Trojan


#1 w00tOwnage (New Member, 2 posts)
I got one of those 'Is this picture of you ok to upload to myspace' files that get sent through MSN, and it started sending itself to my contacts. My virus scan must have missed it. Anyway, I saw an older thread that said to run ComboFix and HijackThis and post the logs; the logs of both are below.

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:25 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\cahrtn.exe
C:\WINDOWS\system32\uaylej.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Chessware\TouchIt\TouchIts.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\touchitw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\mIRC\mIRC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: (no name) - {593D3A52-4706-4C3F-8903-B8DCF56A8074} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A6984C00-C6EB-11D4-B4A4-080000180323} - C:\PROGRA~1\Rapidown\rapi310.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {c5df9448-d20a-4a5b-9f2e-7f00e1d2bcb3} - C:\WINDOWS\system32\wnjqtxhr.dll (file missing)
O2 - BHO: (no name) - {d0d784a2-974f-4ced-8272-a5888c78e318} - C:\WINDOWS\system32\jamklhlx.dll (file missing)
O2 - BHO: BrowsingAdvisor - {F1E96EDC-E0C8-BE98-1F15-C29DBED83B53} - C:\Program Files\BrowsingAdvisor\BrowsingAdvisor-2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Touch-It] C:\Program Files\Chessware\TouchIt\TouchIt.exe
O4 - HKLM\..\Run: [Burn Dvd Mail More] C:\Documents and Settings\All Users\Application Data\Part title burn dvd\fast open.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [zhm] C:\WINDOWS\system32\zhm.exe
O4 - HKLM\..\Run: [kd] C:\WINDOWS\system32\kd.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [cahrtn] C:\WINDOWS\system32\cahrtn.exe
O4 - HKLM\..\Run: [wjmipukhhpf] C:\WINDOWS\system32\wjmipukhhpf.exe
O4 - HKLM\..\Run: [close surf mail dupe] C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\Kind Extra.exe
O4 - HKLM\..\Run: [uaylej] C:\WINDOWS\system32\uaylej.exe
O4 - HKLM\..\RunServices: [cahrtn] C:\WINDOWS\system32\cahrtn.exe
O4 - HKLM\..\RunServices: [uaylej] C:\WINDOWS\system32\uaylej.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [meow hold] C:\DOCUME~1\Chris\APPLIC~1\DOWNLO~1\softbook.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PlayNC Launcher] C:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Baixar com o Rapidown... - C:\Program Files\Rapidown\rapidownGet.htm
O8 - Extra context menu item: Baixar tudo com o Rapidown... - C:\Program Files\Rapidown\rapidownGetAll.htm
O8 - Extra context menu item: Download all by Rapidown... - C:\Program Files\Rapidown\rapidownGetAll.htm
O8 - Extra context menu item: Download by Rapidown... - C:\Program Files\Rapidown\rapidownGet.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\rapidown.exe (file missing)
O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\Program Files\Rapidown\rapidown.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Locate - {B6F776D7-C231-11D4-8158-005004ADEFCA} - C:\Program Files\Software River Solutions\Visual WhoIs 2004\srstools.dll
O9 - Extra 'Tools' menuitem: Locate Using Visual WhoIs 2004 - {B6F776D7-C231-11D4-8158-005004ADEFCA} - C:\Program Files\Software River Solutions\Visual WhoIs 2004\srstools.dll
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C6B8A039-7350-42CB-ACF2-CDBB0E598EB0} - http://search.msn.com/s/p4/p4dw.cab?ver=
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - Winlogon Notify: qomkjgf - qomkjgf.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Amazon Unbox Video Service (nua1ae7uoydpi5z7) - Unknown owner - C:\WINDOWS\system32\uaylej.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Touch-It Virtual Keyboard (TouchIt) - Chessware SA - C:\Program Files\Chessware\TouchIt\TouchIts.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Print Spooler Service (xo2leiau) - Unknown owner - C:\WINDOWS\system32\kd.exe

--
End of file - 12950 bytes

ComboFix Log

ComboFix 08-05-01.3 - Chris 2008-05-03 20:15:29.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.205 [GMT -4:00]
Running from: C:\Documents and Settings\Chris\Desktop\New Folder (3)\ComboFix.exe.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-04-04 to 2008-05-04  )))))))))))))))))))))))))))))))
.

2008-05-03 20:12 . 2008-05-03 20:12	<DIR>	d--------	C:\Program Files\Trend Micro
2008-05-03 19:36 . 2008-05-03 19:36	<DIR>	d--------	C:\_OTMoveIt
2008-05-03 18:49 . 2008-05-03 18:49	245,760	--a------	C:\WINDOWS\system32\uaylej.exe
2008-05-03 15:08 . 2008-05-03 15:10	<DIR>	d--------	C:\Program Files\NCSoft
2008-05-03 15:07 . 2008-05-03 15:07	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\GetRightToGo
2008-05-03 09:55 . 2008-05-03 10:16	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\GarageGames
2008-04-29 17:42 . 2004-05-17 15:27	25,088	--a------	C:\Documents and Settings\Chris\xxpoof.exe
2008-04-29 02:47 . 2008-04-29 02:47	<DIR>	d--------	C:\Program Files\Download Mode Ball
2008-04-21 19:17 . 2008-04-21 19:17	159,744	--a------	C:\WINDOWS\system32\ognno.exe
2008-04-20 18:06 . 2008-04-20 18:06	159,744	--a------	C:\WINDOWS\system32\wjmipukhhpf.exe
2008-04-20 13:11 . 2008-04-20 13:11	<DIR>	d--------	C:\Program Files\Common Files\L&H
2008-04-20 13:09 . 2008-04-20 13:09	<DIR>	d--------	C:\Program Files\Microsoft ActiveSync
2008-04-20 13:07 . 2008-04-20 13:07	<DIR>	d--------	C:\Program Files\Microsoft Works
2008-04-20 13:06 . 2008-04-20 13:10	<DIR>	d--------	C:\WINDOWS\SHELLNEW
2008-04-20 13:05 . 2008-04-20 13:05	<DIR>	d--------	C:\Program Files\Microsoft.NET
2008-04-20 13:01 . 2008-04-20 13:01	<DIR>	dr-h-----	C:\MSOCache
2008-04-13 19:00 . 2008-04-13 19:00	159,744	--a------	C:\WINDOWS\system32\cahrtn.exe
2008-04-13 12:32 . 2008-04-13 12:32	<DIR>	d--------	C:\Program Files\TextPad 5
2008-04-13 12:32 . 2008-04-13 12:32	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\Helios
2008-04-11 20:39 . 2008-04-11 20:39	<DIR>	d--------	C:\Program Files\inKline Global
2008-04-11 16:44 . 2006-06-21 05:12	<DIR>	d--------	C:\Documents and Settings\LogMeInRemoteUser\WINDOWS
2008-04-11 16:44 . 2008-04-12 14:01	<DIR>	d--------	C:\Documents and Settings\LogMeInRemoteUser
2008-04-11 16:44 . 2008-05-03 19:42	1,024	--ah-----	C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG
2008-04-11 14:51 . 2007-11-15 18:46	83,288	--a------	C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-04-11 14:51 . 2007-08-03 15:09	46,112	--a------	C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-04-11 14:51 . 2007-11-15 18:46	21,496	--a------	C:\WINDOWS\system32\LMIport.dll
2008-04-11 14:50 . 2008-05-03 14:19	<DIR>	d--------	C:\Program Files\LogMeIn
2008-04-11 14:50 . 2007-11-15 18:46	87,352	--a------	C:\WINDOWS\system32\LMIinit.dll
2008-04-11 14:50 . 2008-04-11 14:50	1,024	--a------	C:\.rnd
2008-04-10 14:41 . 2008-04-10 14:41	<DIR>	d--------	C:\Program Files\Software River Solutions
2008-04-10 14:40 . 2008-04-10 14:40	<DIR>	d--------	C:\WINDOWS\Downloaded Installations
2008-04-10 14:35 . 2008-04-10 15:24	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\Active Whois
2008-04-10 14:34 . 2008-04-10 14:35	<DIR>	d--------	C:\Program Files\Active Whois
2008-04-10 02:00 . 2003-08-16 19:27	27,136	--a------	C:\Documents and Settings\Chris\sin.exe
2008-04-09 21:10 . 2008-04-26 18:55	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\GPass
2008-04-09 21:03 . 2007-09-03 16:20	11,264	--a------	C:\Documents and Settings\Chris\ircaids.exe
2008-04-09 16:05 . 2008-04-09 16:05	<DIR>	d--------	C:\Program Files\Fiddler2
2008-04-06 13:22 . 2004-03-09 01:00	212,240	--a------	C:\WINDOWS\system32\richtx32.OCX
2008-04-06 12:05 . 2008-04-06 12:05	<DIR>	d--------	C:\Program Files\Windows Live Toolbar
2008-04-06 12:05 . 2008-04-06 12:05	<DIR>	d--------	C:\Program Files\Windows Live Favorites

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 00:19	---------	d-----w	C:\Documents and Settings\Chris\Application Data\mIRC
2008-05-04 00:05	---------	d-----w	C:\Program Files\mIRC
2008-05-03 19:08	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-05-03 15:34	---------	d-----w	C:\Program Files\BrowsingAdvisor
2008-04-30 22:32	---------	d-----w	C:\Program Files\Windows Live Safety Center
2008-04-29 06:49	---------	d-----w	C:\Documents and Settings\Chris\Application Data\Download Mode Ball
2008-04-29 06:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf
2008-04-27 21:30	---------	d-----w	C:\Program Files\FrostWire
2008-04-27 15:13	---------	d-----w	C:\Program Files\Winamp
2008-04-27 15:11	---------	d-----w	C:\Documents and Settings\Chris\Application Data\Winamp
2008-04-27 04:42	---------	d-----w	C:\Program Files\PowerArchiver
2008-04-17 12:13	---------	d-----w	C:\Program Files\Audiosurf
2008-04-15 03:31	---------	d-----w	C:\Program Files\StuffPlug3
2008-04-14 21:23	---------	d-----w	C:\Documents and Settings\Chris\Application Data\FrostWire
2008-04-12 02:45	---------	d-----w	C:\Program Files\MSN Messenger
2008-04-12 02:45	---------	d-----w	C:\Program Files\Messenger Plus! Live
2008-04-12 02:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Part title burn dvd
2008-04-09 20:41	---------	d-----w	C:\Documents and Settings\Chris\Application Data\Azureus
2008-04-09 11:27	---------	d-----w	C:\Program Files\MessengerDiscovery
2008-04-06 16:02	---------	dcsh--w	C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-06 15:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-05 13:17	---------	d-----w	C:\Program Files\Java
2008-04-02 20:43	---------	d-----w	C:\Program Files\Google Hacks
2008-04-01 19:01	---------	d-----w	C:\Program Files\FBrowsingAdvisor
2008-03-28 20:41	---------	d-----w	C:\Program Files\Arpton11a
2008-03-27 20:33	13	----a-w	C:\Documents and Settings\Chris\bs.dat
2008-03-26 01:08	---------	d-----w	C:\Program Files\FBrowserAdvisor
2008-03-21 04:34	---------	d-----w	C:\Program Files\Opera
2008-03-20 08:05	---------	d-----w	C:\Documents and Settings\Chris\Application Data\Atari
2008-03-20 08:02	43,520	----a-w	C:\WINDOWS\system32\CmdLineExt03.dll
2008-03-20 08:01	---------	d-----w	C:\Documents and Settings\Chris\Application Data\Leadertech
2008-03-20 07:48	---------	d-----w	C:\Program Files\Atari
2008-03-20 00:24	159,744	----a-w	C:\WINDOWS\system32\zhm.exe
2008-03-20 00:24	159,744	----a-w	C:\WINDOWS\system32\kd.exe
2008-03-19 09:47	1,845,248	----a-w	C:\WINDOWS\system32\win32k.sys
2008-03-17 22:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-17 22:25	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-03-17 22:17	---------	d-----w	C:\Program Files\Eidos
2008-03-17 16:56	---------	d-----w	C:\Documents and Settings\Chris\Application Data\DMCache
2008-03-17 02:56	---------	d-----w	C:\Program Files\Geometry Wars for XP
2008-03-16 07:01	---------	d-----w	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-16 04:36	---------	d-----w	C:\Program Files\RapidLeecher Ultimate 2007
2008-03-16 02:01	---------	d-----w	C:\Program Files\HP
2008-03-16 02:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\HP
2008-03-16 01:59	---------	d-----w	C:\Program Files\Common Files\HP
2008-03-16 01:55	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-03-16 01:53	---------	d-----w	C:\Program Files\Common Files\Hewlett-Packard
2008-03-13 20:55	---------	d-----w	C:\Program Files\DivoCodec
2008-03-12 12:16	---------	d-----w	C:\Program Files\Xvid
2008-03-12 12:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ConeXware
2008-03-12 11:46	---------	d-----w	C:\Program Files\12Ghosts
2008-03-12 11:29	---------	d-----w	C:\Program Files\MediaCoder
2008-03-06 20:49	---------	d-----w	C:\Program Files\Windows Live
2008-03-01 13:06	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51	282,624	----a-w	C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32	45,568	----a-w	C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 13:51	41,984	----a-w	C:\WINDOWS\system32\YGWUninstaller.exe
2008-02-11 22:11	151,552	----a-w	C:\WINDOWS\system32\nvRegDev.dll
2008-02-05 20:24	2,560	----a-w	C:\WINDOWS\_MSRSTRT.EXE
2007-11-27 22:02	208,896	----a-w	C:\Documents and Settings\Chris\readdxt.exe
2007-11-13 04:05	5,759	----a-w	C:\Program Files\install.log
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{593D3A52-4706-4C3F-8903-B8DCF56A8074}]
			C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5df9448-d20a-4a5b-9f2e-7f00e1d2bcb3}]
			C:\WINDOWS\system32\wnjqtxhr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d0d784a2-974f-4ced-8272-a5888c78e318}]
			C:\WINDOWS\system32\jamklhlx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1E96EDC-E0C8-BE98-1F15-C29DBED83B53}]
2007-12-30 16:49	1019904	--a------	C:\Program Files\BrowsingAdvisor\BrowsingAdvisor-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"meow hold"="C:\DOCUME~1\Chris\APPLIC~1\DOWNLO~1\softbook.exe" [2008-04-29 02:47 405504]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 16:02 495616]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"PlayNC Launcher"="C:\Program Files\NCSoft\Launcher\NCLauncher.exe" [2008-04-21 11:59 38128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-11 21:40 1236992]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 10:20 413696 C:\WINDOWS\stsystra.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 18:14 504080]
"Touch-It"="C:\Program Files\Chessware\TouchIt\TouchIt.exe" [2008-02-14 13:30 1484288]
"Burn Dvd Mail More"="C:\Documents and Settings\All Users\Application Data\Part title burn dvd\fast open.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"zhm"="C:\WINDOWS\system32\zhm.exe" [2008-03-19 20:24 159744]
"kd"="C:\WINDOWS\system32\kd.exe" [2008-03-19 20:24 159744]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"PC Booster"="C:\Program Files\inKline Global\PC Booster\pcbooster.exe" [2007-11-30 17:16 14450688]
"cahrtn"="C:\WINDOWS\system32\cahrtn.exe" [2008-04-13 19:00 159744]
"wjmipukhhpf"="C:\WINDOWS\system32\wjmipukhhpf.exe" [2008-04-20 18:06 159744]
"close surf mail dupe"="C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\Kind Extra.exe" [2008-05-03 19:58 3537408]
"uaylej"="C:\WINDOWS\system32\uaylej.exe" [2008-05-03 18:49 245760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"cahrtn"="C:\WINDOWS\system32\cahrtn.exe" [2008-04-13 19:00 159744]
"uaylej"="C:\WINDOWS\system32\uaylej.exe" [2008-05-03 18:49 245760]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomkjgf]
qomkjgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-05 16:33 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\Program Files\\XBC\\neXBC.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"C:\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Dynamix\\TRIBES\\Tribes.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\Halo Custom Edition.exe"=
"C:\\Documents and Settings\\Chris\\Application Data\\GarageGames\\IAPlayer\\products\\7000\\install\\Zap.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=

R2 ACEDRV06;ACEDRV06;C:\WINDOWS\system32\drivers\ACEDRV06.sys [2007-11-11 18:01]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 TouchIt;Touch-It Virtual Keyboard;C:\Program Files\Chessware\TouchIt\TouchIts.exe [2008-02-01 15:14]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 nua1ae7uoydpi5z7;Amazon Unbox Video Service;C:\WINDOWS\system32\uaylej.exe [2008-05-03 18:49]
S2 xo2leiau;Print Spooler Service;C:\WINDOWS\system32\kd.exe [2008-03-19 20:24]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 16:22]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

*Newly Created Service* - NUA1AE7UOYDPI5Z7
.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 00:00:01 C:\WINDOWS\Tasks\2D5EA867B43686F3.job"
- c:\docume~1\chris\applic~1\downlo~1\admin live curb.exe
"2008-05-03 23:25:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 20:20:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 18

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
Completion time: 2008-05-03 20:23:09
ComboFix-quarantined-files.txt  2008-05-04 00:22:56
ComboFix2.txt  2008-05-04 00:04:35

Pre-Run: 22,855,331,840 bytes free
Post-Run: 22,841,729,024 bytes free

244	--- E O F ---	2008-04-22 07:04:21

Any help is appreciated.
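
The following is an added example, not part of the original thread or of HijackThis/ComboFix themselves: a small Python script that applies the checks a log helper would otherwise run by eye over the two logs above. It parses O2/O4/O20/O23 entries from a HijackThis log and the "Files Created" section of a ComboFix log, then flags entries that point at missing files, have machine-generated-looking names, were created recently, use the Windows 9x RunServices key, auto-start from a data directory, or are services with no vendor info living in system32 under a display name borrowed from a real Windows service. The input lines are copied from the logs posted above (with ComboFix's tabs replaced by spaces); the KNOWN_SYSTEM allowlist and the IMPERSONATED_SERVICES table are small illustrative assumptions, not a real database.

```python
import ntpath
import re
from collections import namedtuple

# Input 1: a subset of the HijackThis log posted above.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {593D3A52-4706-4C3F-8903-B8DCF56A8074} - C:\WINDOWS\system32\mllmj.dll (file missing)
O4 - HKLM\..\Run: [zhm] C:\WINDOWS\system32\zhm.exe
O4 - HKLM\..\Run: [cahrtn] C:\WINDOWS\system32\cahrtn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [close surf mail dupe] C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\Kind Extra.exe
O4 - HKLM\..\RunServices: [uaylej] C:\WINDOWS\system32\uaylej.exe
O20 - Winlogon Notify: qomkjgf - qomkjgf.dll (file missing)
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: Amazon Unbox Video Service (nua1ae7uoydpi5z7) - Unknown owner - C:\WINDOWS\system32\uaylej.exe
O23 - Service: Print Spooler Service (xo2leiau) - Unknown owner - C:\WINDOWS\system32\kd.exe
"""
# Input 2: a subset of ComboFix's "Files Created" section above (tabs replaced by spaces).
COMBOFIX_LOG = r"""
2008-05-03 20:12 . 2008-05-03 20:12  <DIR>  d--------  C:\Program Files\Trend Micro
2008-05-03 18:49 . 2008-05-03 18:49  245,760  --a------  C:\WINDOWS\system32\uaylej.exe
2008-04-21 19:17 . 2008-04-21 19:17  159,744  --a------  C:\WINDOWS\system32\ognno.exe
2008-04-13 19:00 . 2008-04-13 19:00  159,744  --a------  C:\WINDOWS\system32\cahrtn.exe
"""

Finding = namedtuple("Finding", "kind path reasons")
# Assumed allowlist of XP binaries that fail the vowel test below (a real one is far longer), and an
# assumed table of service display names malware borrows, mapped to the binary that really owns them.
KNOWN_SYSTEM = {"svchost", "ctfmon", "smss", "lsass", "csrss", "spoolsv", "dllhost"}
IMPERSONATED_SERVICES = {"print spooler": "spoolsv.exe"}
SERVICE_RE = re.compile(r"^Service: (.+?)(?: \(([^()]+)\))? - (.+?) - (.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+\s+[\d,]+\s+\S+\s+(.+)$")


def looks_generated(name):
    """Crude test for machine-generated names: letters mixed with digits, or almost no vowels."""
    s = name.lower()
    if len(s) < 3 or not s.isalnum() or s in KNOWN_SYSTEM:
        return False
    letters = sum(c.isalpha() for c in s)
    if 4 <= letters < len(s):                      # nua1ae7uoydpi5z7, xo2leiau
        return True
    vowels = sum(c in "aeiouy" for c in s)
    return letters > 0 and vowels / letters < 0.2  # cahrtn, qomkjgf, mllmj, zhm


def extract_path(kind, body):
    """Pull the file path out of an entry body, dropping status flags, quotes and arguments."""
    body = body.replace("(file missing)", "").replace("(no file)", "").strip()
    body = body.split("] ", 1)[-1] if kind == "O4" else body.rsplit(" - ", 1)[-1]
    m = re.match(r'^"?(.*?\.(?:exe|dll|sys|ocx))', body, re.I)
    return m.group(1) if m else body


def recently_created(combofix_text):
    """Map lowercased path -> creation timestamp from ComboFix's 'Files Created' section (files only)."""
    return {m.group(2).strip().lower(): m.group(1)
            for m in map(CREATED_RE.match, combofix_text.splitlines()) if m}


def triage(hjt_text, combofix_text=""):
    """Return a Finding for every O2/O4/O20/O23 entry that trips one or more heuristics."""
    created = recently_created(combofix_text)
    findings = []
    for line in hjt_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m or m.group(1) not in ("O2", "O4", "O20", "O23"):
            continue
        kind, body = m.groups()
        path = extract_path(kind, body)
        base = ntpath.basename(path)
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("missing-file")              # leftover entry, or a component hidden from the scanner
        if looks_generated(base.rsplit(".", 1)[0]):
            reasons.append("generated-name")
        if path.lower() in created:
            reasons.append("recently-created")          # new on disk and already auto-starting
        if kind == "O4" and "RunServices" in body:
            reasons.append("runservices")               # Windows 9x key; XP software does not use it
        if kind == "O4" and "\\application data\\" in path.lower():
            reasons.append("data-dir-autostart")        # installed software normally lives in Program Files
        sm = SERVICE_RE.match(body) if kind == "O23" else None
        if sm:
            display, short, owner, _ = sm.groups()
            if short and looks_generated(short):
                reasons.append("generated-service-name")
            if owner == "Unknown owner" and "\\system32\\" in path.lower():
                reasons.append("no-vendor-system32")    # no version info, yet sits beside system files
            for needle, real in IMPERSONATED_SERVICES.items():
                if needle in display.lower() and base.lower() != real:
                    reasons.append("impersonates-" + real)
        if reasons:
            findings.append(Finding(kind, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, COMBOFIX_LOG):
        print(f"{f.kind:<4}{f.path}\n    -> {', '.join(f.reasons)}")
```

Run as-is it reports eight entries and stays quiet on the Adobe BHO, ctfmon.exe and the eTrust service. Two things worth noticing: uaylej.exe is never caught by the name test (it has plenty of vowels), only by the RunServices key, the missing vendor info and its creation time, so no single heuristic is enough; and a name-only test would flag svchost.exe and ctfmon.exe without the allowlist, which is why the people answering these threads compare against databases of known files rather than trusting heuristics alone.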

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello w00tOwnage

Welcome to G2Go. :)
=====================
Download SDFix and save it to your Desktop.

Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Then please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


#3 w00tOwnage (Topic Starter)
Well, I would, except my computer refuses to go into Safe Mode. I tried, and a bunch of lines of code come up on the screen, and then it doesn't do anything.

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
OK, please, there is no need to put this in Code boxes; just post it how it is.
Thanks.
============
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

