badly infected [CLOSED]


This topic is locked

#1 taz_26 (New Member, 4 posts)
Hi all, hope someone can help. Popups and rogue spyware, can barely use the internet.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:59 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svdhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: {f18fbbf5-7993-1618-2634-1615bbd91be0} - {0eb19dbb-5161-4362-8161-39975fbbf81f} - C:\WINDOWS\system32\nrssbbqp.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\gesplvtv.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - (no file)
O2 - BHO: (no name) - {D4DAF13F-C8B6-40DC-8EE0-0A9C9A019AE9} - (no file)
O2 - BHO: (no name) - {E23136A1-1AC4-4D1B-926F-5D537CFFF359} - C:\WINDOWS\system32\jkkLCvUK.dll
O2 - BHO: (no name) - {FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629} - C:\WINDOWS\system32\rqRIxurO.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Sound] svdhost.exe
O4 - HKLM\..\Run: [BMff8b010f] Rundll32.exe "C:\WINDOWS\system32\huxpitqe.dll",s
O4 - HKLM\..\Run: [fcb83293] rundll32.exe "C:\WINDOWS\system32\illjyyly.dll",b
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKLM\..\RunServices: [Windows Sound] svdhost.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4329] command /c del "C:\WINDOWS\system32\rqRIxurO.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1628] cmd /c del "C:\WINDOWS\system32\rqRIxurO.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingB8115] command /c del "C:\WINDOWS\system32\rqRIxurO.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5887] cmd /c del "C:\WINDOWS\system32\rqRIxurO.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: jkkLCvUK - C:\WINDOWS\SYSTEM32\jkkLCvUK.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8116 bytes
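Added example, not part of the thread and not a tool the helpers used: a small Python triage pass over HijackThis log lines that flags by rule what a log reader spots by eye in the log above. The sample lines are copied from that log; the detection heuristics (one-character lookalikes of system binaries such as svdhost.exe and svehost.exe against svchost.exe, eight-letter alphabetic DLL names under system32 loaded as a BHO, Winlogon Notify hook or rundll32 autostart, and entries whose file is already missing) are this example's own assumptions, not a verdict on any specific file.

```python
"""Triage heuristics for HijackThis (HJT) log lines. Added example, not the thread's own tooling."""
import re

# Windows XP binaries that malware imitates by changing a single character.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
}

# Assumption of this example: an all-alphabetic, eight-letter basename under
# system32 is treated as randomly generated. Legitimate eight-letter DLLs exist,
# so allowlist known-good names before acting on a hit.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}\.(?:dll|exe)$")
HJT_ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")
SYSTEM32_DIR = "c:\\windows\\system32\\"


def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1]


def lookalike_of(name):
    """Return the system binary that `name` differs from by exactly one character, else None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in KNOWN_SYSTEM_BINARIES:
        if len(known) == len(name) and sum(a != b for a, b in zip(known, name)) == 1:
            return known
    return None


def random_system32_dll(path):
    p = path.strip().strip('"')
    return p.lower().startswith(SYSTEM32_DIR) and bool(RANDOM_NAME.match(basename(p)))


def triage(log_text):
    """Return a list of (line_number, reason, line) for each suspicious HJT line."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HJT_ENTRY.match(line)
        if not m:
            # The "Running processes" section lists bare paths, one per line.
            if line.lower().startswith("c:\\"):
                known = lookalike_of(basename(line))
                if known:
                    findings.append((lineno, f"process name imitates {known}", line))
            continue
        kind, body = m.groups()
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((lineno, "orphaned entry, file missing", line))
        elif kind in ("O2", "O3", "O20", "O21", "O22"):
            # BHO, toolbar, Winlogon Notify, ShellExecuteHooks: the path is the last " - " field.
            if random_system32_dll(body.rsplit(" - ", 1)[-1]):
                findings.append((lineno, "randomly named DLL in system32", line))
        elif kind == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1].strip()   # drop 'HKLM\..\Run: [name] '
            if not cmd:
                continue
            exe = basename(cmd.split('"')[1]) if cmd.startswith('"') else basename(cmd.split()[0])
            known = lookalike_of(exe)
            if known:
                findings.append((lineno, f"autostart imitates {known}", line))
            elif exe.lower() in ("rundll32.exe", "rundll32"):
                dll = re.search(r'"?([^",]+\.dll)', cmd, re.IGNORECASE)
                if dll and random_system32_dll(dll.group(1)):
                    findings.append((lineno, "rundll32 loads randomly named DLL", line))
            elif not cmd.startswith('"') and "\\" not in cmd.split()[0]:
                findings.append((lineno, "autostart is a bare filename resolved via PATH", line))
    return findings


# Sample input: lines copied from the first HJT log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svdhost.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\gesplvtv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - (no file)
O2 - BHO: (no name) - {FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629} - C:\WINDOWS\system32\rqRIxurO.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Sound] svdhost.exe
O4 - HKLM\..\Run: [BMff8b010f] Rundll32.exe "C:\WINDOWS\system32\huxpitqe.dll",s
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O20 - Winlogon Notify: jkkLCvUK - C:\WINDOWS\SYSTEM32\jkkLCvUK.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for n, reason, text in triage(SAMPLE_LOG):
        print(f"line {n:>3}: {reason:<45} {text}")
```

Run on the sample, it reports the svdhost.exe process and both svdhost/svehost autostarts as svchost.exe lookalikes, the two BHOs and the Winlogon Notify hook that point at eight-letter DLLs in system32, the Rundll32 autostart loading huxpitqe.dll, and the two BHO entries whose files are already gone; the Symantec, Java and ATI entries pass. Treat hits as things to look at, not as a cleaning list: the lookalike and random-name rules are heuristics and a known-good allowlist belongs in front of them.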



#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 taz_26 (Topic Starter, New Member, 4 posts)
Hi Rorschach112
The internet has got faster since scanning with ComboFix. Kaspersky is still scanning, taking a while.

ComboFix 08-05-29.1 - Admin 2008-06-01 20:26:52.1 - NTFSx86
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMff8b010f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aiuxhdsm.dll
C:\WINDOWS\system32\akavukec.dll
C:\WINDOWS\system32\bnmloady.ini
C:\WINDOWS\system32\bowoljhf.dll
C:\WINDOWS\system32\bslfxouj.ini
C:\WINDOWS\system32\cdmekvhy.ini
C:\WINDOWS\system32\ciuhcwhd.dll
C:\WINDOWS\system32\cnwfelrl.ini
C:\WINDOWS\system32\cxasxjel.dll
C:\WINDOWS\system32\dhwchuic.tmp
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\edncppjt.dll
C:\WINDOWS\system32\emphuhdy.ini
C:\WINDOWS\system32\eqspcieq.dll
C:\WINDOWS\system32\foinaxom.ini
C:\WINDOWS\system32\fpowphin.ini
C:\WINDOWS\system32\gnhxjspj.dll
C:\WINDOWS\system32\gowqsiee.dll
C:\WINDOWS\system32\grwgxmai.dll
C:\WINDOWS\system32\gwnqwuvl.dll
C:\WINDOWS\system32\gygoeujg.dll
C:\WINDOWS\system32\hqlexgxm.ini
C:\WINDOWS\system32\humtidym.ini
C:\WINDOWS\system32\huxpitqe.dll
C:\WINDOWS\system32\iamubgib.ini
C:\WINDOWS\system32\illjyyly.dll
C:\WINDOWS\system32\imletvoi.dll
C:\WINDOWS\system32\iosdneqc.dll
C:\WINDOWS\system32\isdjysjw.ini
C:\WINDOWS\system32\iulusrco.ini
C:\WINDOWS\system32\jdqvycdl.dll
C:\WINDOWS\system32\jljexaxc.dll
C:\WINDOWS\system32\jokurwho.ini
C:\WINDOWS\system32\jtchdifh.ini
C:\WINDOWS\system32\kddbsdix.dll
C:\WINDOWS\system32\kphwgefx.ini
C:\WINDOWS\system32\ktoojxrs.ini
C:\WINDOWS\system32\lahdlfyg.ini
C:\WINDOWS\system32\ljJYOfdA.dll
C:\WINDOWS\system32\lmgeafrk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhdujddu.dll
C:\WINDOWS\system32\mplsdggi.dll
C:\WINDOWS\system32\msnhdjjs.ini
C:\WINDOWS\system32\mspoeftb.ini
C:\WINDOWS\system32\myeocsdv.ini
C:\WINDOWS\system32\nfuoffse.ini
C:\WINDOWS\system32\nrssbbqp.dll
C:\WINDOWS\system32\ntbhnwxh.dll
C:\WINDOWS\system32\ofejtjtk.ini
C:\WINDOWS\system32\ombgcgis.dll
C:\WINDOWS\system32\oogaiwct.ini
C:\WINDOWS\system32\OruxIRqr.ini
C:\WINDOWS\system32\OruxIRqr.ini2
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pauveaww.ini
C:\WINDOWS\system32\pepavlpx.ini
C:\WINDOWS\system32\pknfpwvo.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\qbglpokl.dll
C:\WINDOWS\system32\qbnwcxvq.dll
C:\WINDOWS\system32\qxtwccvb.dll
C:\WINDOWS\system32\ratjtufy.ini
C:\WINDOWS\system32\rfdtrwsl.ini
C:\WINDOWS\system32\rjsdgmoh.ini
C:\WINDOWS\system32\rkqykpvp.ini
C:\WINDOWS\system32\rlcaosyv.ini
C:\WINDOWS\system32\rldvorpy.ini
C:\WINDOWS\system32\rreajlbp.dll
C:\WINDOWS\system32\rtqibafj.dll
C:\WINDOWS\system32\sffwshsa.ini
C:\WINDOWS\system32\svdhost.exe
C:\WINDOWS\system32\thlbfeop.ini
C:\WINDOWS\system32\ucyuddol.dll
C:\WINDOWS\system32\uDNUxGgh.ini
C:\WINDOWS\system32\uDNUxGgh.ini2
C:\WINDOWS\system32\uiaxcjlp.ini
C:\WINDOWS\system32\ukhqkpmp.dll
C:\WINDOWS\system32\uuaqhlbt.ini
C:\WINDOWS\system32\UvGNonmp.ini
C:\WINDOWS\system32\UvGNonmp.ini2
C:\WINDOWS\system32\vlbvfseg.dll
C:\WINDOWS\system32\vnsnoxmb.dll
C:\WINDOWS\system32\vxxdrprn.ini
C:\WINDOWS\system32\wHklmnmp.ini
C:\WINDOWS\system32\wHklmnmp.ini2
C:\WINDOWS\system32\wjxwpjsr.ini
C:\WINDOWS\system32\wnoxiglh.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xkmcjgum.ini
C:\WINDOWS\system32\xppanpsx.ini
C:\WINDOWS\system32\ylyyjlli.ini
C:\WINDOWS\system32\yvpoysaq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 18:20 . 2008-06-01 18:21 <DIR> d-------- C:\hijackthis
2008-06-01 18:03 . 2008-06-01 18:03 95 --a------ C:\WINDOWS\wininit.ini
2008-06-01 17:04 . 2008-06-01 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 17:04 . 2008-06-01 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 10:53 . 2008-06-01 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-06-01 10:51 . 2008-06-01 10:53 <DIR> d-------- C:\Program Files\Pastry Passion
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\Admin\Saved Games
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Flood Light Games
2008-06-01 10:12 . 2008-06-01 10:25 <DIR> d-------- C:\Program Files\Womens Murder Club Death In Scarlet
2008-06-01 10:11 . 2008-06-01 10:11 92,160 --a------ C:\WINDOWS\system32\gesplvtv.dll
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Meridian93
2008-05-31 13:57 . 2008-05-31 14:11 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-05-31 13:56 . 2008-05-31 23:18 <DIR> d-------- C:\Program Files\Unicorn Castle
2008-05-31 12:06 . 2008-05-31 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-05-31 12:06 . 2008-05-31 12:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ludia
2008-05-31 12:02 . 2008-05-31 12:02 <DIR> d-------- C:\WINDOWS\[bleep]'s Kitchen
2008-05-31 12:02 . 2008-05-31 12:03 <DIR> d-------- C:\Program Files\[bleep]'s Kitchen
2008-05-31 10:09 . 2008-05-31 10:09 92,160 --a------ C:\WINDOWS\system32\sjohcevg.dll
2008-05-31 09:54 . 2008-05-31 09:54 92,160 --a------ C:\WINDOWS\system32\qmujqpsy.dll
2008-05-30 20:15 . 2008-05-30 20:16 <DIR> d-------- C:\Program Files\Virtual Villagers The Secret City
2008-05-30 19:46 . 2008-05-30 19:46 92,160 --a------ C:\WINDOWS\system32\wmhakoci.dll
2008-05-30 18:39 . 2008-05-30 18:39 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 20:56 . 2008-05-29 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Awem
2008-05-29 19:44 . 2008-05-29 19:44 92,160 --a------ C:\WINDOWS\system32\pfkmnavd.dll
2008-05-29 18:34 . 2008-05-29 20:56 <DIR> d-------- C:\Program Files\Cradle Of Persia
2008-05-29 18:33 . 2008-05-29 18:36 <DIR> d-------- C:\Program Files\Cradle Of Rome
2008-05-28 18:43 . 2008-05-28 18:44 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\7Wonders
2008-05-28 18:42 . 2008-05-28 18:42 92,160 --a------ C:\WINDOWS\system32\fytayusn.dll
2008-05-28 18:41 . 2008-05-28 18:43 <DIR> d-------- C:\Program Files\7 Wonders
2008-05-28 15:08 . 2008-05-28 15:08 92,160 --a------ C:\WINDOWS\system32\gqruigqt.dll
2008-05-28 13:53 . 2008-05-28 13:53 92,160 --a------ C:\WINDOWS\system32\qhieubit.dll
2008-05-27 20:35 . 2008-05-27 20:35 92,160 --a------ C:\WINDOWS\system32\yexvpefo.dll
2008-05-26 20:32 . 2008-05-26 20:32 92,160 --a------ C:\WINDOWS\system32\lqfcdtki.dll
2008-05-26 03:49 . 2008-05-26 03:50 92,160 --a------ C:\WINDOWS\system32\tkxybife.dll
2008-05-26 02:49 . 2008-05-26 02:49 92,160 --a------ C:\WINDOWS\system32\kknggttx.dll
2008-05-25 02:46 . 2008-05-25 02:46 92,160 --a------ C:\WINDOWS\system32\eaecrkpv.dll
2008-05-24 02:42 . 2008-05-24 02:42 92,160 --a------ C:\WINDOWS\system32\oulnkgch.dll
2008-05-23 02:41 . 2008-05-23 02:41 92,160 --a------ C:\WINDOWS\system32\wurjeugr.dll
2008-05-22 23:20 . 2008-05-22 23:20 92,160 --a------ C:\WINDOWS\system32\jieiejqj.dll
2008-05-22 11:42 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-22 11:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-22 11:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-22 11:42 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-22 01:04 . 2008-05-22 01:11 <DIR> d-------- C:\Program Files\Image Mender
2008-05-21 23:17 . 2008-05-21 23:17 92,160 --a------ C:\WINDOWS\system32\sdolscys.dll
2008-05-20 23:17 . 2008-05-20 23:17 92,160 --a------ C:\WINDOWS\system32\jdigwssa.dll
2008-05-19 23:17 . 2008-05-19 23:17 92,160 --a------ C:\WINDOWS\system32\wrbysxwn.dll
2008-05-19 22:14 . 2008-05-19 22:15 50,812 --a------ C:\WINDOWS\system32\ochjqujq.dll
2008-05-19 16:55 . 2008-05-19 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii Games
2008-05-19 16:55 . 2008-05-19 16:55 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Gogii Games
2008-05-19 02:39 . 2008-05-19 02:39 <DIR> d-------- C:\WINDOWS\Womens Murder Club
2008-05-18 22:09 . 2008-05-18 22:09 49,356 --a------ C:\WINDOWS\system32\udvoiqts.dll
2008-05-18 22:08 . 2008-05-18 22:08 371,200 --a------ C:\WINDOWS\system32\rqRIxurO.dll_old
2008-05-18 22:04 . 2008-05-18 22:04 <DIR> d-------- C:\WINDOWS\Mystery Museum
2008-05-18 22:04 . 2008-05-19 20:01 <DIR> d-------- C:\Program Files\Mystery Museum
2008-05-18 22:04 . 2008-05-18 22:04 472,576 --a------ C:\Temp\irsetup.exe
2008-05-18 22:04 . 2008-05-18 22:04 56,320 --a------ C:\WINDOWS\system32\efcCspOF.dll
2008-05-18 22:03 . 2008-05-18 22:03 56,320 --a------ C:\WINDOWS\system32\jkkLCvUK.dll
2008-05-18 13:48 . 2008-05-18 13:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SultanofPersia
2008-05-18 13:47 . <DIR> C:\WINDOWS\Sultan of Persia
2008-05-18 13:47 . <DIR> C:\Program Files\Sultan of Persia
2008-05-17 14:34 . 2008-05-17 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-17 03:02 . 2008-05-17 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 16:06 . 2008-05-16 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-16 16:05 . 2008-05-16 16:05 <DIR> d-------- C:\WINDOWS\Lara Johns
2008-05-16 16:05 . 2008-05-16 16:06 <DIR> d-------- C:\Program Files\Lara Johns
2008-05-16 12:21 . 2008-05-16 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterAction studios
2008-05-16 12:20 . 2008-05-16 12:24 <DIR> d-------- C:\Program Files\Chicken Invaders 3
2008-05-12 23:24 . 2008-05-12 23:24 7,076 --a------ C:\WINDOWS\system32\waogxmqv.dll
2008-05-12 14:44 . 2008-05-12 14:44 1,505,304 --ahs---- C:\WINDOWS\system32\hqlexgxm.tmp
2008-05-11 15:22 . 2008-05-11 15:22 1,507,320 --ahs---- C:\WINDOWS\system32\alwgyxey.tmp
2008-05-11 14:29 . 2008-05-11 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-05-11 14:28 . 2008-05-12 10:21 <DIR> d-------- C:\Program Files\Elf Bowling The Last Insult
2008-05-08 23:52 . 2008-05-08 23:52 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Cat's Eye Games
2008-05-08 23:50 . 2008-05-10 03:21 <DIR> d-------- C:\Program Files\Luckys Rainbow
2008-05-08 09:18 . 2008-05-08 09:18 52,272 --a------ C:\WINDOWS\system32\jqxqumxf.dll
2008-05-07 05:23 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-05-07 05:23 . 2005-07-06 18:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-07 05:23 . 2005-07-06 18:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-05 22:41 . 2008-05-05 22:41 <DIR> d-------- C:\Program Files\CleanMyPC
2008-05-03 16:27 . 2008-05-03 16:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Intenium
2008-05-03 16:26 . <DIR> C:\WINDOWS\Chicken Attack Deluxe
2008-05-03 16:26 . <DIR> C:\Program Files\Chicken Attack Deluxe
2008-05-03 16:26 . 2008-06-01 21:08 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 14:01 . 2008-05-04 14:28 886 --ahs---- C:\WINDOWS\system32\epvniswg.ini
2008-05-02 18:23 . 2008-05-02 18:23 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-02 18:23 . 2008-05-02 18:23 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-01 10:01 . 2008-05-01 10:01 <DIR> d-------- C:\WINDOWS\OceaniX
2008-05-01 10:01 . 2008-05-01 10:01 <DIR> d-------- C:\Program Files\OceaniX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 20:05 --------- d-----w C:\Documents and Settings\Admin\Application Data\DNA
2008-06-01 20:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-01 15:43 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-05-28 17:36 --------- d-----w C:\Program Files\In Living Colors
2008-05-26 08:14 --------- d-----w C:\Program Files\DNA
2008-05-24 16:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Vso
2008-05-17 14:10 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-17 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-30 23:44 --------- d-----w C:\Program Files\Astro Avenger 2
2008-04-30 16:34 88 --sh--r C:\Documents and Settings\All Users\Application Data\C5172F7015.sys
2008-04-30 16:34 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-04-30 16:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\Corel
2008-04-24 03:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 03:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-24 03:06 --------- d-----w C:\Program Files\Cheetah Burner
2008-04-21 15:36 --------- d-----w C:\Program Files\Cooking Academy
2008-04-21 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-21 11:02 --------- d-----w C:\Documents and Settings\Admin\Application Data\Sahmon Games
2008-04-19 15:16 --------- d-----w C:\Program Files\Zuma Deluxe
2008-04-17 22:38 --------- d-----w C:\Program Files\Fishing Craze
2008-04-15 23:58 --------- d-----w C:\Program Files\Hidden Mysteries Civil War
2008-04-12 03:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\Restorer
2008-04-10 19:16 532,480 ----a-w C:\WINDOWS\system32\kidzone_screensaver.scr
2008-04-08 22:30 --------- d-----w C:\Program Files\Mystery Cookbook
2008-04-08 22:30 --------- d-----w C:\Documents and Settings\Admin\Application Data\Gaijin Ent
2008-04-08 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-05 21:54 --------- d-----w C:\Program Files\Escape the Museum
2008-04-04 22:57 --------- d-----w C:\Program Files\Alawar
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\dllcache\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 15:43 126,976 ----a-w C:\WINDOWS\system32\keymaker.exe
2008-02-10 22:04 87,608 ----a-w C:\Documents and Settings\Admin\Application Data\ezpinst.exe
2008-02-10 22:04 47,360 ----a-w C:\Documents and Settings\Admin\Application Data\pcouffin.sys
2008-02-10 21:06 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-02-10 21:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-02-10 21:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008021020080211\index.dat
2008-02-10 21:06 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 19:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-10-08 05:55 2223616 95e8b55443bd91dab5632924d2616a1e C:\WINDOWS\system32\ntkrnlpa.exe

2008-04-13 20:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-10-08 05:48 2346752 24fcd8fb0c6bd0e5f3b1203769948336 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
2008-06-01 10:11 92160 --a------ C:\WINDOWS\system32\gesplvtv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 01:45 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
2008-05-18 22:03 56320 --a------ C:\WINDOWS\system32\jkkLCvUK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629}]
C:\WINDOWS\system32\rqRIxurO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 06:11 68856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 04:12 289088]
"Registry Cleaner Scheduler"="C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2008-04-02 04:27 913664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 22:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-05-18 09:30 1230848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 14:03 124928 C:\WINDOWS\system32\advpack.dll]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"= C:\WINDOWS\system32\jkkLCvUK.dll [2008-05-18 22:03 56320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLCvUK]
jkkLCvUK.dll 2008-05-18 22:03 56320 C:\WINDOWS\system32\jkkLCvUK.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 cmipci;CMI8738/8768 Audio Driver;C:\WINDOWS\system32\drivers\cmipci.sys [2007-07-24 00:52]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
HIDEC /W "%VAIOTOOLS%\regtlib.exe" "%ProgramFiles%\Windows Sidebar\sidebar.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 08:07:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Admin.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 21:08:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkLCvUK.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\khfEWNgH.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-01 21:13:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 20:13:28

Pre-Run: 21,994,766,336 bytes free
Post-Run: 21,868,568,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

356 --- E O F --- 2008-05-17 02:06:57



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:48 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BMff8b010f] Rundll32.exe "C:\WINDOWS\system32\iwovthdn.dll",s
O4 - HKLM\..\Run: [fcb83293] rundll32.exe "C:\WINDOWS\system32\emmlcdon.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6119 bytes

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do this after Kaspersky


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\gesplvtv.dll
C:\WINDOWS\system32\sjohcevg.dll
C:\WINDOWS\system32\qmujqpsy.dll
C:\WINDOWS\system32\wmhakoci.dll
C:\WINDOWS\system32\pfkmnavd.dll
C:\WINDOWS\system32\fytayusn.dll
C:\WINDOWS\system32\gqruigqt.dll
C:\WINDOWS\system32\qhieubit.dll
C:\WINDOWS\system32\yexvpefo.dll
C:\WINDOWS\system32\lqfcdtki.dll
C:\WINDOWS\system32\tkxybife.dll
C:\WINDOWS\system32\kknggttx.dll
C:\WINDOWS\system32\eaecrkpv.dll
C:\WINDOWS\system32\oulnkgch.dll
C:\WINDOWS\system32\wurjeugr.dll
C:\WINDOWS\system32\jieiejqj.dll
C:\WINDOWS\system32\sdolscys.dll
C:\WINDOWS\system32\jdigwssa.dll
C:\WINDOWS\system32\wrbysxwn.dll
C:\WINDOWS\system32\ochjqujq.dll
C:\WINDOWS\system32\udvoiqts.dll
C:\WINDOWS\system32\rqRIxurO.dll_old
C:\Temp\irsetup.exe
C:\WINDOWS\system32\efcCspOF.dll
C:\WINDOWS\system32\jkkLCvUK.dll
C:\WINDOWS\system32\waogxmqv.dll
C:\WINDOWS\system32\hqlexgxm.tmp
C:\WINDOWS\system32\alwgyxey.tmp
C:\WINDOWS\system32\epvniswg.ini

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLCvUK]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#5
taz_26

    New Member

  • Topic Starter
  • Member
  • 4 posts
Completed ComboFix scan.

ComboFix 08-05-29.1 - Admin 2008-06-01 22:57:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.200 [GMT 1:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\Temp\irsetup.exe
C:\WINDOWS\system32\alwgyxey.tmp
C:\WINDOWS\system32\eaecrkpv.dll
C:\WINDOWS\system32\efcCspOF.dll
C:\WINDOWS\system32\epvniswg.ini
C:\WINDOWS\system32\fytayusn.dll
C:\WINDOWS\system32\gesplvtv.dll
C:\WINDOWS\system32\gqruigqt.dll
C:\WINDOWS\system32\hqlexgxm.tmp
C:\WINDOWS\system32\jdigwssa.dll
C:\WINDOWS\system32\jieiejqj.dll
C:\WINDOWS\system32\jkkLCvUK.dll
C:\WINDOWS\system32\kknggttx.dll
C:\WINDOWS\system32\lqfcdtki.dll
C:\WINDOWS\system32\ochjqujq.dll
C:\WINDOWS\system32\oulnkgch.dll
C:\WINDOWS\system32\pfkmnavd.dll
C:\WINDOWS\system32\qhieubit.dll
C:\WINDOWS\system32\qmujqpsy.dll
C:\WINDOWS\system32\rqRIxurO.dll_old
C:\WINDOWS\system32\sdolscys.dll
C:\WINDOWS\system32\sjohcevg.dll
C:\WINDOWS\system32\tkxybife.dll
C:\WINDOWS\system32\udvoiqts.dll
C:\WINDOWS\system32\waogxmqv.dll
C:\WINDOWS\system32\wmhakoci.dll
C:\WINDOWS\system32\wrbysxwn.dll
C:\WINDOWS\system32\wurjeugr.dll
C:\WINDOWS\system32\yexvpefo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\irsetup.exe
C:\WINDOWS\BMff8b010f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\alwgyxey.tmp
C:\WINDOWS\system32\eaecrkpv.dll
C:\WINDOWS\system32\efcCspOF.dll
C:\WINDOWS\system32\emmlcdon.dll
C:\WINDOWS\system32\epvniswg.ini
C:\WINDOWS\system32\fytayusn.dll
C:\WINDOWS\system32\gesplvtv.dll
C:\WINDOWS\system32\gqruigqt.dll
C:\WINDOWS\system32\HgNWEfhk.ini
C:\WINDOWS\system32\HgNWEfhk.ini2
C:\WINDOWS\system32\hqlexgxm.tmp
C:\WINDOWS\system32\iwovthdn.dll
C:\WINDOWS\system32\jdigwssa.dll
C:\WINDOWS\system32\jieiejqj.dll
C:\WINDOWS\system32\jkkLCvUK.dll
C:\WINDOWS\system32\khfEWNgH.dll
C:\WINDOWS\system32\kknggttx.dll
C:\WINDOWS\system32\lqfcdtki.dll
C:\WINDOWS\system32\nodclmme.ini
C:\WINDOWS\system32\ochjqujq.dll
C:\WINDOWS\system32\oulnkgch.dll
C:\WINDOWS\system32\pctsgkhk.dll
C:\WINDOWS\system32\pfkmnavd.dll
C:\WINDOWS\system32\qhieubit.dll
C:\WINDOWS\system32\qmujqpsy.dll
C:\WINDOWS\system32\rqRIxurO.dll_old
C:\WINDOWS\system32\sdolscys.dll
C:\WINDOWS\system32\sjohcevg.dll
C:\WINDOWS\system32\tkxybife.dll
C:\WINDOWS\system32\udvoiqts.dll
C:\WINDOWS\system32\waogxmqv.dll
C:\WINDOWS\system32\wmhakoci.dll
C:\WINDOWS\system32\wrbysxwn.dll
C:\WINDOWS\system32\wurjeugr.dll
C:\WINDOWS\system32\yexvpefo.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 21:19 . 2008-06-01 21:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 21:19 . 2008-06-01 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 21:14 . 2008-06-01 21:14 92,160 --a------ C:\WINDOWS\system32\vwbvivjs.dll
2008-06-01 18:20 . 2008-06-01 22:01 <DIR> d-------- C:\hijackthis
2008-06-01 18:03 . 2008-06-01 18:03 95 --a------ C:\WINDOWS\wininit.ini
2008-06-01 17:04 . 2008-06-01 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 17:04 . 2008-06-01 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 10:53 . 2008-06-01 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-06-01 10:51 . 2008-06-01 10:53 <DIR> d-------- C:\Program Files\Pastry Passion
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\Admin\Saved Games
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Flood Light Games
2008-06-01 10:12 . 2008-06-01 10:25 <DIR> d-------- C:\Program Files\Womens Murder Club Death In Scarlet
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Meridian93
2008-05-31 13:57 . 2008-05-31 14:11 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-05-31 13:56 . 2008-05-31 23:18 <DIR> d-------- C:\Program Files\Unicorn Castle
2008-05-31 12:06 . 2008-05-31 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-05-31 12:06 . 2008-05-31 12:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ludia
2008-05-31 12:02 . 2008-05-31 12:02 <DIR> d-------- C:\WINDOWS\[bleep]'s Kitchen
2008-05-31 12:02 . 2008-05-31 12:03 <DIR> d-------- C:\Program Files\[bleep]'s Kitchen
2008-05-30 20:15 . 2008-05-30 20:16 <DIR> d-------- C:\Program Files\Virtual Villagers The Secret City
2008-05-30 18:39 . 2008-05-30 18:39 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 20:56 . 2008-05-29 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Awem
2008-05-29 18:34 . 2008-05-29 20:56 <DIR> d-------- C:\Program Files\Cradle Of Persia
2008-05-29 18:33 . 2008-05-29 18:36 <DIR> d-------- C:\Program Files\Cradle Of Rome
2008-05-28 18:43 . 2008-05-28 18:44 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\7Wonders
2008-05-28 18:41 . 2008-05-28 18:43 <DIR> d-------- C:\Program Files\7 Wonders
2008-05-22 11:42 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-22 11:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-22 11:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-22 11:42 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-22 01:04 . 2008-05-22 01:11 <DIR> d-------- C:\Program Files\Image Mender
2008-05-19 16:55 . 2008-05-19 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii Games
2008-05-19 16:55 . 2008-05-19 16:55 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Gogii Games
2008-05-19 02:39 . 2008-05-19 02:39 <DIR> d-------- C:\WINDOWS\Womens Murder Club
2008-05-18 22:04 . 2008-05-18 22:04 <DIR> d-------- C:\WINDOWS\Mystery Museum
2008-05-18 22:04 . 2008-05-19 20:01 <DIR> d-------- C:\Program Files\Mystery Museum
2008-05-18 13:48 . 2008-05-18 13:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SultanofPersia
2008-05-18 13:47 . <DIR> C:\WINDOWS\Sultan of Persia
2008-05-18 13:47 . <DIR> C:\Program Files\Sultan of Persia
2008-05-17 14:34 . 2008-05-17 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-17 03:02 . 2008-05-17 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 16:06 . 2008-05-16 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-16 16:05 . 2008-05-16 16:05 <DIR> d-------- C:\WINDOWS\Lara Johns
2008-05-16 16:05 . 2008-05-16 16:06 <DIR> d-------- C:\Program Files\Lara Johns
2008-05-16 12:21 . 2008-05-16 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterAction studios
2008-05-16 12:20 . 2008-05-16 12:24 <DIR> d-------- C:\Program Files\Chicken Invaders 3
2008-05-11 14:29 . 2008-05-11 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-05-11 14:28 . 2008-05-12 10:21 <DIR> d-------- C:\Program Files\Elf Bowling The Last Insult
2008-05-08 23:52 . 2008-05-08 23:52 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Cat's Eye Games
2008-05-08 23:50 . 2008-05-10 03:21 <DIR> d-------- C:\Program Files\Luckys Rainbow
2008-05-08 09:18 . 2008-05-08 09:18 52,272 --a------ C:\WINDOWS\system32\jqxqumxf.dll
2008-05-07 05:23 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-05-07 05:23 . 2005-07-06 18:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-07 05:23 . 2005-07-06 18:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-05 22:41 . 2008-05-05 22:41 <DIR> d-------- C:\Program Files\CleanMyPC
2008-05-03 16:27 . 2008-05-03 16:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Intenium
2008-05-03 16:26 . <DIR> C:\WINDOWS\Chicken Attack Deluxe
2008-05-03 16:26 . <DIR> C:\Program Files\Chicken Attack Deluxe
2008-05-03 16:26 . 2008-06-01 23:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 18:23 . 2008-05-02 18:23 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-02 18:23 . 2008-05-02 18:23 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-01 10:01 . 2008-05-01 10:01 <DIR> d-------- C:\WINDOWS\OceaniX
2008-05-01 10:01 . 2008-05-01 10:01 <DIR> d-------- C:\Program Files\OceaniX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 22:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\DNA
2008-06-01 20:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-01 15:43 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-05-28 17:36 --------- d-----w C:\Program Files\In Living Colors
2008-05-26 08:14 --------- d-----w C:\Program Files\DNA
2008-05-24 16:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Vso
2008-05-17 14:10 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-17 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-30 23:44 --------- d-----w C:\Program Files\Astro Avenger 2
2008-04-30 16:34 88 --sh--r C:\Documents and Settings\All Users\Application Data\C5172F7015.sys
2008-04-30 16:34 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-04-30 16:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\Corel
2008-04-24 03:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 03:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-24 03:06 --------- d-----w C:\Program Files\Cheetah Burner
2008-04-21 15:36 --------- d-----w C:\Program Files\Cooking Academy
2008-04-21 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-21 11:02 --------- d-----w C:\Documents and Settings\Admin\Application Data\Sahmon Games
2008-04-19 15:16 --------- d-----w C:\Program Files\Zuma Deluxe
2008-04-17 22:38 --------- d-----w C:\Program Files\Fishing Craze
2008-04-15 23:58 --------- d-----w C:\Program Files\Hidden Mysteries Civil War
2008-04-12 03:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\Restorer
2008-04-10 19:16 532,480 ----a-w C:\WINDOWS\system32\kidzone_screensaver.scr
2008-04-08 22:30 --------- d-----w C:\Program Files\Mystery Cookbook
2008-04-08 22:30 --------- d-----w C:\Documents and Settings\Admin\Application Data\Gaijin Ent
2008-04-08 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-05 21:54 --------- d-----w C:\Program Files\Escape the Museum
2008-04-04 22:57 --------- d-----w C:\Program Files\Alawar
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\dllcache\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 15:43 126,976 ----a-w C:\WINDOWS\system32\keymaker.exe
2008-02-10 22:04 87,608 ----a-w C:\Documents and Settings\Admin\Application Data\ezpinst.exe
2008-02-10 22:04 47,360 ----a-w C:\Documents and Settings\Admin\Application Data\pcouffin.sys
2008-02-10 21:06 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-02-10 21:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-02-10 21:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008021020080211\index.dat
2008-02-10 21:06 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 19:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-10-08 05:55 2223616 95e8b55443bd91dab5632924d2616a1e C:\WINDOWS\system32\ntkrnlpa.exe

2008-04-13 20:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-10-08 05:48 2346752 24fcd8fb0c6bd0e5f3b1203769948336 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( [email protected]_21.12.39.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 20:06:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 22:09:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-07 04:26:34 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-01 20:12:10 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-07 04:26:34 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-01 20:12:10 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
2008-06-01 21:14 92160 --a------ C:\WINDOWS\system32\vwbvivjs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 01:45 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629}]
C:\WINDOWS\system32\rqRIxurO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 06:11 68856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 04:12 289088]
"Registry Cleaner Scheduler"="C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2008-04-02 04:27 913664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 22:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-05-18 09:30 1230848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 14:03 124928 C:\WINDOWS\system32\advpack.dll]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 cmipci;CMI8738/8768 Audio Driver;C:\WINDOWS\system32\drivers\cmipci.sys [2007-07-24 00:52]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
HIDEC /W "%VAIOTOOLS%\regtlib.exe" "%ProgramFiles%\Windows Sidebar\sidebar.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 08:07:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Admin.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:31 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\vwbvivjs.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629} - C:\WINDOWS\system32\rqRIxurO.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6498 bytes


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 23:10:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-06-01 23:14:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 22:14:10
ComboFix2.txt 2008-06-01 20:13:57

Pre-Run: 21,823,275,008 bytes free
Post-Run: 21,814,947,840 bytes free

290 --- E O F --- 2008-05-17 02:06:57
and I will post the scanned log and HijackThis log.

#6 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Do this after Kaspersky


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vwbvivjs.dll
C:\WINDOWS\system32\jqxqumxf.dll

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#7 taz_26 (Topic Starter, New Member, 4 posts)
Please read the pasted scans. I left Kaspersky running overnight but it did not show any log file.


ComboFix 08-05-29.1 - Admin 2008-06-02 16:23:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.257 [GMT 1:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\jqxqumxf.dll
C:\WINDOWS\system32\vwbvivjs.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jqxqumxf.dll
C:\WINDOWS\system32\vwbvivjs.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-01 21:19 . 2008-06-01 21:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 21:19 . 2008-06-01 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 18:20 . 2008-06-01 23:30 <DIR> d-------- C:\hijackthis
2008-06-01 18:03 . 2008-06-01 18:03 95 --a------ C:\WINDOWS\wininit.ini
2008-06-01 17:04 . 2008-06-01 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 17:04 . 2008-06-01 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 10:53 . 2008-06-01 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-06-01 10:51 . 2008-06-01 10:53 <DIR> d-------- C:\Program Files\Pastry Passion
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\Admin\Saved Games
2008-06-01 10:26 . 2008-06-01 10:26 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Flood Light Games
2008-06-01 10:12 . 2008-06-01 10:25 <DIR> d-------- C:\Program Files\Womens Murder Club Death In Scarlet
2008-05-31 13:59 . 2008-05-31 13:59 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Meridian93
2008-05-31 13:57 . 2008-05-31 14:11 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-05-31 13:56 . 2008-05-31 23:18 <DIR> d-------- C:\Program Files\Unicorn Castle
2008-05-31 12:06 . 2008-05-31 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-05-31 12:06 . 2008-05-31 12:06 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Ludia
2008-05-31 12:02 . 2008-05-31 12:02 <DIR> d-------- C:\WINDOWS\[bleep]'s Kitchen
2008-05-31 12:02 . 2008-05-31 12:03 <DIR> d-------- C:\Program Files\[bleep]'s Kitchen
2008-05-30 20:15 . 2008-05-30 20:16 <DIR> d-------- C:\Program Files\Virtual Villagers The Secret City
2008-05-30 18:39 . 2008-05-30 18:39 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 20:56 . 2008-05-29 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Awem
2008-05-29 18:34 . 2008-05-29 20:56 <DIR> d-------- C:\Program Files\Cradle Of Persia
2008-05-29 18:33 . 2008-05-29 18:36 <DIR> d-------- C:\Program Files\Cradle Of Rome
2008-05-28 18:43 . 2008-05-28 18:44 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\7Wonders
2008-05-28 18:41 . 2008-05-28 18:43 <DIR> d-------- C:\Program Files\7 Wonders
2008-05-22 11:42 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-22 11:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-22 11:42 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-22 11:42 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-22 01:04 . 2008-05-22 01:11 <DIR> d-------- C:\Program Files\Image Mender
2008-05-19 16:55 . 2008-05-19 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii Games
2008-05-19 16:55 . 2008-05-19 16:55 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Gogii Games
2008-05-19 02:39 . 2008-05-19 02:39 <DIR> d-------- C:\WINDOWS\Womens Murder Club
2008-05-18 22:04 . 2008-05-18 22:04 <DIR> d-------- C:\WINDOWS\Mystery Museum
2008-05-18 22:04 . 2008-05-19 20:01 <DIR> d-------- C:\Program Files\Mystery Museum
2008-05-18 13:48 . 2008-05-18 13:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SultanofPersia
2008-05-18 13:47 . <DIR> C:\WINDOWS\Sultan of Persia
2008-05-18 13:47 . <DIR> C:\Program Files\Sultan of Persia
2008-05-17 14:34 . 2008-05-17 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-17 03:02 . 2008-05-17 03:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 16:06 . 2008-05-16 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-16 16:05 . 2008-05-16 16:05 <DIR> d-------- C:\WINDOWS\Lara Johns
2008-05-16 16:05 . 2008-05-16 16:06 <DIR> d-------- C:\Program Files\Lara Johns
2008-05-16 12:21 . 2008-05-16 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterAction studios
2008-05-16 12:20 . 2008-05-16 12:24 <DIR> d-------- C:\Program Files\Chicken Invaders 3
2008-05-11 14:29 . 2008-05-11 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-05-11 14:28 . 2008-05-12 10:21 <DIR> d-------- C:\Program Files\Elf Bowling The Last Insult
2008-05-08 23:52 . 2008-05-08 23:52 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Cat's Eye Games
2008-05-08 23:50 . 2008-05-10 03:21 <DIR> d-------- C:\Program Files\Luckys Rainbow
2008-05-07 05:23 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-05-07 05:23 . 2005-07-06 18:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-07 05:23 . 2005-07-06 18:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-05 22:41 . 2008-05-05 22:41 <DIR> d-------- C:\Program Files\CleanMyPC
2008-05-03 16:27 . 2008-05-03 16:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Intenium
2008-05-03 16:26 . <DIR> C:\WINDOWS\Chicken Attack Deluxe
2008-05-03 16:26 . <DIR> C:\Program Files\Chicken Attack Deluxe
2008-05-03 16:26 . 2008-06-01 23:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 18:23 . 2008-05-02 18:23 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-02 18:23 . 2008-05-02 18:23 <DIR> d-------- C:\Program Files\microsoft frontpage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 15:22 --------- d-----w C:\Documents and Settings\Admin\Application Data\DNA
2008-06-02 15:12 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-06-01 20:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 17:36 --------- d-----w C:\Program Files\In Living Colors
2008-05-26 08:14 --------- d-----w C:\Program Files\DNA
2008-05-24 16:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Vso
2008-05-17 14:10 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-17 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-01 09:01 --------- d-----w C:\Program Files\OceaniX
2008-04-30 23:44 --------- d-----w C:\Program Files\Astro Avenger 2
2008-04-30 16:34 88 --sh--r C:\Documents and Settings\All Users\Application Data\C5172F7015.sys
2008-04-30 16:34 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-04-30 16:21 --------- d-----w C:\Documents and Settings\Admin\Application Data\Corel
2008-04-24 03:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 03:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-24 03:06 --------- d-----w C:\Program Files\Cheetah Burner
2008-04-21 15:36 --------- d-----w C:\Program Files\Cooking Academy
2008-04-21 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-21 11:02 --------- d-----w C:\Documents and Settings\Admin\Application Data\Sahmon Games
2008-04-19 15:16 --------- d-----w C:\Program Files\Zuma Deluxe
2008-04-17 22:38 --------- d-----w C:\Program Files\Fishing Craze
2008-04-15 23:58 --------- d-----w C:\Program Files\Hidden Mysteries Civil War
2008-04-12 03:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\Restorer
2008-04-10 19:16 532,480 ----a-w C:\WINDOWS\system32\kidzone_screensaver.scr
2008-04-08 22:30 --------- d-----w C:\Program Files\Mystery Cookbook
2008-04-08 22:30 --------- d-----w C:\Documents and Settings\Admin\Application Data\Gaijin Ent
2008-04-08 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-05 21:54 --------- d-----w C:\Program Files\Escape the Museum
2008-04-04 22:57 --------- d-----w C:\Program Files\Alawar
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\dllcache\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 15:43 126,976 ----a-w C:\WINDOWS\system32\keymaker.exe
2008-02-10 22:04 87,608 ----a-w C:\Documents and Settings\Admin\Application Data\ezpinst.exe
2008-02-10 22:04 47,360 ----a-w C:\Documents and Settings\Admin\Application Data\pcouffin.sys
2008-02-10 21:06 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-02-10 21:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-02-10 21:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008021020080211\index.dat
2008-02-10 21:06 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 19:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-10-08 05:55 2223616 95e8b55443bd91dab5632924d2616a1e C:\WINDOWS\system32\ntkrnlpa.exe

2008-04-13 20:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-10-08 05:48 2346752 24fcd8fb0c6bd0e5f3b1203769948336 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( [email protected]_21.12.39.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 20:06:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 22:09:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-07 04:26:34 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-01 20:12:10 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-07 04:26:34 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-01 20:12:10 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 01:45 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629}]
C:\WINDOWS\system32\rqRIxurO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 06:11 68856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 04:12 289088]
"Registry Cleaner Scheduler"="C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2008-04-02 04:27 913664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 22:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 04:42 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-05-18 09:30 1230848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 14:03 124928 C:\WINDOWS\system32\advpack.dll]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 cmipci;CMI8738/8768 Audio Driver;C:\WINDOWS\system32\drivers\cmipci.sys [2007-07-24 00:52]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
HIDEC /W "%VAIOTOOLS%\regtlib.exe" "%ProgramFiles%\Windows Sidebar\sidebar.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 02:41:36 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Admin.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 16:26:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-02 16:27:44
ComboFix-quarantined-files.txt 2008-06-02 15:27:19
ComboFix2.txt 2008-06-01 22:14:19
ComboFix3.txt 2008-06-01 20:13:57

Pre-Run: 21,819,236,352 bytes free
Post-Run: 21,825,155,072 bytes free

216 --- E O F --- 2008-05-17 02:06:57



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:11 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629} - C:\WINDOWS\system32\rqRIxurO.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6469 bytes

#8 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629} - C:\WINDOWS\system32\rqRIxurO.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Reboot and post a new HijackThis log
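The two entries the helper singles out above share one property: the registry still loads a COM object (a BHO or toolbar) whose DLL is no longer on disk, which HijackThis marks as "(file missing)" or "(no file)". Such orphaned, unnamed entries are a common leftover after a removal tool has deleted the payload but not the registration. As an added example that is not part of this thread and not HijackThis code, the following Python parser reads lines in the HijackThis 2.x O2/O3 format shown in the pasted logs and returns the orphaned entries so the "Fix checked" list can be built mechanically. The sample lines are constructed from the log above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: a few O2/O3/O4 lines in the HijackThis 2.x format seen in the
# pasted log. The two "(no name)" entries are the ones the helper asked to fix; the
# Symantec and Yahoo entries show the shape of a normal, on-disk registration.
SAMPLE_HJT_LOG = [
    r"O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll",
    r"O2 - BHO: (no name) - {FC2281FA-E7B2-4CC6-BC6E-8C4E5C777629} - C:\WINDOWS\system32\rqRIxurO.dll (file missing)",
    r"O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    r"O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll",
    r'O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"',
]

# HijackThis 2.x layout for O2 (Browser Helper Object) and O3 (toolbar) entries:
#   O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]
#   O3 - Toolbar: <name> - {<CLSID>} - <dll path> | (no file)
HJT_O2_O3 = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<target>.*)$"
)


@dataclass
class HjtEntry:
    section: str  # "O2" or "O3"
    kind: str     # "BHO" or "Toolbar"
    name: str     # display name, or "(no name)" when the COM registration has none
    clsid: str    # CLSID under which the object is registered
    target: str   # DLL path, possibly suffixed "(file missing)", or "(no file)"

    @property
    def orphaned(self) -> bool:
        """True when the registry entry points at a DLL that is not on disk."""
        t = self.target.strip()
        return t == "(no file)" or t.endswith("(file missing)")

    @property
    def unnamed(self) -> bool:
        return self.name == "(no name)"


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one O2/O3 log line; other sections (O4, O23, ...) return None."""
    m = HJT_O2_O3.match(line.strip())
    if not m:
        return None
    return HjtEntry(**m.groupdict())


def find_orphaned_entries(lines: Iterable[str]) -> List[HjtEntry]:
    """Return the parsed O2/O3 entries whose DLL is missing, in log order."""
    found = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is not None and entry.orphaned:
            found.append(entry)
    return found


def lines_to_fix(lines: Iterable[str]) -> List[str]:
    """The raw log lines a helper would tick under 'Fix checked'."""
    return [line for line in lines if (e := parse_hjt_line(line)) and e.orphaned]


if __name__ == "__main__":
    for entry in find_orphaned_entries(SAMPLE_HJT_LOG):
        tag = "unnamed, " if entry.unnamed else ""
        print(f"{entry.section} {entry.kind} {{{entry.clsid}}}: {tag}orphaned -> {entry.target}")
```

Running the block against the constructed sample reports exactly the two entries quoted in the post above and ignores the Symantec, Yahoo and O4 lines; a real log would be read line by line from the saved HijackThis text file.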

#9 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.