Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hijack this log [CLOSED]


  • This topic is locked This topic is locked

#1
7amo0dy

7amo0dy

    New Member

  • Member
  • Pip
  • 3 posts
hello

help me , i have a trojan




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:38:04 م, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zindy.zon...orial_index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [www.shark-project.info] "C:\WINDOWS\SharK Server.cmd"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [c400c8a1] rundll32.exe "C:\WINDOWS\system32\oeykfyma.dll",b
O4 - HKLM\..\Run: [BMc733fb3d] Rundll32.exe "C:\WINDOWS\system32\acscrike.dll",s
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The sharK Project] "C:\WINDOWS\SharK Server.cmd"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1547161642-2052111302-725345543-1004\..\Run: [www.shark-project.info] "C:\WINDOWS\SharK Server.cmd" (User 'home')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to New Text Document.lnk = C:\Documents and Settings\ABC\Desktop\New Text Document.txt
O4 - Global Startup: lsass.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4398 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
7amo0dy

7amo0dy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hijack This :-

sorry for the late reply ... here's the log :-



ComboFix 08-05-15.3 - ABC 05/16/2008 16:32:48.1 - NTFSx86
Running from: C:\Documents and Settings\ABC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ABC\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\ABC\Application Data\ShoppingReport
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\home\Application Data\ShoppingReport
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Funny UST Scandal.avi.exe
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\smss.exe
C:\WINDOWS\.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\cookies.ini
C:\WINDOWS\Funny UST Scandal.exe
C:\WINDOWS\killer.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\28463
C:\WINDOWS\system32\28463\AKV.exe
C:\WINDOWS\system32\28463\YMGY.001
C:\WINDOWS\system32\28463\YMGY.003
C:\WINDOWS\system32\28463\YMGY.004
C:\WINDOWS\system32\28463\YMGY.006
C:\WINDOWS\system32\28463\YMGY.007
C:\WINDOWS\system32\28463\YMGY.009
C:\WINDOWS\system32\28463\YMGY.chm
C:\WINDOWS\system32\28463\YMGY.exe
C:\WINDOWS\system32\abbfkmvp.exe
C:\WINDOWS\system32\acscrike.dll
C:\WINDOWS\system32\amjyvenm.exe
C:\WINDOWS\system32\amyfkyeo.ini
C:\WINDOWS\system32\appbsxaw.ini
C:\WINDOWS\system32\aqmhppms.exe
C:\WINDOWS\system32\asmsjuia.exe
C:\WINDOWS\system32\atwjcxlr.exe
C:\WINDOWS\system32\bebclxpn.dll
C:\WINDOWS\system32\bngbmqrw.ini
C:\WINDOWS\system32\bntvpjgj.ini
C:\WINDOWS\system32\btvlenxu.ini
C:\WINDOWS\system32\caibnoso.ini
C:\WINDOWS\system32\ckmjbxsm.dll
C:\WINDOWS\system32\cmnihapc.dll
C:\WINDOWS\system32\cmqlreuv.dll
C:\WINDOWS\system32\daelovrk.dll
C:\WINDOWS\system32\dcvpwyyp.ini
C:\WINDOWS\system32\ddcYsRJC.dll
C:\WINDOWS\system32\dplqxvju.dll
C:\WINDOWS\system32\dtbwosdo.ini
C:\WINDOWS\system32\duajqwts.dll
C:\WINDOWS\system32\dweuxerk.ini
C:\WINDOWS\system32\edxhxsjl.exe
C:\WINDOWS\system32\eotxflga.exe
C:\WINDOWS\system32\eoygivkj.dll
C:\WINDOWS\system32\epajjoxn.dll
C:\WINDOWS\system32\eqsvanul.dll
C:\WINDOWS\system32\eqyjoauk.exe
C:\WINDOWS\system32\ervagcjs.ini
C:\WINDOWS\system32\foinefvt.ini
C:\WINDOWS\system32\gbodpmja.dll
C:\WINDOWS\system32\goallloy.exe
C:\WINDOWS\system32\grqqtthv.ini
C:\WINDOWS\system32\ibwaxktv.dll
C:\WINDOWS\system32\ilgexioa.dll
C:\WINDOWS\system32\jcorlpnm.ini
C:\WINDOWS\system32\jgjpvtnb.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jolsuhqs.dll
C:\WINDOWS\system32\jtlufpgk.exe
C:\WINDOWS\system32\jxhfiaaf.exe
C:\WINDOWS\system32\kgkpbrql.ini
C:\WINDOWS\system32\knxpnslg.exe
C:\WINDOWS\system32\krexuewd.dll
C:\WINDOWS\system32\krvolead.ini
C:\WINDOWS\system32\lobqmnsc.dll
C:\WINDOWS\system32\lqhhpjfh.exe
C:\WINDOWS\system32\lujwfwbm.dll
C:\WINDOWS\system32\lunavsqe.ini
C:\WINDOWS\system32\lvaniymx.dll
C:\WINDOWS\system32\mbwfwjul.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\misviuii.exe
C:\WINDOWS\system32\mivdoaox.dll
C:\WINDOWS\system32\mkmfiwfi.dll
C:\WINDOWS\system32\nyslnfef.exe
C:\WINDOWS\system32\odsowbtd.dll
C:\WINDOWS\system32\oeykfyma.dll
C:\WINDOWS\system32\orcnrppt.ini
C:\WINDOWS\system32\oxocarsu.dll
C:\WINDOWS\system32\oycstlje.dll
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\pqstv.ini2
C:\WINDOWS\system32\pyejrrwg.dll
C:\WINDOWS\system32\pyywpvcd.dll
C:\WINDOWS\system32\qhaddpja.exe
C:\WINDOWS\system32\qymmnwyc.ini
C:\WINDOWS\system32\remjpqno.dll
C:\WINDOWS\system32\rkoncchj.exe
C:\WINDOWS\system32\sjcgavre.dll
C:\WINDOWS\system32\sjtdpmbo.dll
C:\WINDOWS\system32\skrfwruk.dll
C:\WINDOWS\system32\sntrmwal.exe
C:\WINDOWS\system32\sqhusloj.ini
C:\WINDOWS\system32\svareiau.dll
C:\WINDOWS\system32\swyxhgjl.exe
C:\WINDOWS\system32\ttbttgqd.dll
C:\WINDOWS\system32\tvfeniof.dll
C:\WINDOWS\system32\udoywfxc.exe
C:\WINDOWS\system32\ukkfftol.dll
C:\WINDOWS\system32\uotndely.dll
C:\WINDOWS\system32\uxnelvtb.dll
C:\WINDOWS\system32\vfduwnje.dll
C:\WINDOWS\system32\vhttqqrg.dll
C:\WINDOWS\system32\vojjoppg.exe
C:\WINDOWS\system32\vtkxawbi.ini
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vuerlqmc.ini
C:\WINDOWS\system32\wccclgvl.exe
C:\WINDOWS\system32\winkve32.dll
C:\WINDOWS\system32\wrqmbgnb.dll
C:\WINDOWS\system32\xeenkwyx.exe
C:\WINDOWS\system32\xjeoslsg.ini
C:\WINDOWS\system32\xuikdacx.ini
C:\WINDOWS\system32\ydqwyjbb.dll
C:\WINDOWS\system32\ymhqhyjj.dll
C:\WINDOWS\system32\yycucngm.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 23:29 --------- d-----w C:\Documents and Settings\ABC\Application Data\MegauploadToolbar
2008-04-21 00:01 --------- d-----w C:\Program Files\Trend Micro
2008-04-20 22:05 --------- d-----w C:\Documents and Settings\ABC\Application Data\LimeWire
2008-04-19 22:39 --------- d-----w C:\Documents and Settings\ABC\Application Data\uTorrent
2008-04-19 22:36 --------- d-----w C:\Program Files\eRightSoft
2008-04-19 18:20 --------- d-----w C:\Program Files\Mad Cars
2008-04-18 20:34 --------- d-----w C:\Program Files\Total Video Converter
2008-04-16 02:07 --------- d-----w C:\Program Files\Games-Masters.com
2008-04-15 21:26 --------- d-----w C:\Documents and Settings\home\Application Data\LimeWire
2008-04-15 19:26 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-04-14 21:18 26,624 ----a-w C:\WINDOWS\system32\winhoq32.dll
2008-04-14 21:14 --------- d-----w C:\Program Files\Xilisoft
2008-04-14 21:02 --------- d-----w C:\Program Files\ImTOO
2008-04-14 21:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-14 20:07 --------- d-----w C:\Documents and Settings\ABC\Application Data\Talkback
2008-04-14 18:27 --------- d-----w C:\Documents and Settings\home\Application Data\uTorrent
2008-04-13 21:31 --------- d-----w C:\Documents and Settings\home\Application Data\Talkback
2008-04-11 18:08 --------- d-----w C:\Program Files\ReflexiveArcade
2008-04-08 18:35 984,576 ----a-w C:\Documents and Settings\home\Application Data\kernel33.dll
2008-04-05 21:16 104,000 ----a-w C:\WINDOWS\system32\iuimiuas.dll
2008-04-05 18:43 --------- d-----w C:\Program Files\GameTribe
2008-04-03 21:53 346,112 ----a-w C:\WINDOWS\system32\rqropnk.dll
2008-04-01 14:29 --------- d-----w C:\Program Files\LimeWire
2008-04-01 14:10 --------- d-----w C:\Program Files\7-Zip
2008-03-25 18:10 --------- d-----w C:\Program Files\Windows Live
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 05:41 --------- d-----w C:\Program Files\QuickTime
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-13 02:46 983,552 ----a-w C:\Documents and Settings\ABC\Application Data\kernel33.dll
2008-01-13 02:46 303,791 ----a-w C:\Documents and Settings\ABC\Application Data\1.exe
2008-01-12 21:21 22,040 ---h--w C:\Documents and Settings\ABC\Application Data\addon.dat
2008-01-12 21:21 1,140,362 ---h--w C:\Documents and Settings\ABC\Application Data\svhost.exe
2001-08-23 15:00 332,463 --sh--w C:\WINDOWS\BoredCoders.pif
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
04/03/2008 02:53 PM 346112 --a------ C:\WINDOWS\system32\rqropnk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [11/07/2007 03:34 PM 3739672]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM 1694208]
"The sharK Project"="C:\WINDOWS\SharK Server.cmd" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"www.shark-project.info"="C:\WINDOWS\SharK Server.cmd" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/28/2005 02:01 AM 7286784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/05/2008 07:55 PM 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/18/2008 10:41 PM 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/03/2004 04:56 PM 15360]

C:\Documents and Settings\ABC\Start Menu\Programs\Startup\
Shortcut to New Text Document.lnk - C:\Documents and Settings\ABC\Desktop\New Text Document.txt [2008-02-02 18:37:59 496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
lsass.exe [2007-11-06 22:11:50 229621]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\rqropnk.dll [04/03/2008 02:53 PM 346112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqropnk]
rqropnk.dll 04/03/2008 02:53 PM 346112 C:\WINDOWS\system32\rqropnk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Silkroad\\SilkErrSender.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\ABC\\My Documents\\Downloads\\AgBot(SILKROAD)\\nuConnector.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Documents and Settings\\ABC\\Desktop\\srosrosro\\srobot.exe"=
"C:\\Documents and Settings\\home\\Desktop\\SROBotEn1.89\\srobot.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\Games-Masters.com\\CABAL Online (Europe)\\launcher\\update\\ESTdnheadless.exe"=

S3 NTProcDrv;Process creation detector for NT.;C:\Documents and Settings\ABC\Desktop\srosrosro\NtProcDrv.sys [02/23/2005 04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{074a542a-bfba-11dc-bed7-001111cff734}]
\Shell\AutoRun\command - K:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cb19b6a-bfb6-11dc-bed6-d13c5397dfd4}]
\Shell\AutoRun\command - K:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fcfc1e0-cd20-11dc-bf03-001111cff734}]
\Shell\Autoplay\Command - L:\smss.exe
\Shell\AutoRun\command - L:\smss.exe
\Shell\Explore\Command - L:\smss.exe
\Shell\Open\Command - L:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{519734ca-c47c-11dc-beed-001111cff734}]
\Shell\AutoRun\command - L:\ntde1ect.com
\Shell\explore\Command - L:\ntde1ect.com
\Shell\open\Command - L:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5465bd88-e3ca-11dc-bf50-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81ffdf18-c498-11dc-beef-001111cff734}]
\Shell\Autoplay\Command - L:\smss.exe
\Shell\AutoRun\command - L:\smss.exe
\Shell\Explore\Command - L:\smss.exe
\Shell\Open\Command - L:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d38703-c0a8-11dc-beda-001111cff734}]
\Shell\Autoplay\Command - M:\smss.exe
\Shell\AutoRun\command - M:\smss.exe
\Shell\Explore\Command - M:\smss.exe
\Shell\Open\Command - M:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d3871c-c0a8-11dc-beda-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8e90132-fe86-11dc-bfa6-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19fd75e-c7a1-11dc-bef7-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C0D040F0-C7F0-CCC1-B55C-B59B897B73AA}]
C:\WINDOWS\system32\win32svc.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 16:38:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rqropnk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 05/16/2008 16:43:24 - machine was rebooted [ABC]
ComboFix-quarantined-files.txt 2008-05-16 23:43:14

Pre-Run: 31,362,846,720 bytes free
Post-Run: 31,753,867,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Unidentified operating system on drive H."
H:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

316 --- E O F --- 2008-03-17 23:01:04
  • 0

#4
7amo0dy

7amo0dy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hijack This :-

sorry for the late reply ... here's the log :-



ComboFix 08-05-15.3 - ABC 05/16/2008 16:32:48.1 - NTFSx86
Running from: C:\Documents and Settings\ABC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ABC\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\ABC\Application Data\ShoppingReport
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\ABC\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\home\Application Data\ShoppingReport
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\home\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Funny UST Scandal.avi.exe
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\smss.exe
C:\WINDOWS\.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\cookies.ini
C:\WINDOWS\Funny UST Scandal.exe
C:\WINDOWS\killer.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\28463
C:\WINDOWS\system32\28463\AKV.exe
C:\WINDOWS\system32\28463\YMGY.001
C:\WINDOWS\system32\28463\YMGY.003
C:\WINDOWS\system32\28463\YMGY.004
C:\WINDOWS\system32\28463\YMGY.006
C:\WINDOWS\system32\28463\YMGY.007
C:\WINDOWS\system32\28463\YMGY.009
C:\WINDOWS\system32\28463\YMGY.chm
C:\WINDOWS\system32\28463\YMGY.exe
C:\WINDOWS\system32\abbfkmvp.exe
C:\WINDOWS\system32\acscrike.dll
C:\WINDOWS\system32\amjyvenm.exe
C:\WINDOWS\system32\amyfkyeo.ini
C:\WINDOWS\system32\appbsxaw.ini
C:\WINDOWS\system32\aqmhppms.exe
C:\WINDOWS\system32\asmsjuia.exe
C:\WINDOWS\system32\atwjcxlr.exe
C:\WINDOWS\system32\bebclxpn.dll
C:\WINDOWS\system32\bngbmqrw.ini
C:\WINDOWS\system32\bntvpjgj.ini
C:\WINDOWS\system32\btvlenxu.ini
C:\WINDOWS\system32\caibnoso.ini
C:\WINDOWS\system32\ckmjbxsm.dll
C:\WINDOWS\system32\cmnihapc.dll
C:\WINDOWS\system32\cmqlreuv.dll
C:\WINDOWS\system32\daelovrk.dll
C:\WINDOWS\system32\dcvpwyyp.ini
C:\WINDOWS\system32\ddcYsRJC.dll
C:\WINDOWS\system32\dplqxvju.dll
C:\WINDOWS\system32\dtbwosdo.ini
C:\WINDOWS\system32\duajqwts.dll
C:\WINDOWS\system32\dweuxerk.ini
C:\WINDOWS\system32\edxhxsjl.exe
C:\WINDOWS\system32\eotxflga.exe
C:\WINDOWS\system32\eoygivkj.dll
C:\WINDOWS\system32\epajjoxn.dll
C:\WINDOWS\system32\eqsvanul.dll
C:\WINDOWS\system32\eqyjoauk.exe
C:\WINDOWS\system32\ervagcjs.ini
C:\WINDOWS\system32\foinefvt.ini
C:\WINDOWS\system32\gbodpmja.dll
C:\WINDOWS\system32\goallloy.exe
C:\WINDOWS\system32\grqqtthv.ini
C:\WINDOWS\system32\ibwaxktv.dll
C:\WINDOWS\system32\ilgexioa.dll
C:\WINDOWS\system32\jcorlpnm.ini
C:\WINDOWS\system32\jgjpvtnb.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jolsuhqs.dll
C:\WINDOWS\system32\jtlufpgk.exe
C:\WINDOWS\system32\jxhfiaaf.exe
C:\WINDOWS\system32\kgkpbrql.ini
C:\WINDOWS\system32\knxpnslg.exe
C:\WINDOWS\system32\krexuewd.dll
C:\WINDOWS\system32\krvolead.ini
C:\WINDOWS\system32\lobqmnsc.dll
C:\WINDOWS\system32\lqhhpjfh.exe
C:\WINDOWS\system32\lujwfwbm.dll
C:\WINDOWS\system32\lunavsqe.ini
C:\WINDOWS\system32\lvaniymx.dll
C:\WINDOWS\system32\mbwfwjul.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\misviuii.exe
C:\WINDOWS\system32\mivdoaox.dll
C:\WINDOWS\system32\mkmfiwfi.dll
C:\WINDOWS\system32\nyslnfef.exe
C:\WINDOWS\system32\odsowbtd.dll
C:\WINDOWS\system32\oeykfyma.dll
C:\WINDOWS\system32\orcnrppt.ini
C:\WINDOWS\system32\oxocarsu.dll
C:\WINDOWS\system32\oycstlje.dll
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\pqstv.ini2
C:\WINDOWS\system32\pyejrrwg.dll
C:\WINDOWS\system32\pyywpvcd.dll
C:\WINDOWS\system32\qhaddpja.exe
C:\WINDOWS\system32\qymmnwyc.ini
C:\WINDOWS\system32\remjpqno.dll
C:\WINDOWS\system32\rkoncchj.exe
C:\WINDOWS\system32\sjcgavre.dll
C:\WINDOWS\system32\sjtdpmbo.dll
C:\WINDOWS\system32\skrfwruk.dll
C:\WINDOWS\system32\sntrmwal.exe
C:\WINDOWS\system32\sqhusloj.ini
C:\WINDOWS\system32\svareiau.dll
C:\WINDOWS\system32\swyxhgjl.exe
C:\WINDOWS\system32\ttbttgqd.dll
C:\WINDOWS\system32\tvfeniof.dll
C:\WINDOWS\system32\udoywfxc.exe
C:\WINDOWS\system32\ukkfftol.dll
C:\WINDOWS\system32\uotndely.dll
C:\WINDOWS\system32\uxnelvtb.dll
C:\WINDOWS\system32\vfduwnje.dll
C:\WINDOWS\system32\vhttqqrg.dll
C:\WINDOWS\system32\vojjoppg.exe
C:\WINDOWS\system32\vtkxawbi.ini
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vuerlqmc.ini
C:\WINDOWS\system32\wccclgvl.exe
C:\WINDOWS\system32\winkve32.dll
C:\WINDOWS\system32\wrqmbgnb.dll
C:\WINDOWS\system32\xeenkwyx.exe
C:\WINDOWS\system32\xjeoslsg.ini
C:\WINDOWS\system32\xuikdacx.ini
C:\WINDOWS\system32\ydqwyjbb.dll
C:\WINDOWS\system32\ymhqhyjj.dll
C:\WINDOWS\system32\yycucngm.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 23:29 --------- d-----w C:\Documents and Settings\ABC\Application Data\MegauploadToolbar
2008-04-21 00:01 --------- d-----w C:\Program Files\Trend Micro
2008-04-20 22:05 --------- d-----w C:\Documents and Settings\ABC\Application Data\LimeWire
2008-04-19 22:39 --------- d-----w C:\Documents and Settings\ABC\Application Data\uTorrent
2008-04-19 22:36 --------- d-----w C:\Program Files\eRightSoft
2008-04-19 18:20 --------- d-----w C:\Program Files\Mad Cars
2008-04-18 20:34 --------- d-----w C:\Program Files\Total Video Converter
2008-04-16 02:07 --------- d-----w C:\Program Files\Games-Masters.com
2008-04-15 21:26 --------- d-----w C:\Documents and Settings\home\Application Data\LimeWire
2008-04-15 19:26 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-04-14 21:18 26,624 ----a-w C:\WINDOWS\system32\winhoq32.dll
2008-04-14 21:14 --------- d-----w C:\Program Files\Xilisoft
2008-04-14 21:02 --------- d-----w C:\Program Files\ImTOO
2008-04-14 21:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-14 20:07 --------- d-----w C:\Documents and Settings\ABC\Application Data\Talkback
2008-04-14 18:27 --------- d-----w C:\Documents and Settings\home\Application Data\uTorrent
2008-04-13 21:31 --------- d-----w C:\Documents and Settings\home\Application Data\Talkback
2008-04-11 18:08 --------- d-----w C:\Program Files\ReflexiveArcade
2008-04-08 18:35 984,576 ----a-w C:\Documents and Settings\home\Application Data\kernel33.dll
2008-04-05 21:16 104,000 ----a-w C:\WINDOWS\system32\iuimiuas.dll
2008-04-05 18:43 --------- d-----w C:\Program Files\GameTribe
2008-04-03 21:53 346,112 ----a-w C:\WINDOWS\system32\rqropnk.dll
2008-04-01 14:29 --------- d-----w C:\Program Files\LimeWire
2008-04-01 14:10 --------- d-----w C:\Program Files\7-Zip
2008-03-25 18:10 --------- d-----w C:\Program Files\Windows Live
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 05:41 --------- d-----w C:\Program Files\QuickTime
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-13 02:46 983,552 ----a-w C:\Documents and Settings\ABC\Application Data\kernel33.dll
2008-01-13 02:46 303,791 ----a-w C:\Documents and Settings\ABC\Application Data\1.exe
2008-01-12 21:21 22,040 ---h--w C:\Documents and Settings\ABC\Application Data\addon.dat
2008-01-12 21:21 1,140,362 ---h--w C:\Documents and Settings\ABC\Application Data\svhost.exe
2001-08-23 15:00 332,463 --sh--w C:\WINDOWS\BoredCoders.pif
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
04/03/2008 02:53 PM 346112 --a------ C:\WINDOWS\system32\rqropnk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [11/07/2007 03:34 PM 3739672]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM 1694208]
"The sharK Project"="C:\WINDOWS\SharK Server.cmd" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"www.shark-project.info"="C:\WINDOWS\SharK Server.cmd" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/28/2005 02:01 AM 7286784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/05/2008 07:55 PM 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/18/2008 10:41 PM 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/03/2004 04:56 PM 15360]

C:\Documents and Settings\ABC\Start Menu\Programs\Startup\
Shortcut to New Text Document.lnk - C:\Documents and Settings\ABC\Desktop\New Text Document.txt [2008-02-02 18:37:59 496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
lsass.exe [2007-11-06 22:11:50 229621]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\rqropnk.dll [04/03/2008 02:53 PM 346112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqropnk]
rqropnk.dll 04/03/2008 02:53 PM 346112 C:\WINDOWS\system32\rqropnk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Silkroad\\SilkErrSender.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\ABC\\My Documents\\Downloads\\AgBot(SILKROAD)\\nuConnector.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Documents and Settings\\ABC\\Desktop\\srosrosro\\srobot.exe"=
"C:\\Documents and Settings\\home\\Desktop\\SROBotEn1.89\\srobot.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\Games-Masters.com\\CABAL Online (Europe)\\launcher\\update\\ESTdnheadless.exe"=

S3 NTProcDrv;Process creation detector for NT.;C:\Documents and Settings\ABC\Desktop\srosrosro\NtProcDrv.sys [02/23/2005 04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{074a542a-bfba-11dc-bed7-001111cff734}]
\Shell\AutoRun\command - K:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cb19b6a-bfb6-11dc-bed6-d13c5397dfd4}]
\Shell\AutoRun\command - K:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fcfc1e0-cd20-11dc-bf03-001111cff734}]
\Shell\Autoplay\Command - L:\smss.exe
\Shell\AutoRun\command - L:\smss.exe
\Shell\Explore\Command - L:\smss.exe
\Shell\Open\Command - L:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{519734ca-c47c-11dc-beed-001111cff734}]
\Shell\AutoRun\command - L:\ntde1ect.com
\Shell\explore\Command - L:\ntde1ect.com
\Shell\open\Command - L:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5465bd88-e3ca-11dc-bf50-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81ffdf18-c498-11dc-beef-001111cff734}]
\Shell\Autoplay\Command - L:\smss.exe
\Shell\AutoRun\command - L:\smss.exe
\Shell\Explore\Command - L:\smss.exe
\Shell\Open\Command - L:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d38703-c0a8-11dc-beda-001111cff734}]
\Shell\Autoplay\Command - M:\smss.exe
\Shell\AutoRun\command - M:\smss.exe
\Shell\Explore\Command - M:\smss.exe
\Shell\Open\Command - M:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d3871c-c0a8-11dc-beda-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8e90132-fe86-11dc-bfa6-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19fd75e-c7a1-11dc-bef7-001111cff734}]
\Shell\Autoplay\Command - K:\smss.exe
\Shell\AutoRun\command - K:\smss.exe
\Shell\Explore\Command - K:\smss.exe
\Shell\Open\Command - K:\smss.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C0D040F0-C7F0-CCC1-B55C-B59B897B73AA}]
C:\WINDOWS\system32\win32svc.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 16:38:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rqropnk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 05/16/2008 16:43:24 - machine was rebooted [ABC]
ComboFix-quarantined-files.txt 2008-05-16 23:43:14

Pre-Run: 31,362,846,720 bytes free
Post-Run: 31,753,867,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Unidentified operating system on drive H."
H:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

316 --- E O F --- 2008-03-17 23:01:04
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\winhoq32.dll
C:\Documents and Settings\home\Application Data\kernel33.dll
C:\WINDOWS\system32\iuimiuas.dll
C:\WINDOWS\system32\rqropnk.dll
C:\Documents and Settings\ABC\Application Data\kernel33.dll
C:\Documents and Settings\ABC\Application Data\1.exe
C:\Documents and Settings\ABC\Application Data\addon.dat
C:\Documents and Settings\ABC\Application Data\svhost.exe
K:\AutoRun.exe
L:\smss.exe
L:\ntde1ect.com
K:\smss.exe
M:\smss.exe
C:\WINDOWS\system32\win32svc.exe

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{074a542a-bfba-11dc-bed7-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cb19b6a-bfb6-11dc-bed6-d13c5397dfd4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fcfc1e0-cd20-11dc-bf03-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{519734ca-c47c-11dc-beed-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5465bd88-e3ca-11dc-bf50-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81ffdf18-c498-11dc-beef-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d38703-c0a8-11dc-beda-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88d3871c-c0a8-11dc-beda-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8e90132-fe86-11dc-bfa6-001111cff734}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19fd75e-c7a1-11dc-bef7-001111cff734}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C0D040F0-C7F0-CCC1-B55C-B59B897B73AA}]
[-HKEY_CLASSES_ROOT\CLSID\{C0D040F0-C7F0-CCC1-B55C-B59B897B73AA}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



Also post a new HijackThis log
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP