Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

eset wont delete or clean .dll file [CLOSED]


  • This topic is locked This topic is locked

#1
killjoy21

killjoy21

    New Member

  • Member
  • Pip
  • 5 posts
hello. 2 days ago i ran my weekly scan and eset smart security detected an infultration.



object:
C:\WINDOWS\system32\dpwsockn.dll

threat:
Win32.BHO.NDC trojan

comment:
error while cleaning or deleting (Access denied)
event occurred during an attempt to run the file by the application:
C:\WINDOWS\EXPLORER.EXE



i tried finding solutions on the internet. so far i tried.....
-scaning and deleting through eset & windows defender.
-renaming the file
-changing attributes
-used dll removers
-tried removing in safe mode
-did a system restore but cannot restore

i don't know what to do next.
im using windows xp sp2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:35 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\everglow\My Documents\iadd ons\tt\TrueTransparency\TrueTransparency.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {75A6C187-2104-4D58-9A3E-D3AE4F25D40C} - C:\WINDOWS\System32\dpwsockn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {DDCAA75E-7A6D-4879-9D5A-92D98B7AEDE7} - C:\WINDOWS\system32\hgGaWPGA.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BM0ff4758f] Rundll32.exe "C:\WINDOWS\system32\etlebwrg.dll",s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\everglow\lsass.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [TrueTransparency] "C:\Documents and Settings\everglow\My Documents\iadd ons\tt\TrueTransparency\TrueTransparency.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202871735561
O20 - Winlogon Notify: efcbbbx - efcbbbx.dll (file missing)
O20 - Winlogon Notify: opnkjIXo - opnkjIXo.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5894 bytes

Edited by killjoy21, 14 June 2008 - 03:23 PM.

  • 0

Advertisements


#2
killjoy21

killjoy21

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
i also tried system restore and but it cannot restore my computer to a previous time.
  • 0

#3
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#4
killjoy21

killjoy21

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
thank you:)


combofix
-------------------------------------------------------------------------

Start Time= Mon 06/16/2008 16:01:53.54

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-06-15 22:52:20 4094976 ( A.... ) "C:\WINDOWS\system32\logonuiX.exe"
2008-06-15 22:51:02 ( .D... ) "C:\Program Files\WinCustomize"
2008-06-15 21:43:02 ( .D... ) "C:\Program Files\ViStart"
2008-06-15 21:37:42 ( .D... ) "C:\Program Files\ESTsoft"
2008-06-15 21:37:42 ( .D... ) "C:\Documents and Settings\everglow\Application Data\ESTsoft"
2008-06-15 21:01:04 ( .D... ) "C:\Program Files\Common Files\Stardock"
2008-06-15 20:26:32 ( .D... ) "C:\Program Files\Mozilla Firefox"
2008-06-14 19:16:56 ( .D... ) "C:\Program Files\CCleaner"
2008-06-14 14:24:26 ( .D... ) "C:\Program Files\Trend Micro"
2008-06-14 14:21:22 ( .D... ) "C:\Program Files\Hijackthis"
2008-06-14 12:05:12 0 ( A.... ) "C:\WINDOWS\system32\CMMGR32.EXE"
2008-06-14 12:01:30 ( .D... ) "C:\Documents and Settings\everglow\Application Data\SuperAdBlocker.com"
2008-06-14 11:44:08 ( .D... ) "C:\Documents and Settings\everglow\Application Data\Desktopicon"
2008-06-13 21:53:38 ( .D... ) "C:\Program Files\msn gaming zone"
2008-06-13 21:41:38 ( .D... ) "C:\Documents and Settings\everglow\Application Data\Styler"
2008-06-13 19:41:58 ( .D... ) "C:\Program Files\ESET"
2008-06-13 16:26:14 ( .D... ) "C:\Documents and Settings\everglow\Application Data\MSN6"
2008-06-13 16:02:24 ( .D... ) "C:\Program Files\DivX"
2008-06-13 14:42:48 2560 ( A.... ) "C:\WINDOWS\_MSRSTRT.EXE"
2008-06-12 17:16:18 ( .D... ) "C:\Program Files\Windows Defender"
2008-06-12 15:43:44 65536 ( A.... ) "C:\WINDOWS\IFinst27.exe"
2008-06-12 15:19:00 67274 ( A.... ) "C:\WINDOWS\BricoPackUninst.cmd"
2008-06-12 15:19:00 6120 ( A.... ) "C:\WINDOWS\BricoPackFoldersDelete.cmd"
2008-06-12 14:54:06 ( .D... ) "C:\Program Files\TrueTransparency"
2008-06-10 13:37:36 ( .D... ) "C:\Documents and Settings\everglow\Application Data\SUPERAntiSpyware.com"
2008-06-10 13:24:44 ( .D... ) "C:\Program Files\Microsoft.NET"
2008-06-03 20:32:44 ( .D... ) "C:\Documents and Settings\everglow\Application Data\TuneUp Software"
2008-06-02 17:29:14 ( .D... ) "C:\Documents and Settings\everglow\Application Data\ESET"
2008-06-02 16:43:18 ( .D... ) "C:\Documents and Settings\everglow\Application Data\ViStart"
2008-06-01 22:02:56 ( .D... ) "C:\Program Files\Google"
2008-05-31 23:29:38 ( .D... ) "C:\Documents and Settings\everglow\Application Data\Sun"
2008-05-31 18:47:22 96832 ( A.... ) "C:\WINDOWS\system32\igdhkqcv.dll"
2008-05-31 18:47:20 117760 ( A.... ) "C:\WINDOWS\system32\qkujxfpd.dll"
2008-05-29 16:35:12 17486968 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2008-05-25 20:53:42 147456 ( A.... ) "C:\WINDOWS\system32\vbzip10.dll"
2008-05-19 21:48:54 ( .D... ) "C:\Documents and Settings\everglow\Application Data\FogelSoft"
2008-05-17 16:47:14 ( .D... ) "C:\Program Files\LimeWire"
2008-05-16 20:38:06 ( .D... ) "C:\Documents and Settings\everglow\Application Data\zweitgeist"
2008-05-14 22:12:36 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2008-05-11 20:33:18 ( .D... ) "C:\Program Files\Devious Codeworks"
2008-05-06 22:18:48 1287680 ( A.... ) "C:\WINDOWS\system32\quartz.dll"
2008-05-04 00:13:20 ( .D... ) "C:\Documents and Settings\everglow\Application Data\Search Settings"
2008-05-03 13:52:14 ( .D... ) "C:\Documents and Settings\everglow\Application Data\Mozilla"
2008-04-30 19:25:38 ( .D... ) "C:\Program Files\Common Files\Adobe Systems Shared"
2008-04-30 19:22:48 ( .D... ) "C:\Program Files\Adobe"
2008-04-30 17:45:04 ( .D... ) "C:\Documents and Settings\everglow\Application Data\WinRAR"
2008-04-30 16:12:18 ( .D... ) "C:\Program Files\Common Files\Adobe"
2008-04-27 17:32:26 ( .D... ) "C:\Documents and Settings\everglow\Application Data\ErrorSmart"
2008-04-27 13:47:22 ( .D... ) "C:\Documents and Settings\everglow\Application Data\GlobalSCAPE"
2008-04-25 20:50:06 ( .D... ) "C:\Documents and Settings\everglow\Application Data\Apple Computer"
2008-04-25 19:24:54 ( .D... ) "C:\Documents and Settings\everglow\Application Data\CoffeeCup Software"
2008-04-25 19:14:44 ( .D... ) "C:\Documents and Settings\everglow\Application Data\SmartFTP"
2008-04-25 16:10:08 ( .D... ) "C:\Documents and Settings\everglow\Application Data\FileZilla"
2008-04-23 22:16:30 3591680 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2008-04-22 21:16:30 1159680 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2008-04-22 21:16:30 826368 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2008-04-22 21:16:30 233472 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2008-04-22 21:16:28 6066176 ( A.... ) "C:\WINDOWS\system32\ieframe.dll"
2008-04-22 21:16:28 671232 ( ..... ) "C:\WINDOWS\system32\mstime.dll"
2008-04-22 21:16:28 478208 ( ..... ) "C:\WINDOWS\system32\mshtmled.dll"
2008-04-22 21:16:28 459264 ( A.... ) "C:\WINDOWS\system32\msfeeds.dll"
2008-04-22 21:16:28 384512 ( ..... ) "C:\WINDOWS\system32\iedkcs32.dll"
2008-04-22 21:16:28 383488 ( A.... ) "C:\WINDOWS\system32\ieapfltr.dll"
2008-04-22 21:16:28 347136 ( ..... ) "C:\WINDOWS\system32\dxtmsft.dll"
2008-04-22 21:16:28 267776 ( A.... ) "C:\WINDOWS\system32\iertutil.dll"
2008-04-22 21:16:28 230400 ( ..... ) "C:\WINDOWS\system32\ieaksie.dll"
2008-04-22 21:16:28 214528 ( ..... ) "C:\WINDOWS\system32\dxtrans.dll"
2008-04-22 21:16:28 193024 ( ..... ) "C:\WINDOWS\system32\msrating.dll"
2008-04-22 21:16:28 153088 ( ..... ) "C:\WINDOWS\system32\ieakeng.dll"
2008-04-22 21:16:28 133120 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2008-04-22 21:16:28 124928 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2008-04-22 21:16:28 105984 ( A.... ) "C:\WINDOWS\system32\url.dll"
2008-04-22 21:16:28 102912 ( ..... ) "C:\WINDOWS\system32\occache.dll"
2008-04-22 21:16:28 63488 ( A.... ) "C:\WINDOWS\system32\icardie.dll"
2008-04-22 21:16:28 52224 ( A.... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2008-04-22 21:16:28 44544 ( ..... ) "C:\WINDOWS\system32\pngfilt.dll"
2008-04-22 21:16:28 44544 ( ..... ) "C:\WINDOWS\system32\iernonce.dll"
2008-04-22 21:16:28 27648 ( ..... ) "C:\WINDOWS\system32\jsproxy.dll"
2008-04-22 19:38:44 0 ( A.... ) "C:\WINDOWS\system32\awvtu.exe"
2008-04-22 19:15:02 47564 ( A.SHR ) "C:\NTDETECT.COM"
2008-04-22 00:39:58 70656 ( ..... ) "C:\WINDOWS\system32\ie4uinit.exe"
2008-04-22 00:39:58 13824 ( A.... ) "C:\WINDOWS\system32\ieudinit.exe"
2008-04-19 22:07:52 161792 ( ..... ) "C:\WINDOWS\system32\ieakui.dll"
2008-03-27 01:12:54 151583 ( A.... ) "C:\WINDOWS\system32\msjint40.dll"
2008-03-24 21:50:58 838432 ( A.... ) "C:\WINDOWS\system32\mswdat10.dll"
2008-03-24 21:50:58 621344 ( A.... ) "C:\WINDOWS\system32\mswstr10.dll"
2008-03-24 21:50:58 355104 ( A.... ) "C:\WINDOWS\system32\msxbde40.dll"
2008-03-24 21:50:56 264992 ( A.... ) "C:\WINDOWS\system32\mstext40.dll"
2008-03-24 21:50:52 559904 ( A.... ) "C:\WINDOWS\system32\msrepl40.dll"
2008-03-24 21:50:50 322336 ( A.... ) "C:\WINDOWS\system32\msrd3x40.dll"
2008-03-24 21:50:48 432928 ( A.... ) "C:\WINDOWS\system32\msrd2x40.dll"
2008-03-24 21:50:46 355104 ( A.... ) "C:\WINDOWS\system32\mspbde40.dll"
2008-03-24 21:50:44 219936 ( A.... ) "C:\WINDOWS\system32\msltus40.dll"
2008-03-24 21:50:42 248608 ( A.... ) "C:\WINDOWS\system32\msjtes40.dll"
2008-03-24 21:50:42 60192 ( A.... ) "C:\WINDOWS\system32\msjter40.dll"
2008-03-24 21:50:40 355112 ( A.... ) "C:\WINDOWS\system32\msjetoledb40.dll"
2008-03-24 21:50:34 1516568 ( A.... ) "C:\WINDOWS\system32\msjet40.dll"
2008-03-24 21:50:30 326432 ( A.... ) "C:\WINDOWS\system32\msexcl40.dll"
2008-03-24 21:50:28 518944 ( A.... ) "C:\WINDOWS\system32\msexch40.dll"
2008-03-20 18:06:36 1480232 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.DLL"
2008-03-19 02:47:00 1845248 ( A.... ) "C:\WINDOWS\system32\win32k.sys"
2008-03-18 21:33:16 103168 ( A.... ) "C:\WINDOWS\system32\dpwsockn.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"iconcache"=""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"egui"="\"C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe\" /hide /waitservice"
"LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TrueTransparency"="\"C:\\Documents and Settings\\everglow\\My Documents\\iadd ons\\tt\\TrueTransparency\\TrueTransparency.exe\""
"ViStart"="C:\\Program Files\\ViStart\\ViStart"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ErrorSmart Scheduled Scan.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Mon 06/16/2008 16:02:41.23
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt








hijackthis
------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:12 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Documents and Settings\everglow\My Documents\iadd ons\tt\TrueTransparency\TrueTransparency.exe
C:\Program Files\ViStart\ViStart.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {75A6C187-2104-4D58-9A3E-D3AE4F25D40C} - C:\WINDOWS\System32\dpwsockn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {DDCAA75E-7A6D-4879-9D5A-92D98B7AEDE7} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrueTransparency] "C:\Documents and Settings\everglow\My Documents\iadd ons\tt\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202871735561
O20 - Winlogon Notify: efcbbbx - efcbbbx.dll (file missing)
O20 - Winlogon Notify: opnkjIXo - opnkjIXo.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5588 bytes

Edited by killjoy21, 16 June 2008 - 05:09 PM.

  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Delete ComboFix.exe and download it again from

http://www.bleepingc...to-use-combofix


And re-run it
  • 0

#6
killjoy21

killjoy21

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
combofix
---------------------------------------------------
ComboFix 08-06-16.5 - everglow 2008-06-17 11:54:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.129 [GMT -7:00]
Running from: C:\Documents and Settings\everglow\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\everglow\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\vtmp2
C:\WINDOWS\BM0ff4758f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AGPWaGgh.ini
C:\WINDOWS\system32\AGPWaGgh.ini2
C:\WINDOWS\system32\akbllvbt.ini
C:\WINDOWS\system32\bvnuactw.ini
C:\WINDOWS\system32\gmfvgasj.ini
C:\WINDOWS\system32\gnjpoafy.ini
C:\WINDOWS\system32\jbsfvice.ini
C:\WINDOWS\system32\jebyndpk.ini
C:\WINDOWS\system32\kjicgybu.ini
C:\WINDOWS\system32\mabeqiql.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\occpldxk.ini
C:\WINDOWS\system32\pexwfsum.ini
C:\WINDOWS\system32\prmrrtkp.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\rauopasv.ini
C:\WINDOWS\system32\sauajfyj.ini
C:\WINDOWS\system32\shiyfglm.ini
C:\WINDOWS\system32\svCLRqss.ini
C:\WINDOWS\system32\svCLRqss.ini2
C:\WINDOWS\system32\sysdm.exe
C:\WINDOWS\system32\tehmhqaw.ini
C:\WINDOWS\system32\wvpspaml.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 23:46 . 2008-06-17 09:29 <DIR> d-------- C:\Program Files\Microsoft .NET Compact Framework 1.0 SP3
2008-06-16 23:31 . 2008-06-16 23:31 525,312 --a------ C:\WINDOWS\logonui.exe
2008-06-16 23:30 . 2008-06-17 09:29 <DIR> d-------- C:\Program Files\ChameleonXP
2008-06-16 18:47 . 2008-06-17 09:29 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\uTorrent
2008-06-15 22:51 . 2008-06-15 22:51 <DIR> d-------- C:\Program Files\WinCustomize
2008-06-15 21:37 . 2008-06-15 21:37 <DIR> d-------- C:\Program Files\ESTsoft
2008-06-15 21:37 . 2008-06-15 21:38 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\ESTsoft
2008-06-15 21:01 . 2008-06-15 21:01 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-06-15 21:01 . 2004-04-26 13:47 163,456 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-06-14 19:16 . 2008-06-14 19:16 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 13:01 . 2008-06-14 13:01 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-06-14 12:05 . 2008-06-14 12:05 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-06-14 12:01 . 2008-06-14 12:01 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\SuperAdBlocker.com
2008-06-14 11:44 . 2008-06-14 11:44 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\Desktopicon
2008-06-13 21:42 . 2008-06-13 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-06-13 21:41 . 2008-06-13 21:41 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2008-06-13 21:41 . 2008-06-13 21:41 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\Styler
2008-06-13 21:12 . 2008-06-17 09:29 <DIR> d-------- C:\Documents and Settings\Administrator.ADMIN-IW4W1DRKL
2008-06-13 19:54 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-13 19:41 . 2008-06-13 21:43 <DIR> d-------- C:\Program Files\ESET
2008-06-13 16:26 . 2008-06-13 16:26 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\MSN6
2008-06-13 16:02 . 2008-06-14 11:36 <DIR> d-------- C:\Program Files\DivX
2008-06-13 14:42 . 2008-06-13 14:42 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-13 14:34 . 2007-07-11 15:06 42,672 --------- C:\WINDOWS\system32\wbsys.dll
2008-06-12 17:16 . 2008-06-13 21:36 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-12 15:43 . 2008-06-12 15:43 65,536 --a------ C:\WINDOWS\IFinst27.exe
2008-06-12 15:18 . 2008-06-12 15:18 67,274 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-06-12 15:16 . 2008-06-12 15:18 6,120 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-06-12 15:15 . 2008-06-13 21:41 <DIR> d-------- C:\WINDOWS\BricoPacks
2008-06-12 14:50 . 2008-06-13 21:41 <DIR> d-------- C:\WINDOWS\system32\VITrans
2008-06-12 14:50 . 2008-06-13 21:41 <DIR> d-------- C:\VTPFiles
2008-06-12 14:50 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2008-06-12 14:50 . 2008-06-12 14:50 78,942 --a------ C:\WINDOWS\Icon_1.ico
2008-06-12 14:50 . 2006-12-03 17:15 69,632 --a------ C:\WINDOWS\system32\moveex.exe
2008-06-12 14:50 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2008-06-12 14:50 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2008-06-12 13:50 . 2007-10-25 20:34 49,981,952 --a------ C:\WINDOWS\system32\shell32.backup
2008-06-12 13:50 . 2004-08-04 00:56 15,177,728 --a------ C:\WINDOWS\system32\xpsp2res.backup
2008-06-12 13:50 . 2001-11-08 06:56 6,094,336 --a------ C:\WINDOWS\system32\logonui.backup
2008-06-12 13:50 . 2004-08-04 00:56 2,376,192 --a------ C:\WINDOWS\system32\shimgvw.backup
2008-06-12 13:50 . 2004-08-04 00:56 1,671,680 --a------ C:\WINDOWS\system32\msgina.backup
2008-06-12 13:50 . 2004-08-04 00:56 847,360 --a------ C:\WINDOWS\system32\mydocs.backup
2008-06-12 13:50 . 2004-08-04 00:56 726,016 --a------ C:\WINDOWS\system32\mspaint.backup
2008-06-12 13:50 . 2001-09-01 16:15 465,408 --a------ C:\WINDOWS\system32\charmap.backup
2008-06-12 13:50 . 2001-09-01 16:15 117,760 --a------ C:\WINDOWS\system32\calc.backup
2008-06-12 13:50 . 2006-10-04 01:48 72,704 --a------ C:\WINDOWS\system32\magnify.backup
2008-06-10 19:17 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-10 13:37 . 2008-06-13 21:41 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\SUPERAntiSpyware.com
2008-06-10 13:37 . 2008-06-10 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-10 13:24 . 2008-06-10 13:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-10 13:18 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-09 21:25 . 2004-03-09 00:00 609,824 --a------ C:\WINDOWS\system32\COMCTL32.OCX
2008-06-09 21:25 . 2007-07-11 03:43 241,664 --a------ C:\WINDOWS\system32\COMCTL32.OCA
2008-06-09 21:25 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-06-09 21:25 . 2007-05-22 19:20 65,024 --a------ C:\WINDOWS\system32\RICHTX32.OCA
2008-06-08 21:39 . 2008-06-08 21:50 <DIR> d-------- C:\WINDOWS\VCP_TEMP
2008-06-08 21:39 . 2008-06-13 21:38 <DIR> d-------- C:\WINDOWS\VCP_SAVE
2008-06-08 21:39 . 2005-09-28 02:31 49,152 --a------ C:\WINDOWS\system32\icon.exe
2008-06-07 19:26 . 2008-06-14 11:30 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-03 20:32 . 2008-06-03 20:32 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\TuneUp Software
2008-06-03 20:30 . 2008-06-03 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-06-03 19:57 . 2008-06-17 12:02 24 --a------ C:\WINDOWS\LogonStudio.ini
2008-06-03 19:00 . 2000-05-17 09:52 187,392 --a------ C:\WINDOWS\system32\JPGUtils.dll
2008-06-02 17:29 . 2008-06-02 17:29 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\ESET
2008-06-02 17:26 . 2008-06-09 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-02 16:43 . 2008-06-02 16:43 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\ViStart
2008-06-01 22:02 . 2008-06-01 22:02 <DIR> d-------- C:\Program Files\Google
2008-06-01 22:02 . 2008-06-01 22:02 <DIR> d--hs---- C:\found.000
2008-05-31 23:33 . 2008-06-01 22:02 <DIR> d----c--- C:\WINDOWS\ie7(3)
2008-05-31 23:22 . 2008-06-01 22:02 <DIR> d-------- C:\63c3a829a8adea9d859b838d
2008-05-25 21:00 . 2008-05-31 18:47 117,760 --a------ C:\WINDOWS\system32\qkujxfpd.dll
2008-05-25 20:53 . 2008-05-25 20:53 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-25 20:50 . 2008-05-25 20:50 <DIR> d-------- C:\WINDOWS\system32\vntiho18
2008-05-25 20:50 . 2008-06-17 11:54 <DIR> d-------- C:\Temp
2008-05-24 20:35 . 2006-04-14 23:05 9,952 --a------ C:\regxpcom.exe
2008-05-21 20:22 . 2008-06-12 15:18 2,359,350 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-05-21 16:50 . 2008-06-11 17:28 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-19 21:48 . 2008-05-19 21:48 <DIR> d-------- C:\Documents and Settings\everglow\Application Data\FogelSoft
2008-05-18 17:18 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-18 16:57 . 2008-05-18 17:17 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-05-18 16:57 . 2008-05-18 17:17 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-05-17 16:47 . 2008-05-25 20:55 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 00:24 --------- d-----w C:\Documents and Settings\everglow\Application Data\LimeWire
2008-06-14 01:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-07 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-19 00:15 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-17 03:40 --------- d-----w C:\Documents and Settings\everglow\Application Data\zweitgeist
2008-05-12 03:33 --------- d-----w C:\Program Files\Devious Codeworks
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 07:13 --------- d-----w C:\Documents and Settings\everglow\Application Data\Search Settings
2008-05-04 06:42 --------- d-----w C:\Documents and Settings\everglow\Application Data\Apple Computer
2008-05-01 02:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-01 02:25 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-05-01 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-30 23:51 --------- d-----w C:\Documents and Settings\everglow\Application Data\FileZilla
2008-04-30 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-28 00:32 --------- d-----w C:\Documents and Settings\everglow\Application Data\ErrorSmart
2008-04-27 20:47 --------- d-----w C:\Documents and Settings\everglow\Application Data\GlobalSCAPE
2008-04-27 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-26 02:24 --------- d-----w C:\Documents and Settings\everglow\Application Data\CoffeeCup Software
2008-04-26 02:14 --------- d-----w C:\Documents and Settings\everglow\Application Data\SmartFTP
2008-04-23 01:48 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-23 23:42 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
.

------- Sigcheck -------

2007-06-13 03:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2001-09-01 16:15 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 03:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\VCP_SAVE\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75A6C187-2104-4D58-9A3E-D3AE4F25D40C}]
2008-03-18 21:33 103168 --a------ C:\WINDOWS\System32\dpwsockn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDCAA75E-7A6D-4879-9D5A-92D98B7AEDE7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"ViStart"="C:\Program Files\ViStart\ViStart" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-09-18 09:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 09:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-09-18 11:32 86016]
"iconcache"="" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 18:38 987187]

C:\Documents and Settings\everglow\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 15:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 12:41:18 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 00:43:08 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 00:43:14 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbbbx]
efcbbbx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjIXo]
opnkjIXo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11825:TCP"= 11825:TCP:BitComet 11825 TCP
"11825:UDP"= 11825:UDP:BitComet 11825 UDP

R0 fimapnic;fimapnic;C:\WINDOWS\system32\drivers\tecqrbjy.dat []
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d81b0df-310e-11dd-ac4a-0040caaf6676}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 10:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-06-17 19:00:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 12:02:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fimapnic]
"ImagePath"="system32\drivers\tecqrbjy.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-06-17 12:05:39 - machine was rebooted [everglow]
ComboFix-quarantined-files.txt 2008-06-17 19:05:33
ComboFix2.txt 2008-06-16 23:02:41

Pre-Run: 93,140,271,104 bytes free
Post-Run: 93,098,369,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

252 --- E O F --- 2008-06-10 23:39:27







hijackthis
---------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:57 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {75A6C187-2104-4D58-9A3E-D3AE4F25D40C} - C:\WINDOWS\System32\dpwsockn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {DDCAA75E-7A6D-4879-9D5A-92D98B7AEDE7} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202871735561
O20 - Winlogon Notify: efcbbbx - efcbbbx.dll (file missing)
O20 - Winlogon Notify: opnkjIXo - opnkjIXo.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5172 bytes
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\Uharc.exe
C:\WINDOWS\Icon_1.ico
C:\WINDOWS\system32\moveex.exe
C:\WINDOWS\system32\reico.exe
C:\WINDOWS\system32\modifype.exe
C:\WINDOWS\system32\icon.exe
C:\WINDOWS\system32\qkujxfpd.dll
C:\WINDOWS\System32\dpwsockn.dll
I:\Start.exe

Folder::
C:\found.000
C:\WINDOWS\system32\vntiho18

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d81b0df-310e-11dd-ac4a-0040caaf6676}]

Driver::
fimapnic

DirLook::
C:\WINDOWS\ie7(3)


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

  • 0

#8
killjoy21

killjoy21

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
the virus is gone. thank you so much! :)
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post the logs
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP