Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HijackThis Log - Several Malware stuff [CLOSED]

Started by Apocalypse_VC , May 17 2008 02:00 AM

  • This topic is locked This topic is locked

#1
Apocalypse_VC
Posted 17 May 2008 - 02:00 AM

Apocalypse_VC

    Member

  • Member
  • PipPipPip
  • 169 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:42 PM, on 5/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
E:\program files\FlashGet\flashget.exe
E:\program files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\Mouse32A.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Flashget] "E:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Power Mixer] "C:\Program Files\Power Mixer\pwmixer.exe" /m
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\mapcom\AppData\Local\Temp\yayvVLFv.dll,c
O4 - HKCU\..\Run: [10adb9f1] rundll32.exe "C:\Users\mapcom\AppData\Local\Temp\kwbnpcda.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - E:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - E:\program files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxda_device - - C:\Windows\system32\lxdacoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe

--
End of file - 7381 bytes
  • 0

Advertisements

#2
greyknight17
Posted 17 May 2008 - 01:54 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\mapcom\AppData\Local\Temp\yayvVLFv.dll,c
O4 - HKCU\..\Run: [10adb9f1] rundll32.exe "C:\Users\mapcom\AppData\Local\Temp\kwbnpcda.dll",b

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Users\mapcom\AppData\Local\Temp\ - Delete everything inside this folder

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
Apocalypse_VC
Posted 17 May 2008 - 10:55 PM

Apocalypse_VC

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
I couldnt delete any of the files as it says that I need permission.

As for the combodix log here it is :

ComboFix 08-05-15.3 - mapcom 2008-05-18 10:17:39.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1261 [GMT 5.5:30]
Running from: C:\Users\mapcom\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\ddcAtusR.dll
C:\Windows\system32\mlJaaXoL.dll
C:\Windows\system32\UpMedia
C:\Windows\system32\UpMedia\ContentTool.dll
C:\Windows\system32\UpMedia\SearchTool.dll
C:\Windows\system32\UpMedia\uninstallSE.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-17 16:55 . 2008-05-18 09:50 <DIR> d----c--- C:\Program Files\Common Files\Steam
2008-05-17 16:46 . 2008-05-17 16:46 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-05-17 16:46 . 2008-05-17 16:46 <DIR> d-------- C:\ProgramData\NVIDIA
2008-05-17 16:40 . 2008-05-17 16:40 <DIR> d-------- C:\Windows\nvidia icons
2008-05-17 16:39 . 2008-05-02 22:46 768,544 --a------ C:\Windows\System32\nvcplui.exe
2008-05-17 16:39 . 2008-05-02 22:46 420,384 --a------ C:\Windows\System32\nvcpl.cpl
2008-05-17 16:39 . 2008-05-02 22:46 313,888 --a------ C:\Windows\System32\nvexpbar.dll
2008-05-17 16:38 . 2008-04-30 17:27 442,368 --a------ C:\Windows\System32\NVUNINST.EXE
2008-05-17 16:37 . 2008-05-17 16:37 <DIR> d----c--- C:\NVIDIA
2008-05-17 16:23 . 2008-05-17 16:23 <DIR> d----c--- C:\Program Files\SystemRequirementsLab
2008-05-17 13:21 . 2008-05-17 13:21 <DIR> d----c--- C:\Program Files\Trend Micro
2008-05-17 08:59 . 2008-05-17 08:59 <DIR> d----c--- C:\Program Files\MSN Password Recovery
2008-05-17 08:57 . 2008-05-17 08:57 118 --a------ C:\Windows\System32\MRT.INI
2008-05-08 01:35 . 2008-05-08 01:35 <DIR> d-------- C:\Users\mapcom\AppData\Roaming\SystemRequirementsLab
2008-05-07 23:26 . 2008-05-07 23:26 2,337,865 --a------ C:\Windows\System32\pbsvc.exe
2008-05-07 23:26 . 2008-05-07 23:26 22,328 --a------ C:\Users\mapcom\AppData\Roaming\PnkBstrK.sys
2008-05-06 10:28 . 2008-05-06 10:28 <DIR> d----c--- C:\Program Files\Browser Mouse
2008-05-06 10:28 . 2000-05-10 10:59 6,205 --a------ C:\Windows\System32\LWBHMVXD.VXD
2008-05-06 10:27 . 2008-05-06 10:27 <DIR> d----c--- C:\Memorex
2008-05-05 18:14 . 2008-05-05 18:14 <DIR> d-------- C:\Users\All Users\TechSmith
2008-05-05 18:14 . 2008-05-05 18:14 <DIR> d-------- C:\ProgramData\TechSmith
2008-05-05 18:14 . 2008-05-05 18:14 <DIR> d-------- C:\Program Files\TechSmith
2008-05-02 15:42 . 2008-05-02 15:42 <DIR> d----c--- C:\Program Files\Apple Software Update
2008-04-26 16:29 . 2008-04-26 16:29 <DIR> d-------- C:\Program Files\Investintech.com Inc
2008-04-25 21:42 . 2008-04-25 21:43 <DIR> d-------- C:\Program Files\OpenTTD
2008-04-25 21:36 . 2008-04-25 21:36 <DIR> d----c--- C:\MPS
2008-04-25 21:36 . 1996-09-30 19:46 24,576 --------- C:\Windows\UniFISH.exe
2008-04-20 14:45 . 2008-04-27 12:07 294 --a------ C:\Windows\ODBC.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 04:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 07:02 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-17 03:41 --------- d-----w C:\Users\mapcom\AppData\Roaming\uTorrent
2008-05-15 17:11 --------- d-----w C:\Users\mapcom\AppData\Roaming\LimeWire
2008-05-14 21:31 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-14 21:31 --------- d-----w C:\Program Files\Windows Mail
2008-05-08 08:37 --------- d-----w C:\Program Files\VstPlugins
2008-05-08 08:37 --------- d-----w C:\Program Files\Image-Line
2008-05-07 20:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 17:56 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-07 17:56 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-05-02 10:48 --------- d-----w C:\Program Files\Safari
2008-04-25 16:58 --------- d-----w C:\Users\mapcom\AppData\Roaming\Skype
2008-04-25 16:49 --------- d-----w C:\Users\mapcom\AppData\Roaming\skypePM
2008-04-20 03:51 --------- d-----w C:\Program Files\Java
2008-04-15 09:42 271,360 ----a-w C:\Windows\system32\drivers\atksgt.sys
2008-04-15 09:42 --------- dc----w C:\Program Files\AGEIA Technologies
2008-04-15 09:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 09:41 18,048 ----a-w C:\Windows\system32\drivers\lirsgt.sys
2008-04-10 08:31 --------- d-----w C:\ProgramData\Musicnotes
2008-04-06 10:09 --------- d-----w C:\Users\other\AppData\Roaming\FlashGet
2008-04-06 04:02 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-29 10:24 --------- d-----w C:\ProgramData\Apple Computer
2008-03-29 10:24 --------- d-----w C:\Program Files\iTunes
2008-03-29 10:24 --------- d-----w C:\Program Files\iPod
2008-03-28 18:27 --------- d-----w C:\Program Files\HP
2008-03-26 11:13 --------- d-----w C:\Program Files\Web Publish
2008-03-21 12:26 --------- d-----w C:\Users\mapcom\AppData\Roaming\Apple Computer
2008-03-21 12:20 --------- dc----w C:\Program Files\Bonjour
2008-03-21 12:19 19,522,352 ----a-w C:\Users\mapcom\SafariSetup.exe
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-01 04:31 374 ----a-w C:\Users\mapcom\AppData\Roaming\internaldb6334.dat
2008-02-01 04:28 555 ----a-w C:\Users\mapcom\AppData\Roaming\internaldb8467.dat
2008-02-01 04:28 18,432 ----a-w C:\Users\mapcom\AppData\Roaming\internaldb41.dat
2008-01-27 18:24 1,535,323 ----a-w C:\Users\mapcom\InstallWinUAE1440.exe
2008-01-27 18:23 566,156 ----a-w C:\Users\mapcom\WinEMU050.zip
2007-11-17 07:20 1,919,944 ----a-w C:\Users\Public\daemon410-x86.exe
2007-11-16 17:16 32 ----a-w C:\Users\All Users\ezsid.dat
2007-11-16 17:16 32 ----a-w C:\ProgramData\ezsid.dat
2007-10-31 01:25 174 --sha-w C:\Program Files\desktop.ini
2007-10-30 13:37 4,921,080 ----a-w C:\Users\mapcom\Opera_9.24_Eng_Setup.exe
2007-10-24 10:53 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-24 10:53 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-24 10:53 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:03 1232896]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 19:46 171464]
"Power Mixer"="C:\Program Files\Power Mixer\pwmixer.exe" [2007-10-25 01:30 368266]
"Steam"="D:\Program Files\Steam\Steam.exe" [2008-05-17 16:56 1271032]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 18:03 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-31 00:22 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 04:10 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 15:15 222208]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-25 12:21 4435968 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-05-25 12:21 1822720 C:\Windows\SkyTel.exe]
"Flashget"="E:\Program Files\FlashGet\FlashGet.exe" [2007-09-25 13:40 2007088]
"PWRISOVM.EXE"="E:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 05:35 200704]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [2001-11-20 16:21 356352]
"MRT"="C:\Windows\system32\MRT.exe" [2008-05-10 03:05 16863864]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C1F0F422-9D01-404B-9B8B-92E5B12ECCD7}D:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= UDP:D:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"UDP Query User{D799CC55-9557-45A3-AC05-7C8A653C1D01}D:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= TCP:D:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"TCP Query User{38B4676F-49C0-4A9B-B235-33B78A09F400}D:\\program files\\warcraft iii\\war3.exe"= UDP:D:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{0D6E0F69-96B0-41AC-BD74-5CABD3879B5D}D:\\program files\\warcraft iii\\war3.exe"= TCP:D:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{60F6B057-ED72-496B-A698-3578800755C2}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{7BAD24E5-9B26-42FE-ABF1-7531EA902E3A}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{92EA0A20-A549-4FE7-8E35-AF8F91B58F63}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{5BFCE862-D305-4921-9A80-E8EB718457DE}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{6EA0CA7C-0F15-4659-856C-5F8F460B9F1D}C:\\program files\\sopcast\\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{6B8681E9-FE60-4353-8429-335B24CC93A0}C:\\program files\\sopcast\\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{E6CC1040-442D-4AFC-82DC-AC381D55CA23}C:\\users\\mapcom\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= UDP:C:\users\mapcom\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"UDP Query User{B7EEAFC6-55BE-4349-A46C-00E57756EF07}C:\\users\\mapcom\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= TCP:C:\users\mapcom\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"TCP Query User{0FA3A4DE-C759-43BE-AEBA-67A90021E968}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{9CC736C3-0E77-4C3E-B9F5-4D85C283E22D}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{FF29A457-2B7A-4C5F-B18E-07491B5B1C83}"= UDP:C:\Windows\System32\lxdacoms.exe:Lexmark Communications System
"{68034C1F-4DB1-4F5B-915C-8132F8D3477B}"= TCP:C:\Windows\System32\lxdacoms.exe:Lexmark Communications System
"{0CFFC1DB-F01A-48D9-BCEB-F247B3EB88EE}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxdapswx.exe:Printer Status Window
"{36013C78-6B11-4B40-A03C-FE619830BD5D}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxdapswx.exe:Printer Status Window
"TCP Query User{0EB1F924-AB65-4257-9AEA-DA5C1A53B89B}E:\\program files\\ea games\\battlefield 2\\bf2_w32ded.exe"= UDP:E:\program files\ea games\battlefield 2\bf2_w32ded.exe:bf2_w32ded
"UDP Query User{67833D44-606E-4331-A551-7D8787B8DBCC}E:\\program files\\ea games\\battlefield 2\\bf2_w32ded.exe"= TCP:E:\program files\ea games\battlefield 2\bf2_w32ded.exe:bf2_w32ded
"TCP Query User{08A8934D-BD45-43B8-B3C0-0398AE660964}E:\\program files\\flashget\\flashget.exe"= UDP:E:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{CC3CB6C9-72D7-4D08-9134-0B98AE23D187}E:\\program files\\flashget\\flashget.exe"= TCP:E:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{51815A19-A13F-4AB9-A6AA-459A3194F338}E:\\program files\\counter-strike\\hl.exe"= UDP:E:\program files\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{1C71B797-1008-4001-B666-5513BCBD8EA2}E:\\program files\\counter-strike\\hl.exe"= TCP:E:\program files\counter-strike\hl.exe:Half-Life Launcher
"{D9596F7E-DBDF-43C9-A733-ECB14CC1FF2A}"= UDP:E:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{3DBFD06C-5507-4A8A-B4E1-9BE8F7B7F6FD}"= TCP:E:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"TCP Query User{C8525CEC-136C-481A-8786-198A1835652B}C:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:C:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{B847698B-A588-444F-85BD-4160C0A025C9}C:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:C:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"{7ADACE68-EA88-4434-91A0-AAAF7671FBF3}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{484ABF22-0379-47DB-9867-0A4AE1959EC3}C:\\program files\\ocean technology\\gg e-sports platform\\ggclient.exe"= UDP:C:\program files\ocean technology\gg e-sports platform\ggclient.exe:GG E-Sports Platform Client
"UDP Query User{E3523825-9DE1-4EAE-A1FA-9A29BDB1D4DD}C:\\program files\\ocean technology\\gg e-sports platform\\ggclient.exe"= TCP:C:\program files\ocean technology\gg e-sports platform\ggclient.exe:GG E-Sports Platform Client
"TCP Query User{A79D87A9-54EA-4313-95A2-3AEF4B9041BD}C:\\program files\\ocean technologies & media\\gg e-sports platform\\ggclient.exe"= UDP:C:\program files\ocean technologies & media\gg e-sports platform\ggclient.exe:GG E-Sports Platform Client
"UDP Query User{8ED9E951-2EE1-4B51-ADE4-858422818912}C:\\program files\\ocean technologies & media\\gg e-sports platform\\ggclient.exe"= TCP:C:\program files\ocean technologies & media\gg e-sports platform\ggclient.exe:GG E-Sports Platform Client
"TCP Query User{275D6493-0D65-4885-AD67-C8F6835AC0AD}C:\\users\\mapcom\\program files\\utorrent\\utorrent.exe"= UDP:C:\users\mapcom\program files\utorrent\utorrent.exe:utorrent.exe
"UDP Query User{EE6D9D2D-0949-4058-9D2E-DEEE821623CF}C:\\users\\mapcom\\program files\\utorrent\\utorrent.exe"= TCP:C:\users\mapcom\program files\utorrent\utorrent.exe:utorrent.exe
"TCP Query User{C84D47EB-C4FE-4784-B4E9-745E33819CF8}C:\\program files\\ocean technology\\gg e-sports platform\\garena.exe"= UDP:C:\program files\ocean technology\gg e-sports platform\garena.exe:Garena
"UDP Query User{1E5C0EC8-94FE-4A25-826F-099179B0F9E5}C:\\program files\\ocean technology\\gg e-sports platform\\garena.exe"= TCP:C:\program files\ocean technology\gg e-sports platform\garena.exe:Garena
"TCP Query User{320F3805-A836-420D-9418-7CD23C27B420}C:\\program files\\ocean technologies & media\\gg e-sports platform\\garena.exe"= UDP:C:\program files\ocean technologies & media\gg e-sports platform\garena.exe:Garena
"UDP Query User{704EDCD3-1176-4851-A3D2-7ABF6CF31D1D}C:\\program files\\ocean technologies & media\\gg e-sports platform\\garena.exe"= TCP:C:\program files\ocean technologies & media\gg e-sports platform\garena.exe:Garena
"{C15E6927-9F24-4A7D-8CA6-1556C6F1287B}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{D7B4046B-9B6B-4878-8E94-A6FF91B6AECE}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{26C0A18D-BEF5-42A1-9F69-497E4E9917D3}C:\\program files\\safari\\safari.exe"= UDP:C:\program files\safari\safari.exe:Safari Web Browser
"UDP Query User{B854CB1D-5CD2-4BEB-9E5F-688015CAC103}C:\\program files\\safari\\safari.exe"= TCP:C:\program files\safari\safari.exe:Safari Web Browser
"{DCBFADB8-01F3-48D0-865A-8F4D47A60376}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{BAA6E467-D33A-485A-961A-E245F67658A9}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{A59A3E85-23B7-4BAF-B088-EE99A988897F}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{A8DAC786-C28F-4D96-8902-E0234C5EA0A9}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{2A4D7D11-07FB-4876-9855-DC3DC0BC8869}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{43630760-F053-447E-8CE3-855CD16102DF}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{ADFA3347-BAFC-4616-8645-6C0D8DFA028C}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{52041B7C-E706-47A0-8869-AAECA2FC7919}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{C84B47B5-F99B-4A4B-BEFE-71837369F647}"= UDP:27349:Limewire
"{B8201A09-BBA2-4D13-A3A7-1D9FA2E24ACE}"= TCP:27349:Limewire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 lxda_device;lxda_device;C:\Windows\system32\lxdacoms.exe [2007-03-21 12:28]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\Windows\system32\drivers\ScreamingBAudio.sys [2007-08-24 15:44]
R3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-05-17 17:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2cf91ef-1264-11dd-9c94-0019d19e044f}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MntDrCore.exe
\shell\Open\command - MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c272871b-81d3-11dc-ad47-0019d19e044f}]
\shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c272871e-81d3-11dc-ad47-0019d19e044f}]
\shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2728728-81d3-11dc-ad47-0019d19e044f}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c272872b-81d3-11dc-ad47-0019d19e044f}]
\shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6888ba0-89e2-11dc-bb55-0019d19e044f}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6888ba8-89e2-11dc-bb55-0019d19e044f}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5cf2d6-91c5-11dc-9cb7-0019d19e044f}]
\shell\AutoRun\command - L:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5cf2db-91c5-11dc-9cb7-0019d19e044f}]
\shell\AutoRun\command - H:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 12:56:48 C:\Windows\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-05-17 12:12:36 C:\Windows\Tasks\User_Feed_Synchronization-{313AAF3D-4AA9-4E28-AB3F-4FF236B64FA7}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 10:21:13
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-18 10:23:40
ComboFix-quarantined-files.txt 2008-05-18 04:52:37

Pre-Run: 5,208,297,472 bytes free
Post-Run: 5,295,341,568 bytes free

242 --- E O F --- 2008-05-17 03:27:46
  • 0

#4
greyknight17
Posted 18 May 2008 - 08:35 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Boot into Safe Mode and delete all the contents in this folder:

C:\Users\mapcom\AppData\Local\Temp\

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#5
greyknight17
Posted 24 May 2008 - 06:38 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP