settings\DJ MIKE A\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 08:51 . 2008-04-23 08:51 272,384 --------- C:\WINDOWS\system32\awvts.dll
2008-04-23 08:51 . 2008-04-23 08:56 444 --ahs---- C:\WINDOWS\system32\stvwa.ini
2008-04-23 08:51 . 2008-04-23 08:55 345 --ahs---- C:\WINDOWS\system32\stvwa.ini2
2008-04-22 08:50 . 2008-04-22 08:50 <DIR> d---s---- C:\Documents and Settings\DJ MIKE A\UserData
2008-04-21 03:55 . 2008-04-21 03:55 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\Leadertech
2008-04-21 03:00 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-04-21 03:00 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-04-21 02:57 . 2008-04-21 02:57 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-20 16:46 . 2008-04-21 16:45 1,520,966 ---hs---- C:\WINDOWS\system32\ttdwhvty.ini
2008-04-20 13:03 . 2008-04-21 01:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 13:03 . 2008-04-20 13:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 11:56 . 2008-04-20 11:56 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\SystemRequirementsLab
2008-04-18 04:03 . 2008-04-18 04:03 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\WinAmp
2008-04-16 22:14 . 2008-04-16 22:14 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\AppDate
2008-04-15 02:52 . 2008-04-15 03:05 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-04-15 02:52 . 2008-04-15 03:05 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-15 02:51 . 2008-04-15 02:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-15 02:51 . 2008-04-15 02:51 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-04-14 19:21 . 2008-04-14 19:21 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\InstallShield
2008-04-13 12:46 . 2008-04-13 12:46 9,216 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-10 21:05 . 2008-04-10 21:05 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Nokia Multimedia Player
2008-03-29 02:29 . 2008-03-30 03:41 1,556,908 ---hs---- C:\WINDOWS\system32\qodmnedc.ini
2008-03-27 22:59 . 2008-03-29 02:27 1,749,577 ---hs---- C:\WINDOWS\system32\rufidkpu.ini
2008-03-26 22:55 . 2008-03-27 23:00 1,708,651 ---hs---- C:\WINDOWS\system32\kfrcnput.ini
2008-03-26 09:46 . 2008-03-26 19:04 2,149,203 ---hs---- C:\WINDOWS\system32\ukyjsxoj.ini
2008-03-26 07:27 . 2008-03-26 09:43 2,208,478 ---hs---- C:\WINDOWS\system32\ywhrfhnp.ini
2008-03-25 01:43 . 2008-03-26 07:24 2,438,221 ---hs---- C:\WINDOWS\system32\wqawnlvb.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 17:08 99,904 ----a-w C:\WINDOWS\system32\jtojhntd.dll
2008-03-17 17:03 95,296 ----a-w C:\WINDOWS\system32\ijgtojmo.dll
2008-03-17 13:14 99,904 ----a-w C:\WINDOWS\system32\untjcebf.dll
2008-03-17 13:11 95,296 ----a-w C:\WINDOWS\system32\ojmpnmip.dll
2008-03-17 12:14 99,904 ----a-w C:\WINDOWS\system32\daiscsde.dll
2008-03-17 12:11 95,296 ----a-w C:\WINDOWS\system32\jwkvupio.dll
2008-03-17 11:14 99,904 ----a-w C:\WINDOWS\system32\irvieedr.dll
2008-03-17 11:11 95,296 ----a-w C:\WINDOWS\system32\jxeipdho.dll
2008-03-17 10:17 99,904 ----a-w C:\WINDOWS\system32\ygyeumvy.dll
2008-03-17 10:11 95,296 ----a-w C:\WINDOWS\system32\jvkfcgpe.dll
2008-03-17 09:17 99,904 ----a-w C:\WINDOWS\system32\xmjghyas.dll
2008-03-17 09:11 95,296 ----a-w C:\WINDOWS\system32\japmishl.dll
2008-03-17 08:11 99,904 ----a-w C:\WINDOWS\system32\jasyfkyq.dll
2008-03-17 08:08 95,296 ----a-w C:\WINDOWS\system32\akrrvahw.dll
2008-03-17 07:14 99,904 ----a-w C:\WINDOWS\system32\nsyebqiv.dll
2008-03-17 07:09 95,296 ----a-w C:\WINDOWS\system32\ssbtyxws.dll
2008-03-17 05:04 99,904 ----a-w C:\WINDOWS\system32\qjrnhswr.dll
2008-03-17 04:59 95,296 ----a-w C:\WINDOWS\system32\mctshimr.dll
2008-03-17 00:36 99,904 ----a-w C:\WINDOWS\system32\cuyhmsdk.dll
2008-03-17 00:30 95,296 ----a-w C:\WINDOWS\system32\dqtjeoxt.dll
2008-03-16 23:33 99,904 ----a-w C:\WINDOWS\system32\xosmafrb.dll
2008-03-16 23:30 95,296 ----a-w C:\WINDOWS\system32\boasedts.dll
2008-03-16 22:33 99,904 ----a-w C:\WINDOWS\system32\wxbvlsrp.dll
2008-03-16 22:27 95,296 ----a-w C:\WINDOWS\system32\patyypoq.dll
2008-03-16 21:33 99,904 ----a-w C:\WINDOWS\system32\hodlbosa.dll
2008-03-16 21:27 95,296 ----a-w C:\WINDOWS\system32\vhhveqfs.dll
2008-03-16 20:30 99,904 ----a-w C:\WINDOWS\system32\wfnifaxf.dll
2008-03-16 20:27 95,296 ----a-w C:\WINDOWS\system32\fqusuprp.dll
2008-03-16 19:30 99,904 ----a-w C:\WINDOWS\system32\gphvtorb.dll
2008-03-16 19:27 95,296 ----a-w C:\WINDOWS\system32\gomruscp.dll
2008-03-16 18:33 99,904 ----a-w C:\WINDOWS\system32\iiygsrxn.dll
2008-03-16 18:28 95,296 ----a-w C:\WINDOWS\system32\cfmhvmib.dll
2008-03-16 17:30 99,904 ----a-w C:\WINDOWS\system32\cybxwioo.dll
2008-03-16 17:27 95,296 ----a-w C:\WINDOWS\system32\gqtmwbdg.dll
2008-03-16 16:29 99,904 ----a-w C:\WINDOWS\system32\qiwydgyq.dll
2008-03-16 16:26 95,296 ----a-w C:\WINDOWS\system32\oggksnlg.dll
2008-03-16 15:26 99,904 ----a-w C:\WINDOWS\system32\baxllhxb.dll
2008-03-16 15:23 95,296 ----a-w C:\WINDOWS\system32\csqrxnio.dll
2008-03-16 14:21 95,296 ----a-w C:\WINDOWS\system32\wjoarytk.dll
2008-03-15 18:08 98,368 ----a-w C:\WINDOWS\system32\ddstmahl.dll
2008-03-15 18:05 98,368 ----a-w C:\WINDOWS\system32\ikmxfcid.dll
2008-03-14 18:08 98,368 ----a-w C:\WINDOWS\system32\cnrjmkla.dll
2008-03-14 18:03 96,832 ----a-w C:\WINDOWS\system32\xcbfjmkj.dll
2008-03-12 22:47 --------- d-----w C:\Documents and Settings\DJ MIKE A\Application Data\acccore
2008-03-09 23:01 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-09 23:01 --------- d-----w C:\Documents and Settings\Mike\Application Data\SystemRequirementsLab
2008-03-05 22:11 96,832 ----a-w C:\WINDOWS\system32\mhvgboea.dll
2008-03-04 21:10 96,832 ----a-w C:\WINDOWS\system32\lxlelyta.dll
2008-03-03 21:13 95,296 ----a-w C:\WINDOWS\system32\epuyhtdu.dll
2008-03-01 18:17 294,400 ----a-w C:\WINDOWS\system32\geede.dll
2008-03-01 14:40 294,400 ----a-w C:\WINDOWS\system32\ddayv.dll
2008-02-24 06:27 --------- d-----w C:\Documents and Settings\Christine\Application Data\acccore
2008-02-17 07:41 22,016 ----a-w C:\WINDOWS\system32\sstttrsq.dll
2008-02-17 07:41 22,016 ----a-w C:\WINDOWS\ssqrsqrp.dll
2008-02-17 07:41 22,016 ----a-w C:\Documents and Settings\Mike\Application Data\mllmkjki.dll
2008-02-05 13:23 90,688 ----a-w C:\WINDOWS\system32\metqwyoe.dll
2008-02-01 08:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-07-07 00:12 784 ----a-w C:\Documents and Settings\DJ MIKE A\Application Data\mpauth.dat
2007-06-30 06:13 784 ----a-w C:\Documents and Settings\Candice\Application Data\mpauth.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6426ed86-81ea-4ae4-8e74-e027dfb74220}]
2008-04-23 08:57 97856 --a------ C:\WINDOWS\System32\lqdouhsf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C196BF59-D6EC-491F-894A-A27DDFB43AE0}]
2008-02-17 02:41 22016 --a------ C:\WINDOWS\ssqrsqrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1F1541C-A100-4BAB-8EEC-A9D43FFF14F2}]
2008-04-23 08:51 272384 --------- C:\WINDOWS\System32\awvts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"Steam"="D:\Program Files\Steam\Steam.exe" [ ]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAWTray"="D:\Program Files\AdAware\AAWTray.exe" [2007-08-08 15:53 88024]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"WinampAgent"="D:\Program Files\WinAmp\winampa.exe" [2008-01-15 17:54 37376]
"hgdaxxwxur"="C:\WINDOWS\System32\sstttrsq.dll" [2008-02-17 02:41 22016]
"DAEMON Tools-1033"="D:\Program Files\DAEMON\daemon.exe" [2004-08-22 17:05 81920]
"1052b0e9"="C:\WINDOWS\System32\fhmpaues.dll" [2008-04-23 08:55 88640]
"BM13618375"="C:\WINDOWS\System32\vtbdqhyo.dll" [2008-04-23 08:54 95808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
wjlm.exe [2008-02-17 02:41:40 22248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\awvts
Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\Mike\Application Data\mllmkjki.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"!AVG Anti-Spyware"="D:\Program Files\AVG\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
"PCSuiteTrayApplication"=D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\System32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2001-08-18 05:00]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 12:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-18 22:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\Tune Up\SystemOptimizer.exe
"2008-02-15 01:04:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-15 03:46:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 08:53:11
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Documents and Settings\Mike\Application Data\mllmkjki.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\fhmpaues.dll
-> C:\WINDOWS\System32\sstttrsq.dll
-> C:\WINDOWS\System32\vtbdqhyo.dll
-> C:\WINDOWS\System32\awvts.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
D:\Program Files\AdAware\aawservice.exe
D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2000\TMNTSRV.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\MOM.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\CCC.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-23 9:00:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 13:59:50

Pre-Run: 1,780,404,224 bytes free
Post-Run: 1,916,682,240 bytes free

426 --- E O F --- 2008-02-21 07:17:38




Cheers!
  • 0

#4
Situationeer

Situationeer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Sorry double post. Browsing through this proxy is a pain!

Edited by Situationeer, 23 April 2008 - 02:47 PM.

  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\ttdwhvty.ini
C:\WINDOWS\system32\qodmnedc.ini
C:\WINDOWS\system32\rufidkpu.ini
C:\WINDOWS\system32\kfrcnput.ini
C:\WINDOWS\system32\ukyjsxoj.ini
C:\WINDOWS\system32\ywhrfhnp.ini
C:\WINDOWS\system32\wqawnlvb.ini
C:\WINDOWS\system32\jtojhntd.dll
C:\WINDOWS\system32\ijgtojmo.dll
C:\WINDOWS\system32\untjcebf.dll
C:\WINDOWS\system32\ojmpnmip.dll
C:\WINDOWS\system32\daiscsde.dll
C:\WINDOWS\system32\jwkvupio.dll
C:\WINDOWS\system32\irvieedr.dll
C:\WINDOWS\system32\jxeipdho.dll
C:\WINDOWS\system32\ygyeumvy.dll
C:\WINDOWS\system32\jvkfcgpe.dll
C:\WINDOWS\system32\xmjghyas.dll
C:\WINDOWS\system32\japmishl.dll
C:\WINDOWS\system32\jasyfkyq.dll
C:\WINDOWS\system32\akrrvahw.dll
C:\WINDOWS\system32\nsyebqiv.dll
C:\WINDOWS\system32\ssbtyxws.dll
C:\WINDOWS\system32\qjrnhswr.dll
C:\WINDOWS\system32\mctshimr.dll
C:\WINDOWS\system32\cuyhmsdk.dll
C:\WINDOWS\system32\dqtjeoxt.dll
C:\WINDOWS\system32\xosmafrb.dll
C:\WINDOWS\system32\boasedts.dll
C:\WINDOWS\system32\wxbvlsrp.dll
C:\WINDOWS\system32\patyypoq.dll
C:\WINDOWS\system32\hodlbosa.dll
C:\WINDOWS\system32\vhhveqfs.dll
C:\WINDOWS\system32\wfnifaxf.dll
C:\WINDOWS\system32\fqusuprp.dll
C:\WINDOWS\system32\gphvtorb.dll
C:\WINDOWS\system32\gomruscp.dll
C:\WINDOWS\system32\iiygsrxn.dll
C:\WINDOWS\system32\cfmhvmib.dll
C:\WINDOWS\system32\cybxwioo.dll
C:\WINDOWS\system32\gqtmwbdg.dll
C:\WINDOWS\system32\qiwydgyq.dll
C:\WINDOWS\system32\oggksnlg.dll
C:\WINDOWS\system32\baxllhxb.dll
C:\WINDOWS\system32\csqrxnio.dll
C:\WINDOWS\system32\wjoarytk.dll
C:\WINDOWS\system32\ddstmahl.dll
C:\WINDOWS\system32\ikmxfcid.dll
C:\WINDOWS\system32\cnrjmkla.dll
C:\WINDOWS\system32\xcbfjmkj.dll
C:\WINDOWS\system32\mhvgboea.dll
C:\WINDOWS\system32\lxlelyta.dll
C:\WINDOWS\system32\epuyhtdu.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\sstttrsq.dll
C:\WINDOWS\ssqrsqrp.dll
C:\WINDOWS\system32\metqwyoe.dll
C:\Documents and Settings\Mike\Application Data\mllmkjki.dll
C:\WINDOWS\System32\fhmpaues.dll
C:\WINDOWS\System32\sstttrsq.dll
C:\WINDOWS\System32\vtbdqhyo.dll
C:\WINDOWS\System32\awvts.dll

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log
  • 0
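A check worth running after the CFScript step above, as an added example that is not part of this thread or of ComboFix: a small Python script that reads the File:: list out of a CFScript and the "Other Deletions" section out of the resulting ComboFix.txt, then reports which requested paths were not removed and which removals ComboFix did on its own. It assumes the section layout visible in the ComboFix logs posted in this thread (sections headed by lines ending in "::", deletions framed by the "((((" banner lines). The sample script and log excerpt are constructed from paths in this thread, plus one made-up path (notremoved.dll) so a miss is visible.

```python
"""Verify a ComboFix CFScript run against the ComboFix.txt it produced.

Added example, not part of the thread or of ComboFix.  Assumptions: CFScript
sections are headed by lines ending in '::' (KillAll::, File::, Folder::, ...),
and ComboFix.txt frames its deletion list with the '((((... Other Deletions ...'
banner, ended by the next '((((' banner, as the logs in this thread show.
"""


def parse_cfscript_files(script_text):
    """Paths listed under the File:: section of a CFScript (other sections ignored)."""
    files, section = [], None
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2].lower()
            continue
        if section == "file":
            files.append(line)
    return files


def parse_combofix_deletions(log_text):
    """Path lines between the 'Other Deletions' banner and the next banner."""
    paths, inside = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("(((("):
            if inside:
                break
            inside = "other deletions" in line.lower()
            continue
        if inside and line and line != ".":
            paths.append(line)
    return paths


def _norm(path):
    # Windows paths compare case-insensitively; the logs mix system32/System32.
    return path.lower()


def _unique(paths):
    seen, out = set(), []
    for p in paths:
        if _norm(p) not in seen:
            seen.add(_norm(p))
            out.append(p)
    return out


def check(script_text, log_text):
    """Return (requested_but_not_deleted, deleted_but_not_requested)."""
    requested = parse_cfscript_files(script_text)
    deleted = parse_combofix_deletions(log_text)
    deleted_set = {_norm(p) for p in deleted}
    requested_set = {_norm(p) for p in requested}
    not_deleted = _unique(p for p in requested if _norm(p) not in deleted_set)
    unrequested = _unique(p for p in deleted if _norm(p) not in requested_set)
    return not_deleted, unrequested


# Constructed sample input: paths taken from this thread, notremoved.dll is made up.
SAMPLE_CFSCRIPT = r"""KillAll::

File::
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\System32\awvts.dll
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\ssqrsqrp.dll
C:\Documents and Settings\Mike\Application Data\mllmkjki.dll
C:\WINDOWS\System32\fhmpaues.dll
C:\WINDOWS\System32\notremoved.dll

Folder::

Registry::
"""

SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\mllmkjki.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\ssqrsqrp.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\System32\fhmpaues.dll
C:\WINDOWS\system32\stvwa.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-23 08:55 . 2008-04-23 09:01 1,540,677 ---hs---- C:\WINDOWS\system32\seuapmhf.ini
"""

if __name__ == "__main__":
    missing, extra = check(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    print("requested but not deleted:", *missing, sep="\n  ")
    print("deleted without being requested:", *extra, sep="\n  ")
```

Anything left in the first list is still on disk after the run and belongs in the next fix; the second list is ComboFix's own detections and is the part of the log to read most carefully, since it shows the infection has files the analyst had not yet seen.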

#6
Situationeer

Situationeer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Thank you again for the quick reply. I still can't connect without a proxy.

Here's the ComboFix Log:

ComboFix 08-04-22.1 - DJ MIKE A 2008-04-24 16:38:07.7 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255 [GMT -5:00]
Running from: C:\Documents and Settings\DJ MIKE A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DJ MIKE A\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Mike\Application Data\mllmkjki.dll
C:\WINDOWS\ssqrsqrp.dll
C:\WINDOWS\system32\akrrvahw.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\System32\awvts.dll
C:\WINDOWS\system32\baxllhxb.dll
C:\WINDOWS\system32\boasedts.dll
C:\WINDOWS\system32\cfmhvmib.dll
C:\WINDOWS\system32\cnrjmkla.dll
C:\WINDOWS\system32\csqrxnio.dll
C:\WINDOWS\system32\cuyhmsdk.dll
C:\WINDOWS\system32\cybxwioo.dll
C:\WINDOWS\system32\daiscsde.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddstmahl.dll
C:\WINDOWS\system32\dqtjeoxt.dll
C:\WINDOWS\system32\epuyhtdu.dll
C:\WINDOWS\System32\fhmpaues.dll
C:\WINDOWS\system32\fqusuprp.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\gomruscp.dll
C:\WINDOWS\system32\gphvtorb.dll
C:\WINDOWS\system32\gqtmwbdg.dll
C:\WINDOWS\system32\hodlbosa.dll
C:\WINDOWS\system32\iiygsrxn.dll
C:\WINDOWS\system32\ijgtojmo.dll
C:\WINDOWS\system32\ikmxfcid.dll
C:\WINDOWS\system32\irvieedr.dll
C:\WINDOWS\system32\japmishl.dll
C:\WINDOWS\system32\jasyfkyq.dll
C:\WINDOWS\system32\jtojhntd.dll
C:\WINDOWS\system32\jvkfcgpe.dll
C:\WINDOWS\system32\jwkvupio.dll
C:\WINDOWS\system32\jxeipdho.dll
C:\WINDOWS\system32\kfrcnput.ini
C:\WINDOWS\system32\lxlelyta.dll
C:\WINDOWS\system32\mctshimr.dll
C:\WINDOWS\system32\metqwyoe.dll
C:\WINDOWS\system32\mhvgboea.dll
C:\WINDOWS\system32\nsyebqiv.dll
C:\WINDOWS\system32\oggksnlg.dll
C:\WINDOWS\system32\ojmpnmip.dll
C:\WINDOWS\system32\patyypoq.dll
C:\WINDOWS\system32\qiwydgyq.dll
C:\WINDOWS\system32\qjrnhswr.dll
C:\WINDOWS\system32\qodmnedc.ini
C:\WINDOWS\system32\rufidkpu.ini
C:\WINDOWS\system32\ssbtyxws.dll
C:\WINDOWS\system32\sstttrsq.dll
C:\WINDOWS\System32\sstttrsq.dll
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\ttdwhvty.ini
C:\WINDOWS\system32\ukyjsxoj.ini
C:\WINDOWS\system32\untjcebf.dll
C:\WINDOWS\system32\vhhveqfs.dll
C:\WINDOWS\System32\vtbdqhyo.dll
C:\WINDOWS\system32\wfnifaxf.dll
C:\WINDOWS\system32\wjoarytk.dll
C:\WINDOWS\system32\wqawnlvb.ini
C:\WINDOWS\system32\wxbvlsrp.dll
C:\WINDOWS\system32\xcbfjmkj.dll
C:\WINDOWS\system32\xmjghyas.dll
C:\WINDOWS\system32\xosmafrb.dll
C:\WINDOWS\system32\ygyeumvy.dll
C:\WINDOWS\system32\ywhrfhnp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Application Data\mllmkjki.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\ssqrsqrp.dll
C:\WINDOWS\system32\akrrvahw.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\baxllhxb.dll
C:\WINDOWS\system32\boasedts.dll
C:\WINDOWS\system32\cfmhvmib.dll
C:\WINDOWS\system32\cnrjmkla.dll
C:\WINDOWS\system32\csqrxnio.dll
C:\WINDOWS\system32\cuyhmsdk.dll
C:\WINDOWS\system32\cybxwioo.dll
C:\WINDOWS\system32\daiscsde.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddstmahl.dll
C:\WINDOWS\system32\dqtjeoxt.dll
C:\WINDOWS\system32\epuyhtdu.dll
C:\WINDOWS\System32\fhmpaues.dll
C:\WINDOWS\system32\fqusuprp.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\gomruscp.dll
C:\WINDOWS\system32\gphvtorb.dll
C:\WINDOWS\system32\gqssjemo.ini
C:\WINDOWS\system32\gqtmwbdg.dll
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\hodlbosa.dll
C:\WINDOWS\system32\iiygsrxn.dll
C:\WINDOWS\system32\ijgtojmo.dll
C:\WINDOWS\system32\ikmxfcid.dll
C:\WINDOWS\system32\irvieedr.dll
C:\WINDOWS\system32\japmishl.dll
C:\WINDOWS\system32\jasyfkyq.dll
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jtojhntd.dll
C:\WINDOWS\system32\jvkfcgpe.dll
C:\WINDOWS\system32\jwkvupio.dll
C:\WINDOWS\system32\jxeipdho.dll
C:\WINDOWS\system32\kfrcnput.ini
C:\WINDOWS\system32\kxxrcctn.dll
C:\WINDOWS\system32\lqdouhsf.dll
C:\WINDOWS\system32\lxlelyta.dll
C:\WINDOWS\system32\mctshimr.dll
C:\WINDOWS\system32\metqwyoe.dll
C:\WINDOWS\system32\mhvgboea.dll
C:\WINDOWS\system32\nafoaega.dll
C:\WINDOWS\system32\nsyebqiv.dll
C:\WINDOWS\system32\oggksnlg.dll
C:\WINDOWS\system32\ojmpnmip.dll
C:\WINDOWS\system32\omejssqg.dll
C:\WINDOWS\system32\patyypoq.dll
C:\WINDOWS\system32\qiwydgyq.dll
C:\WINDOWS\system32\qjrnhswr.dll
C:\WINDOWS\system32\qodmnedc.ini
C:\WINDOWS\system32\rufidkpu.ini
C:\WINDOWS\system32\ssbtyxws.dll
C:\WINDOWS\system32\sstttrsq.dll
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\ttdwhvty.ini
C:\WINDOWS\system32\ukyjsxoj.ini
C:\WINDOWS\system32\untjcebf.dll
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\vhhveqfs.dll
C:\WINDOWS\System32\vtbdqhyo.dll
C:\WINDOWS\system32\wfnifaxf.dll
C:\WINDOWS\system32\wjoarytk.dll
C:\WINDOWS\system32\wqawnlvb.ini
C:\WINDOWS\system32\wxbvlsrp.dll
C:\WINDOWS\system32\xcbfjmkj.dll
C:\WINDOWS\system32\xmjghyas.dll
C:\WINDOWS\system32\xosmafrb.dll
C:\WINDOWS\system32\ygyeumvy.dll
C:\WINDOWS\system32\ywhrfhnp.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-23 08:55 . 2008-04-23 09:01 1,540,677 ---hs---- C:\WINDOWS\system32\seuapmhf.ini
2008-04-22 08:50 . 2008-04-22 08:50 <DIR> d---s---- C:\Documents and Settings\DJ MIKE A\UserData
2008-04-21 03:55 . 2008-04-21 03:55 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\Leadertech
2008-04-21 03:00 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-04-21 03:00 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-04-21 02:57 . 2008-04-21 02:57 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-20 13:03 . 2008-04-21 01:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 13:03 . 2008-04-20 13:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 11:56 . 2008-04-20 11:56 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\SystemRequirementsLab
2008-04-18 04:03 . 2008-04-18 04:03 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\WinAmp
2008-04-16 22:14 . 2008-04-16 22:14 <DIR> d-------- C:\Documents and Settings\DJ MIKE A\Application Data\AppDate
2008-04-15 02:52 . 2008-04-15 03:05 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-04-15 02:52 . 2008-04-15 03:05 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-15 02:51 . 2008-04-15 02:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-15 02:51 . 2008-04-15 02:51 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-04-14 19:21 . 2008-04-14 19:21 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\InstallShield
2008-04-13 12:46 . 2008-04-13 12:46 9,216 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-10 21:05 . 2008-04-10 21:05 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Nokia Multimedia Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 22:47 --------- d-----w C:\Documents and Settings\DJ MIKE A\Application Data\acccore
2008-03-09 23:01 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-09 23:01 --------- d-----w C:\Documents and Settings\Mike\Application Data\SystemRequirementsLab
2008-02-24 06:27 --------- d-----w C:\Documents and Settings\Christine\Application Data\acccore
2008-02-01 08:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-07-07 00:12 784 ----a-w C:\Documents and Settings\DJ MIKE A\Application Data\mpauth.dat
2007-06-30 06:13 784 ----a-w C:\Documents and Settings\Candice\Application Data\mpauth.dat
.

((((((((((((((((((((((((((((( [email protected]_ 8.58.21.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 13:50:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 21:55:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D980A6C-71B1-42AE-8327-F61EA152E9E4}]
2008-04-24 18:45 272384 --a------ C:\WINDOWS\System32\jkhhg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C196BF59-D6EC-491F-894A-A27DDFB43AE0}]
2008-04-24 18:45 22248 --a------ C:\WINDOWS\ddabywus.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"Steam"="D:\Program Files\Steam\Steam.exe" [ ]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAWTray"="D:\Program Files\AdAware\AAWTray.exe" [2007-08-08 15:53 88024]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"WinampAgent"="D:\Program Files\WinAmp\winampa.exe" [2008-01-15 17:54 37376]
"hgdaxxwxur"="C:\WINDOWS\System32\sstttrsq.dll" [ ]
"DAEMON Tools-1033"="D:\Program Files\DAEMON\daemon.exe" [2004-08-22 17:05 81920]
"awtqrrpmjg"="C:\WINDOWS\System32\jkhhebyw.dll" [2008-04-24 18:45 22248]
"BM13618375"="C:\WINDOWS\System32\xplxdjkv.dll" [2008-04-24 18:48 96320]
"1052b0e9"="C:\WINDOWS\System32\mdridrkf.dll" [2008-04-24 18:48 88640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
wjlm.exe [2008-02-17 02:41:40 22248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\jkhhg
Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\DJ MIKE A\Application Data\ssqpmkig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"!AVG Anti-Spyware"="D:\Program Files\AVG\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
"PCSuiteTrayApplication"=D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\System32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2001-08-18 05:00]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 12:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-18 22:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\Tune Up\SystemOptimizer.exe
"2008-02-15 01:04:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-15 03:46:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 18:44:01
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\mdridrkf.dll
-> C:\WINDOWS\System32\jkhhebyw.dll
-> C:\WINDOWS\System32\xplxdjkv.dll
-> C:\WINDOWS\System32\jkhhg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
D:\Program Files\AdAware\aawservice.exe
D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2000\TMNTSRV.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-24 18:53:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 23:52:10
ComboFix2.txt 2008-04-23 14:00:56

Pre-Run: 1,769,111,552 bytes free
Post-Run: 1,923,256,320 bytes free

288 --- E O F --- 2008-02-21 07:17:38



And the HiJackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:28 PM, on 4/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\AdAware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\AdAware\AAWTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\WinAmp\winampa.exe"
O4 - HKLM\..\Run: [hgdaxxwxur] Rundll32.exe "C:\WINDOWS\System32\sstttrsq.dll",s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\DAEMON\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [awtqrrpmjg] Rundll32.exe "C:\WINDOWS\System32\jkhhebyw.dll",s
O4 - HKLM\..\Run: [BM13618375] Rundll32.exe "C:\WINDOWS\System32\xplxdjkv.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: wjlm.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203567704609
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\AdAware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5108 bytes


Thank you!
  • 0
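The two logs in the post above show three persistence patterns that recur through this thread: Run-key values that load an eight-letter DLL through Rundll32 with an export named "s", an executable dropped in the all-users Startup folder, and extra DLLs appended to the LSA "Authentication Packages" and "Notification Packages" values (everything listed there is loaded into lsass.exe at boot, which is why mllmkjki.dll showed up inside lsass.exe in the earlier ComboFix log). The Python below is an added triage helper, not part of this thread, HijackThis or ComboFix; it runs those three checks over log lines. The sample lines are copied from the logs posted above; the random-name heuristic and the XP-default LSA baseline (msv1_0 and scecli) are assumptions an analyst adjusts for the machine in front of them.

```python
"""Triage helper for HijackThis O4 lines and ComboFix LSA lines.

Added example, not part of this thread, HijackThis or ComboFix.  Flags:
  * O4 Run-key entries that start a DLL through Rundll32 where the DLL's
    file name is 8-10 random lowercase letters (sstttrsq.dll, jkhhebyw.dll);
  * items in the all-users Startup folder (always worth a look);
  * LSA 'Authentication Packages' / 'Notification Packages' entries beyond a
    baseline (assumed XP defaults: msv1_0 and scecli); each entry is a DLL
    that lsass.exe loads at boot.
"""
import ntpath
import re

# Heuristic (assumption): 8-10 lowercase letters, no digits or capitals.
RANDOM_STEM = re.compile(r"^[a-z]{8,10}$")
O4_RUN = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_GLOBAL = re.compile(r"^O4 - Global Startup: (?P<item>.+)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
LSA = re.compile(r"^(?P<value>Authentication Packages|Notification Packages)\s+REG_MULTI_SZ\s+(?P<rest>.*)$")
# A REG_MULTI_SZ token is either a full Windows path (may contain spaces) or a bare name.
LSA_TOKEN = re.compile(r"[A-Za-z]:\\.*?(?=\s+[A-Za-z]:\\|$)|\S+")

LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}


def looks_random(path_or_name):
    """True when the file's stem matches the random-name heuristic."""
    stem, _ext = ntpath.splitext(ntpath.basename(path_or_name))
    return bool(RANDOM_STEM.match(stem))


def triage(lines, lsa_baseline=LSA_BASELINE):
    """Return (severity, reason, evidence) tuples for suspicious log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            r = RUNDLL.match(m.group("cmd"))
            if r and looks_random(r.group("dll")):
                reason = f"Rundll32 loads random-named DLL (export {r.group('export')}) from value {m.group('name')}"
                findings.append(("high", reason, r.group("dll")))
            continue
        m = O4_GLOBAL.match(line)
        if m:
            findings.append(("review", "executable in the all-users Startup folder", m.group("item")))
            continue
        m = LSA.match(line)
        if m:
            value = m.group("value")
            allowed = {b.lower() for b in lsa_baseline.get(value, set())}
            for tok in dict.fromkeys(LSA_TOKEN.findall(m.group("rest"))):  # dedupe, keep order
                if tok.lower() not in allowed:
                    findings.append(("high", f"non-baseline LSA '{value}' entry, loaded into lsass.exe", tok))
    return findings


# Sample input copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [AAWTray] D:\Program Files\AdAware\AAWTray.exe',
    r'O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"',
    r'O4 - HKLM\..\Run: [hgdaxxwxur] Rundll32.exe "C:\WINDOWS\System32\sstttrsq.dll",s',
    r'O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\DAEMON\daemon.exe" -lang 1033',
    r'O4 - HKLM\..\Run: [awtqrrpmjg] Rundll32.exe "C:\WINDOWS\System32\jkhhebyw.dll",s',
    r'O4 - HKLM\..\Run: [BM13618375] Rundll32.exe "C:\WINDOWS\System32\xplxdjkv.dll",s',
    r'O4 - Global Startup: wjlm.exe',
    r'Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\jkhhg',
    r'Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Mike\Application Data\mllmkjki.dll C:\Documents and Settings\DJ MIKE A\Application Data\ssqpmkig.dll',
]

if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LINES):
        print(f"[{severity}] {reason}: {evidence}")
```

The LSA check matters most for clean-up: deleting the DLL file without removing its name from the LSA value leaves lsass.exe trying to load it at every boot, and the ComboFix log above shows new names (jkhhg, ssqpmkig.dll) appearing in those values after the first round of deletions.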

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - App Paths, Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check, and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Check the box beside Scan All User Accounts at the top
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way
  • 0

#8
Situationeer

Situationeer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Report attached.
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You didn't seem to attach it; it may have been too big. If it is, zip the file, then try again.
  • 0

#10
Situationeer

Situationeer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
After zipping the file it came out to 536 KB. After raring the file it came out to 60 KB, but it won't let me upload a .rar file.
  • 0

#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you zip the file instead of using WinRAR?

Or host the rar file at a site like mediafire.com
  • 0

#12
Situationeer

Situationeer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I did zip it, but the file size was still too large (by 36 KB, go figure). So I just uploaded the .rar to the website you suggested.

http://www.mediafire.com/?2dm9dekg1ln
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Driver Services - Non-Microsoft Only]
YY -> (catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\ComboFix\catchme.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> awtqrrpmjg -> %SystemRoot%\System32\jkhhebyw.DLL [Rundll32.exe "C:\WINDOWS\System32\jkhhebyw.dll",s]
YY -> BM13618375 -> %SystemRoot%\System32\xplxdjkv.DLL [Rundll32.exe "C:\WINDOWS\System32\xplxdjkv.dll",s]
YN -> hgdaxxwxur -> %SystemRoot%\System32\sstttrsq.DLL [Rundll32.exe "C:\WINDOWS\System32\sstttrsq.dll",s]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Aim6 -> []
YN -> Steam -> D:\Program Files\Steam\Steam.exe ["D:\Program Files\Steam\Steam.exe" -silent]
< Run [HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\] > -> HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Aim6 -> []
YN -> Steam -> D:\Program Files\Steam\Steam.exe ["D:\Program Files\Steam\Steam.exe" -silent]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
YY -> ~EmptyValue -> %AllUsersProfile%\Start Menu\Programs\Startup\wjlm.exe
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {C196BF59-D6EC-491F-894A-A27DDFB43AE0} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\ddabywus.dll [Reg Error: Value does not exist or could not be read.]
YY -> {CCCC1C4A-FE14-40C4-91F3-E36ACDC99DB9} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\jkhhg.dll [Reg Error: Value does not exist or could not be read.]
YY -> {fdb66bd5-c857-45d3-a8c4-08b032134f5f} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\xlnpadsx.dll [Reg Error: Value does not exist or could not be read.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Search ->
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Search ->
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Search ->
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\] > -> HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\] > -> HKEY_USERS\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Search ->
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\System32\jkhhg -> %SystemRoot%\System32\jkhhg.dll
< BotCheck > ->
[Files/Folders - Created Within 90 days]
NY -> QooBox -> %SystemDrive%\QooBox
NY -> FOUND.023 -> %SystemDrive%\FOUND.023
NY -> FOUND.024 -> %SystemDrive%\FOUND.024
NY -> FOUND.016 -> %SystemDrive%\FOUND.016
NY -> FOUND.017 -> %SystemDrive%\FOUND.017
NY -> FOUND.018 -> %SystemDrive%\FOUND.018
NY -> FOUND.019 -> %SystemDrive%\FOUND.019
NY -> FOUND.020 -> %SystemDrive%\FOUND.020
NY -> FOUND.021 -> %SystemDrive%\FOUND.021
NY -> FOUND.022 -> %SystemDrive%\FOUND.022
NY -> jkhhebyw.dll -> %SystemRoot%\System32\jkhhebyw.dll
NY -> jkhhg.dll -> %SystemRoot%\System32\jkhhg.dll
NY -> ghhkj.ini -> %SystemRoot%\System32\ghhkj.ini
NY -> xplxdjkv.dll -> %SystemRoot%\System32\xplxdjkv.dll
NY -> ghhkj.ini2 -> %SystemRoot%\System32\ghhkj.ini2
NY -> seuapmhf.ini -> %SystemRoot%\System32\seuapmhf.ini
NY -> mdridrkf.dll -> %SystemRoot%\System32\mdridrkf.dll
NY -> fkrdirdm.ini -> %SystemRoot%\System32\fkrdirdm.ini
NY -> xlnpadsx.dll -> %SystemRoot%\System32\xlnpadsx.dll
NY -> ccllyhan.ini -> %SystemRoot%\System32\ccllyhan.ini
NY -> amstream.dll -> %SystemRoot%\System32\amstream.dll
NY -> tjjandlp.ini -> %SystemRoot%\System32\tjjandlp.ini
NY -> feklowlt.ini -> %SystemRoot%\System32\feklowlt.ini
NY -> uotnjfip.ini -> %SystemRoot%\System32\uotnjfip.ini
NY -> xsofpfxn.ini -> %SystemRoot%\System32\xsofpfxn.ini
NY -> tmaqiall.ini -> %SystemRoot%\System32\tmaqiall.ini
NY -> wvsbtnjv.ini -> %SystemRoot%\System32\wvsbtnjv.ini
NY -> wvwuuuuu -> %SystemRoot%\System32\wvwuuuuu
NY -> ddabywus.dll -> %SystemRoot%\ddabywus.dll
NY -> BM13618375.xml -> %SystemRoot%\BM13618375.xml
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> ssqpmkig.dll -> %AppData%\ssqpmkig.dll
NY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
NY -> wjlm.exe -> %AllUsersProfile%\Start Menu\Programs\Startup\wjlm.exe
[Files/Folders - Modified Within 90 days]
NY -> QooBox -> %SystemDrive%\QooBox
NY -> FOUND.023 -> %SystemDrive%\FOUND.023
NY -> FOUND.024 -> %SystemDrive%\FOUND.024
NY -> FOUND.016 -> %SystemDrive%\FOUND.016
NY -> FOUND.017 -> %SystemDrive%\FOUND.017
NY -> FOUND.018 -> %SystemDrive%\FOUND.018
NY -> FOUND.019 -> %SystemDrive%\FOUND.019
NY -> FOUND.020 -> %SystemDrive%\FOUND.020
NY -> FOUND.021 -> %SystemDrive%\FOUND.021
NY -> jkhhebyw.dll -> %SystemRoot%\System32\jkhhebyw.dll
NY -> jkhhg.dll -> %SystemRoot%\System32\jkhhg.dll
NY -> ghhkj.ini -> %SystemRoot%\System32\ghhkj.ini
NY -> xplxdjkv.dll -> %SystemRoot%\System32\xplxdjkv.dll
NY -> ghhkj.ini2 -> %SystemRoot%\System32\ghhkj.ini2
NY -> seuapmhf.ini -> %SystemRoot%\System32\seuapmhf.ini
NY -> fkrdirdm.ini -> %SystemRoot%\System32\fkrdirdm.ini
NY -> xlnpadsx.dll -> %SystemRoot%\System32\xlnpadsx.dll
NY -> ccllyhan.ini -> %SystemRoot%\System32\ccllyhan.ini
NY -> tjjandlp.ini -> %SystemRoot%\System32\tjjandlp.ini
NY -> feklowlt.ini -> %SystemRoot%\System32\feklowlt.ini
NY -> uotnjfip.ini -> %SystemRoot%\System32\uotnjfip.ini
NY -> xsofpfxn.ini -> %SystemRoot%\System32\xsofpfxn.ini
NY -> tmaqiall.ini -> %SystemRoot%\System32\tmaqiall.ini
NY -> wvsbtnjv.ini -> %SystemRoot%\System32\wvsbtnjv.ini
NY -> wvwuuuuu -> %SystemRoot%\System32\wvwuuuuu
NY -> ddabywus.dll -> %SystemRoot%\ddabywus.dll
NY -> wp40yzpk.exe -> C:\Documents and Settings\DJ MIKE A\Local Settings\Temp\wp40yzpk.exe
NY -> s2quwofq.exe -> C:\Documents and Settings\DJ MIKE A\Local Settings\Temp\s2quwofq.exe
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> ssqpmkig.dll -> %AppData%\ssqpmkig.dll
NY -> wjlm.exe -> %AllUsersProfile%\Start Menu\Programs\Startup\wjlm.exe
[File - Lop Check: Additional Folder Scans - Non-Microsoft Only]
NY -> uorxrqv8.default -> C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\uorxrqv8.default
[File - Purity Scan: Additional Folder Scans - Non-Microsoft Only]
NY -> ??sks -> C:\Program Files\Τаsks
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.




Then do this


Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
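The fix listing above has a regular layout: a section header in square brackets, followed by entries of the form "flag -> name -> path". Two details in it are worth learning to spot in any such listing: the Purity Scan entry, where the name column shows "??sks" while the path carries a folder spelled with non-ASCII letters that look like "Tasks", and the run of eight-letter DLL/INI names in System32. As an added example, not code from the post or from the OTScanIt tool, the Python script below parses a listing in that layout and ranks entries for review: it reports the Unicode character names behind any non-ASCII path component, and flags executables in Temp and Startup locations and eight-lowercase-letter file names. The sample listing is constructed to mirror the post's lines (with a placeholder profile name and the lookalike folder built from explicit code points); the two-letter flag is carried through but not interpreted, and the eight-letter rule is a heuristic of this example, not a rule of the tool.

```python
"""Triage helper for OTScanIt-style fix listings (added example; not from the post).

Assumed layout, taken from the lines in the post: a section header in square
brackets, then entries of the form "<flag> -> <name> -> <path>", where <flag>
is two capital letters (left uninterpreted here).
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample that mirrors the post's listing. The profile name "User"
# is a placeholder, and the Purity Scan folder is built from explicit code
# points (Greek capital Tau, Cyrillic small a) so the lookalike is visible.
SAMPLE_LISTING = "\n".join([
    r"[Files/Folders - Created Within 90 days]",
    r"NY -> jkhhebyw.dll -> %SystemRoot%\System32\jkhhebyw.dll",
    r"NY -> seuapmhf.ini -> %SystemRoot%\System32\seuapmhf.ini",
    r"NY -> ghhkj.ini -> %SystemRoot%\System32\ghhkj.ini",
    r"NY -> amstream.dll -> %SystemRoot%\System32\amstream.dll",
    r"[Files Created - Additional Folder Scans - Non-Microsoft Only]",
    r"NY -> wjlm.exe -> %AllUsersProfile%\Start Menu\Programs\Startup\wjlm.exe",
    r"[Files/Folders - Modified Within 90 days]",
    r"NY -> wp40yzpk.exe -> C:\Documents and Settings\User\Local Settings\Temp\wp40yzpk.exe",
    r"[File - Purity Scan: Additional Folder Scans - Non-Microsoft Only]",
    "NY -> ??sks -> C:\\Program Files\\" + "\u03a4\u0430sks",
])

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r"^([A-Z]{2}) -> (.+?) -> (.+)$")
# Heuristic of this example only: the eight-lowercase-letter names seen in the listing.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|ini|ini2)$")


@dataclass
class Entry:
    section: str
    flag: str
    name: str
    path: str


def parse_listing(text: str) -> list[Entry]:
    """Split a listing into Entry records tagged with their section header."""
    section = ""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            flag, name, path = m.groups()
            entries.append(Entry(section, flag, name, path))
    return entries


def non_ascii_chars(s: str) -> list[tuple[str, str]]:
    """Return (character, Unicode name) for every non-ASCII character in s."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in s if ord(c) > 127]


def triage(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Attach review reasons to entries; entries with no reason are dropped."""
    findings = []
    for e in entries:
        reasons = []
        odd = non_ascii_chars(e.path)
        if odd:
            names = ", ".join(f"{c!r}={n}" for c, n in odd)
            reasons.append(f"non-ASCII characters in path ({names}): possible lookalike name")
        base = e.path.rsplit("\\", 1)[-1]
        if RANDOM_NAME_RE.match(base):
            reasons.append("eight-letter name in the style of the randomly named DLL/INI pairs")
        if "\\Temp\\" in e.path and base.lower().endswith(".exe"):
            reasons.append("executable in a Temp folder")
        if "\\Start Menu\\Programs\\Startup\\" in e.path:
            reasons.append("auto-start location")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(parse_listing(SAMPLE_LISTING)):
        print(f"[{entry.section}] {entry.path}")
        for r in reasons:
            print("   -", r)
```

Run it and the Purity Scan entry is reported with the character names GREEK CAPITAL LETTER TAU and CYRILLIC SMALL LETTER A, which is the whole trick behind a folder that reads "Tasks" in Explorer. The eight-letter rule is deliberately crude: it also catches amstream.dll, a name that belongs to a well-known Windows component, so the output is a review queue for a human, not a verdict.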

#14
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.