Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Something Wrong, Don't know what.. [CLOSED]

Started by Simore , May 28 2008 04:29 PM

  • This topic is locked This topic is locked

#1
Simore
Posted 28 May 2008 - 04:29 PM

Simore

    Member

  • Member
  • PipPip
  • 16 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:08 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {1c068f37-ccee-a27b-3dc4-3c7b7b5baf29} - {92fab5b7-b7c3-4cd3-b72a-eecc73f860c1} - C:\WINDOWS\system32\oswdpofm.dll
O2 - BHO: (no name) - {C03ABB45-519F-4B59-9BB0-79306B19E887} - C:\WINDOWS\system32\eFWOExYS.dll
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189685780812
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.cogeco.ca...LS3.3/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O20 - Winlogon Notify: __c002DDD4 - C:\WINDOWS\system32\__c002DDD4.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3909 bytes
  • 0

Advertisements

#2
greyknight17
Posted 29 May 2008 - 11:02 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Viewpoint

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: {1c068f37-ccee-a27b-3dc4-3c7b7b5baf29} - {92fab5b7-b7c3-4cd3-b72a-eecc73f860c1} - C:\WINDOWS\system32\oswdpofm.dll
O2 - BHO: (no name) - {C03ABB45-519F-4B59-9BB0-79306B19E887} - C:\WINDOWS\system32\eFWOExYS.dll
O20 - Winlogon Notify: __c002DDD4 - C:\WINDOWS\system32\__c002DDD4.dat
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\oswdpofm.dll
C:\WINDOWS\system32\eFWOExYS.dll
C:\WINDOWS\system32\__c002DDD4.dat
C:\Program Files\Viewpoint\

Don't worry if you can't delete any of the files above...

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
Simore
Posted 29 May 2008 - 02:45 PM

Simore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Thanks a lot


ComboFix 08-05-29.1 - Tienny 2008-05-29 16:32:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2523 [GMT -4:00]
Running from: C:\Documents and Settings\Tienny\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tienny\Application Data\WeatherDPA
C:\Documents and Settings\Tienny\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\Tienny\Application Data\Zango
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\3893245.sdf
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\24098
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\271868
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\27503
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34123
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\427075
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\52335
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\541147
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\639731
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738022
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\753300
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\80657
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\83463
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\dynamic\ustat\36cb.dat
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\avatar.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\components.cdf
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\cursors.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bar.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_logos.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_other.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\default.cdf
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\editblbuttons.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\icons2.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\ie_video.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\keywords.idx
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\layout.cdf
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\progress.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\top7.cdf
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\progress.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
C:\Documents and Settings\Tienny\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
C:\Documents and Settings\Tienny\cftmon.exe
C:\Documents and Settings\Tienny\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe
C:\Documents and Settings\Tienny\Local Settings\Temporary Internet Files\sph264.dll
C:\Documents and Settings\Tienny\Local Settings\Temporary Internet Files\spmpeg4.dll
C:\Documents and Settings\Tienny\Local Settings\Temporary Internet Files\sptheo.dll
C:\Documents and Settings\Tienny\Local Settings\Temporary Internet Files\StreamPlug.dll
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oswdpofm.dll
C:\WINDOWS\system32\SYxEOWFe.ini
C:\WINDOWS\system32\SYxEOWFe.ini2
C:\WINDOWS\system32\uplrwukb.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POWERMANAGER


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 16:35 . 2008-05-28 16:35 <DIR> d-------- C:\VundoFix Backups
2008-05-28 16:31 . 2008-05-28 16:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 16:29 . 2008-05-28 16:29 <DIR> d-------- C:\Documents and Settings\Tienny\Application Data\Malwarebytes
2008-05-28 16:28 . 2008-05-28 16:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 16:28 . 2008-05-28 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 16:28 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 16:28 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 16:27 . 2008-05-28 16:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-28 16:19 . 2008-05-28 16:19 5,120 --a------ C:\WINDOWS\system32\config\systemprofile\ftp34.dll
2008-05-28 08:39 . 2008-05-28 16:19 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-27 16:29 . 2008-05-27 16:29 <DIR> d-------- C:\fsaua.data
2008-05-27 16:28 . 2008-05-28 18:22 59,904 --a------ C:\WINDOWS\system32\iifcCtRL.dll.vir
2008-05-27 16:00 . 2008-05-27 16:01 480,768 --a------ C:\8.tmp
2008-05-27 15:00 . 2008-05-28 16:18 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-26 18:28 . 2008-05-28 13:14 5,120 --a------ C:\Documents and Settings\Tienny\ftp34.dll
2008-05-25 18:29 . 2008-05-25 18:29 <DIR> d-------- C:\Documents and Settings\Tienny\Application Data\Thinstall
2008-05-25 17:43 . 2008-05-25 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-22 22:56 . 2008-05-22 22:57 <DIR> d-------- C:\Program Files\WM Converter
2008-05-21 15:08 . 2004-08-04 01:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-21 15:08 . 2004-08-04 01:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-20 22:34 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-20 22:34 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-15 20:58 . 2008-05-15 20:58 <DIR> d-------- C:\Program Files\Bonjour
2008-05-15 20:48 . 2008-05-15 20:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-10 04:09 . 2008-05-10 04:09 <DIR> d-------- C:\Iron_Man_USA_XBOX360-VORTEX
2008-05-05 19:53 . 2008-05-28 08:47 <DIR> d-------- C:\Program Files\SlySoft
2008-05-05 19:53 . 2008-05-05 19:58 24 ---hs---- C:\WINDOWS\SE28D96A8.tmp
2008-05-04 14:07 . 2008-05-04 14:07 19,464 --a------ C:\Documents and Settings\Tienny\Application Data\GDIPFONTCACHEV1.DAT
2008-04-29 14:15 . 2008-04-29 14:22 106,525,784 --a------ C:\[7] Xrated Beats [Electro] [MIXTAPE] FEB 08.mp3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 19:08 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-28 18:24 --------- d-----w C:\Program Files\Steam
2008-05-26 22:36 --------- d-----w C:\Program Files\Real
2008-05-26 22:35 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-25 21:32 --------- d-----w C:\Documents and Settings\Tienny\Application Data\mIRC
2008-05-25 18:08 --------- d-----w C:\Program Files\mIRC
2008-05-18 04:31 --------- d-----w C:\Documents and Settings\Tienny\Application Data\LimeWire
2008-05-16 00:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-28 21:05 --------- d-----w C:\Documents and Settings\Tienny\Application Data\dvdcss
2008-04-22 20:14 --------- d-----w C:\Program Files\ASIO4ALL v2
2008-04-09 10:48 1,343,592 ----a-w C:\WINDOWS\msvnc32.exe
2008-04-06 04:59 --------- d-----w C:\Documents and Settings\Tienny\Application Data\ATI
2008-03-31 21:16 --------- d-----w C:\Documents and Settings\Tienny\Application Data\Media Player Classic
2008-03-29 16:28 1,343,592 ----a-w C:\WINDOWS\msvnc64.exe
2008-03-02 20:50 1,363,184 ----a-w C:\WINDOWS\pic0382.zip
2007-11-23 22:30 22,328 ----a-w C:\Documents and Settings\Tienny\Application Data\PnkBstrK.sys
2004-08-04 07:56 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\ijji\\ENGLISH\\u_skid.exe"=
"C:\\Program Files\\DriftCity\\DriftCity.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Nexon\\KartRider\\NMService.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\frontline46804\\counter-strike\\hl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 17:10]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 02:44:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 16:38:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-29 16:44:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 20:43:59

Pre-Run: 32,387,702,784 bytes free
Post-Run: 33,503,825,920 bytes free

268 --- E O F --- 2008-05-15 21:47:43
  • 0

#4
greyknight17
Posted 30 May 2008 - 09:19 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\config\systemprofile\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
C:\fsaua.data
C:\WINDOWS\system32\iifcCtRL.dll.vir
C:\8.tmp
C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\Tienny\ftp34.dll
C:\WINDOWS\msvnc64.exe
C:\WINDOWS\system32\1112.dat

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

#5
Simore
Posted 31 May 2008 - 02:09 PM

Simore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
The computer works good now but i have these images that are created from no where. It says somethingsomethingmp3.jpg
  • 0

#6
greyknight17
Posted 01 June 2008 - 11:42 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please post the new combofix log as requested...

Where are these images located at?
  • 0

#7
Simore
Posted 02 June 2008 - 07:08 PM

Simore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I ran the CFScript.txt with Combofix but i forgot to save the log so, here is the latest log..

The images are located where ever there are mp3s in this computer.

ComboFix 08-05-29.1 - Tienny 2008-06-02 20:58:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2445 [GMT -4:00]
Running from: C:\Documents and Settings\Tienny\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\svchost.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POWERMANAGER
-------\Service_PowerManager


((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-02 18:09 . 2008-06-02 18:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-02 18:09 . 2008-06-02 18:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-01 17:50 . 2008-06-01 20:17 <DIR> d-------- C:\Shared
2008-05-28 16:35 . 2008-05-28 16:35 <DIR> d-------- C:\VundoFix Backups
2008-05-28 16:31 . 2008-05-28 16:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 16:29 . 2008-05-28 16:29 <DIR> d-------- C:\Documents and Settings\Tienny\Application Data\Malwarebytes
2008-05-28 16:28 . 2008-05-28 16:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 16:28 . 2008-05-28 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 16:28 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 16:28 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 16:27 . 2008-05-28 16:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-27 16:29 . 2008-05-27 16:29 <DIR> d-------- C:\fsaua.data
2008-05-25 18:29 . 2008-05-25 18:29 <DIR> d-------- C:\Documents and Settings\Tienny\Application Data\Thinstall
2008-05-25 17:43 . 2008-05-25 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-22 22:56 . 2008-05-22 22:57 <DIR> d-------- C:\Program Files\WM Converter
2008-05-21 15:08 . 2004-08-04 01:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-21 15:08 . 2004-08-04 01:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-20 22:34 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-20 22:34 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-15 20:58 . 2008-05-15 20:58 <DIR> d-------- C:\Program Files\Bonjour
2008-05-15 20:48 . 2008-05-15 20:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-10 04:09 . 2008-05-10 04:09 <DIR> d-------- C:\Iron_Man_USA_XBOX360-VORTEX
2008-05-05 19:53 . 2008-05-28 08:47 <DIR> d-------- C:\Program Files\SlySoft
2008-05-05 19:53 . 2008-05-05 19:58 24 ---hs---- C:\WINDOWS\SE28D96A8.tmp
2008-05-04 14:07 . 2008-05-04 14:07 19,464 --a------ C:\Documents and Settings\Tienny\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 21:58 --------- d-----w C:\Program Files\Steam
2008-06-02 02:53 --------- d-----w C:\Documents and Settings\Tienny\Application Data\mIRC
2008-06-02 01:42 --------- d-----w C:\Program Files\mIRC
2008-06-02 00:17 --------- d-----w C:\Documents and Settings\Tienny\Application Data\LimeWire
2008-06-01 20:02 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-26 22:36 --------- d-----w C:\Program Files\Real
2008-05-26 22:35 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-16 00:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-28 21:05 --------- d-----w C:\Documents and Settings\Tienny\Application Data\dvdcss
2008-04-22 20:14 --------- d-----w C:\Program Files\ASIO4ALL v2
2008-04-09 10:48 1,343,592 ----a-w C:\WINDOWS\msvnc32.exe
2008-04-06 04:59 --------- d-----w C:\Documents and Settings\Tienny\Application Data\ATI
2007-11-23 22:30 22,328 ----a-w C:\Documents and Settings\Tienny\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_16.43.47.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 20:37:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-03 01:01:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\ijji\\ENGLISH\\u_skid.exe"=
"C:\\Program Files\\DriftCity\\DriftCity.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Nexon\\KartRider\\NMService.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\frontline46804\\counter-strike\\hl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 17:10]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 02:44:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 21:01:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2008-06-02 21:07:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-03 01:07:36
ComboFix2.txt 2008-05-31 20:08:26
ComboFix3.txt 2008-05-29 20:44:20

Pre-Run: 33,348,341,760 bytes free
Post-Run: 33,443,975,168 bytes free

143 --- E O F --- 2008-05-15 21:47:43

Edited by Simore, 02 June 2008 - 07:10 PM.

  • 0

#8
greyknight17
Posted 04 June 2008 - 01:31 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do you still get those random images? If so, you still haven't told me where they were located. If they are gone now, it should be good.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hti OK to remove it. You should be set to go.
  • 0

#9
greyknight17
Posted 11 June 2008 - 09:47 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP