
need help! [RESOLVED]


#1 michaelsdin (Member, 12 posts)
Hello, I seem to have problems with my computer. I am having pop-ups popping up that never used to pop up. My automatic updater for Microsoft keeps turning itself off. I think I downloaded something bad through LimeWire and now I'm paying for it. Any ideas on what to do?

I am so-so with computers and just really need help cleaning up my system.

#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi michaelsdin

Welcome to Geeks to Go :)

Let's do a scan for me to work with.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
andrewuk

#3 michaelsdin (Topic Starter, Member, 12 posts)
Here it is!!!

Deckard's System Scanner v20071014.68
Run by Michael S Din on 2008-07-06 11:34:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
64: 2008-07-06 18:34:31 UTC - RP253 - Deckard's System Scanner Restore Point
63: 2008-07-05 21:56:30 UTC - RP252 - Last known good configuration
62: 2008-07-05 21:56:25 UTC - RP251 - ComboFix created restore point
61: 2008-07-05 21:56:25 UTC - RP250 - Last known good configuration
60: 2008-07-05 21:56:25 UTC - RP249 - Restore Operation


-- First Restore Point --
1: 2008-07-05 21:56:13 UTC - RP190 - Removed Bonjour


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-06 11:36:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Michael S Din\winlogon.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Documents and Settings\Michael S Din\Desktop\dss.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {06A1F910-762A-4660-B534-55B82571851C} - C:\WINDOWS\system32\urqRJYqn.dll (file missing)
O2 - BHO: (no name) - {2F466B55-B519-40B7-A6EB-8C573EA524E3} - C:\WINDOWS\system32\opnlIbAr.dll (file missing)
O2 - BHO: (no name) - {33E3AFD8-E665-4F83-AF9D-5ED62761EBD2} - C:\WINDOWS\system32\ddcApqOI.dll (file missing)
O2 - BHO: (no name) - {53F58BE0-B99F-41E9-BFC7-0EB4026733A6} - C:\WINDOWS\system32\pmnnKdAS.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {85891CF5-118E-44AF-8682-A7B08D33A9E7} - C:\WINDOWS\system32\wvUlMfFY.dll
O2 - BHO: {5854fb62-0166-c05b-e9c4-9c39ffa39f6c} - {c6f93aff-93c9-4c9e-b50c-661026bf4585} - C:\WINDOWS\system32\kjgvnf.dll
O2 - BHO: (no name) - {DDBB96A3-6C75-472F-BCF8-B58E223FA4E4} - C:\WINDOWS\system32\opnnklkl.dll
O2 - BHO: (no name) - {E054B668-AC87-4AD3-BD52-C785C800F4AF} - C:\WINDOWS\system32\yayaARhG.dll (file missing)
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Michael S Din\winlogon.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [6876f787] rundll32.exe "C:\WINDOWS\system32\gowfghyg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202868210000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202871325187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: wvUlMfFY - C:\WINDOWS\system32\wvUlMfFY.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe


--
End of file - 7781 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 asyncmacc - c:\windows\system32\drivers\asyncmacc.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1039&DEV_0180&SUBSYS_810E1043&REV_01\3&267A616A&0&28
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1039&DEV_0180&SUBSYS_810E1043&REV_01\3&267A616A&0&28
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-03 11:15:59 356 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-07-03 11:15:58 348 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-06-18 09:08:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-06 08:42:00 286 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-07 08:42:23 408 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-06 11:37:34 101888 --a------ C:\WINDOWS\system32\ixjwgd.dll
2008-07-06 11:37:22 101888 --a------ C:\WINDOWS\system32\anedoxnp.dll
2008-07-06 11:35:27 81408 --a------ C:\WINDOWS\system32\gowfghyg.dll
2008-07-06 11:34:15 647669 --ahs---- C:\WINDOWS\system32\lklknnpo.ini2
2008-07-06 11:34:03 281600 --a------ C:\WINDOWS\system32\opnnklkl.dll
2008-07-06 11:31:20 31232 --a------ C:\WINDOWS\system32\ssqPfcyY.dll
2008-07-05 14:59:04 80896 -----n--- C:\WINDOWS\system32\xgbtjsfj.dll
2008-07-05 14:57:05 101888 --a------ C:\WINDOWS\system32\kjgvnf.dll
2008-07-05 14:57:01 101888 --a------ C:\WINDOWS\system32\julixysr.dll
2008-07-05 14:56:03 654202 --ahs---- C:\WINDOWS\system32\GhRAayay.ini2
2008-07-05 14:47:20 31232 --a------ C:\WINDOWS\system32\wvUlMfFY.dll
2008-07-05 14:29:31 68096 --a------ C:\WINDOWS\zip.exe
2008-07-05 14:29:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-05 14:29:31 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-05 14:29:31 98816 --a------ C:\WINDOWS\sed.exe
2008-07-05 14:29:31 80412 --a------ C:\WINDOWS\grep.exe
2008-07-05 14:29:31 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-05 14:29:30 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-05 14:29:30 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-03 11:57:59 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-07-03 11:39:50 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Sun
2008-07-03 11:39:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Macromedia
2008-07-03 11:39:42 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Adobe
2008-07-03 11:39:27 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Talkback
2008-07-03 11:39:07 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Mozilla
2008-07-03 11:36:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Templates
2008-07-03 11:36:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Start Menu
2008-07-03 11:36:25 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\SendTo
2008-07-03 11:36:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Recent
2008-07-03 11:36:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\PrintHood
2008-07-03 11:36:25 1048576 --ah----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\NTUSER.DAT
2008-07-03 11:36:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\NetHood
2008-07-03 11:36:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\My Documents
2008-07-03 11:36:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Local Settings
2008-07-03 11:36:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Favorites
2008-07-03 11:36:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Desktop
2008-07-03 11:36:25 0 d--hs---- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Cookies
2008-07-03 11:36:25 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data
2008-07-03 11:36:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Microsoft
2008-07-03 11:25:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-07-03 11:24:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-03 11:22:19 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-07-03 11:22:19 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-03 11:22:19 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-07-03 11:22:19 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-07-03 11:22:19 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-07-03 11:22:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-03 11:14:49 0 d-------- C:\Program Files\McAfee.com
2008-07-03 11:14:16 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-03 11:14:06 0 d-------- C:\Program Files\McAfee
2008-07-03 10:53:34 3817472 --a------ C:\Documents and Settings\Michael S Din\ntuser.dat
2008-07-03 10:53:33 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-03 10:49:18 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-03 10:49:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-07-03 10:49:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-03 10:48:16 0 d--hs---- C:\WINDOWS\WW91ciBVc2VyIE5hbWU
2008-07-03 10:48:09 0 d-------- C:\WINDOWS\system32\vec3
2008-07-03 10:48:09 0 d-------- C:\WINDOWS\system32\bam
2008-07-03 10:48:06 0 d-------- C:\WINDOWS\system32\modtrux18
2008-07-03 10:48:06 0 d-------- C:\Temp
2008-06-27 18:38:32 53248 ---hs---- C:\Documents and Settings\Michael S Din\winlogon.exe
2008-06-22 16:10:17 0 d-------- C:\Documents and Settings\Michael S Din\Application Data\CDBurnerXP_Soft
2008-06-22 16:08:56 0 d-------- C:\Program Files\CDBurnerXP


-- Find3M Report ---------------------------------------------------------------

2008-07-06 11:30:42 0 d-------- C:\Program Files\Steam
2008-07-05 15:14:43 0 d-------- C:\Documents and Settings\Michael S Din\Application Data\LimeWire
2008-07-03 11:14:16 0 d-------- C:\Program Files\Common Files
2008-06-22 19:12:20 4096 --a----c- C:\WINDOWS\system32\crash
2008-06-22 16:14:50 0 d-------- C:\Program Files\DivX
2008-06-18 12:19:08 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-11 15:25:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-07 19:47:59 0 d-------- C:\Program Files\World of Warcraft
2008-06-02 20:42:15 0 d-------- C:\Program Files\Common Files\DirectX
2008-05-30 16:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-24 00:08:24 0 d-------- C:\Documents and Settings\Michael S Din\Application Data\ATI
2008-05-24 00:05:25 0 d-------- C:\Program Files\ATI Technologies
2008-05-24 00:04:26 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-22 15:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 15:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 15:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 15:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-17 08:42:04 0 d-------- C:\Documents and Settings\Michael S Din\Application Data\Uniblue
2008-05-12 10:49:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-11 19:43:55 0 d-------- C:\Program Files\Driver Sweeper
2008-04-20 14:06:02 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-04-20 14:06:02 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-04-20 14:06:02 12067 --a------ C:\WINDOWS\system32\SIntf16.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06A1F910-762A-4660-B534-55B82571851C}]
C:\WINDOWS\system32\urqRJYqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F466B55-B519-40B7-A6EB-8C573EA524E3}]
C:\WINDOWS\system32\opnlIbAr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33E3AFD8-E665-4F83-AF9D-5ED62761EBD2}]
C:\WINDOWS\system32\ddcApqOI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53F58BE0-B99F-41E9-BFC7-0EB4026733A6}]
C:\WINDOWS\system32\pmnnKdAS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f8d4373-6177-4d1d-bdeb-a274a779a198}]
07/06/2008 11:37 AM 101888 --a------ C:\WINDOWS\system32\ixjwgd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85891CF5-118E-44AF-8682-A7B08D33A9E7}]
07/05/2008 02:47 PM 31232 --a------ C:\WINDOWS\system32\wvUlMfFY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBB96A3-6C75-472F-BCF8-B58E223FA4E4}]
07/06/2008 11:34 AM 281600 --a------ C:\WINDOWS\system32\opnnklkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E054B668-AC87-4AD3-BD52-C785C800F4AF}]
C:\WINDOWS\system32\yayaARhG.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Michael S Din\winlogon.exe" [06/27/2008 06:38 PM]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [02/14/2007 12:15 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"6876f787"="C:\WINDOWS\system32\gowfghyg.dll" [07/06/2008 11:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Steam"="C:\Program Files\Steam\Steam.exe" [03/29/2008 08:58 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 01:32 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{06A1F910-762A-4660-B534-55B82571851C}"= C:\WINDOWS\system32\urqRJYqn.dll [ ]
"{85891CF5-118E-44AF-8682-A7B08D33A9E7}"= C:\WINDOWS\system32\wvUlMfFY.dll [07/05/2008 02:47 PM 31232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlMfFY]
wvUlMfFY.dll 07/05/2008 02:47 PM 31232 C:\WINDOWS\system32\wvUlMfFY.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnnklkl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background




-- End of Deckard's System Scanner: finished at 2008-07-06 11:40:09 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
CPU 1: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 2047.23 MiB / 1586.17 MiB
Pagefile Memory (total/avail): 3943.9 MiB / 3512.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.95 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.78 GiB total, 84.12 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3120024A - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.78 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Steam\\steamapps\\liqwiddancin\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\liqwiddancin\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Michael S Din\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-VS9D6DWP03
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Michael S Din
LOGONSERVER=\\YOUR-VS9D6DWP03
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
sourcesdk=c:\program files\steam\steamapps\liqwiddancin\sourcesdk
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp
USERDOMAIN=YOUR-VS9D6DWP03
USERNAME=Michael S Din
USERPROFILE=C:\Documents and Settings\Michael S Din
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Michael S Din (admin)
Administrator.YOUR-VS9D6DWP03 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CDBurnerXP --> "C:\Program Files\CDBurnerXP\unins000.exe"
Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Driver Sweeper 1.0 --> "C:\Program Files\Driver Sweeper\unins000.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Prison Tycoon 3: Lockdown --> "C:\Program Files\Steam\steam.exe" steam://uninstall/12510
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Razer Diamondback --> C:\Program Files\InstallShield Installation Information\{DE4CF159-4AD2-4754-BDA0-5FB088C8B58B}\setup.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Videora iPod Converter 3.07 --> C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
ViewSonic Windows XP Signed Files --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC47C7A5-BE63-11D5-B7C9-005004566E4D}\Setup.exe" -l0x9
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type1822 / Error
Event Submitted/Written: 07/05/2008 04:46:35 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware2007.exe, version 7.0.2.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1820 / Error
Event Submitted/Written: 07/05/2008 02:48:24 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application MySpaceIM.exe, version 1.0.754.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1787 / Warning
Event Submitted/Written: 07/03/2008 11:37:47 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type1786 / Warning
Event Submitted/Written: 07/03/2008 11:37:47 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90280409-6000-11D3-8CFE-0050048383C9}', feature 'WordUserData', component '{8ADD2C93-C8B7-11D1-9C67-0000F81F1B38}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\UserData' does not exist.

Event Record #/Type1785 / Warning
Event Submitted/Written: 07/03/2008 11:37:47 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10475 / Error
Event Submitted/Written: 07/06/2008 11:28:57 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.102 for the Network Card with network address 0018F312C3D9 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type10467 / Error
Event Submitted/Written: 07/05/2008 03:20:45 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type10463 / Error
Event Submitted/Written: 07/05/2008 02:59:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type10392 / Error
Event Submitted/Written: 07/05/2008 02:13:23 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Event Record #/Type10385 / Warning
Event Submitted/Written: 07/04/2008 00:39:51 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-06 11:40:09 ------------
  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will use a tool to clear out some of the infections I can see, though we will also use it in the next post as well.

If you have already downloaded ComboFix, could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#5
michaelsdin

michaelsdin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
What's the HijackThis file stuff you speak of? Oh, and it wouldn't let me do the Recovery Console in either form for some reason. So if everything goes bad here, I'll just reinstall Windows.

ComboFix 08-07-05.1 - Michael S Din 2008-07-06 13:20:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1554 [GMT -7:00]
Running from: C:\Documents and Settings\Michael S Din\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\anedoxnp.dll
C:\WINDOWS\system32\GhRAayay.ini
C:\WINDOWS\system32\GhRAayay.ini2
C:\WINDOWS\system32\gowfghyg.dll
C:\WINDOWS\system32\gyhgfwog.ini
C:\WINDOWS\system32\ixjwgd.dll
C:\WINDOWS\system32\jfsjtbgx.ini
C:\WINDOWS\system32\julixysr.dll
C:\WINDOWS\system32\kjgvnf.dll
C:\WINDOWS\system32\lklknnpo.ini
C:\WINDOWS\system32\lklknnpo.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\opnnklkl.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ssqPfcyY.dll
C:\WINDOWS\system32\wvUlMfFY.dll
C:\WINDOWS\system32\xgbtjsfj.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-06 11:33 . 2008-07-06 11:33 <DIR> d-------- C:\Deckard
2008-07-03 14:25 . 2008-07-06 13:27 3,775 --a------ C:\WINDOWS\system32\Config.MPF
2008-07-03 11:57 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-07-03 11:48 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-03 11:48 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-03 11:48 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-03 11:48 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-03 11:48 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-03 11:48 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-03 11:39 . 2008-07-03 11:39 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Talkback
2008-07-03 11:36 . 2008-07-03 11:36 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03
2008-07-03 11:25 . 2008-07-03 11:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-07-03 11:22 . 2008-07-03 11:28 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-03 11:14 . 2008-07-03 11:47 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-03 11:14 . 2008-07-03 11:57 <DIR> d-------- C:\Program Files\McAfee
2008-07-03 11:14 . 2008-07-03 11:48 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-03 10:49 . 2008-07-03 10:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-07-03 10:48 . 2008-07-03 14:18 <DIR> d--hs---- C:\WINDOWS\WW91ciBVc2VyIE5hbWU
2008-07-03 10:48 . 2008-07-03 14:18 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-07-03 10:48 . 2008-07-05 14:47 <DIR> d-------- C:\WINDOWS\system32\modtrux18
2008-07-03 10:48 . 2008-07-03 10:48 <DIR> d-------- C:\WINDOWS\system32\bam
2008-07-03 10:48 . 2008-07-03 10:48 <DIR> d-------- C:\Temp\syschk3
2008-07-03 10:48 . 2008-07-05 14:33 <DIR> d-------- C:\Temp
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Michael S Din\winlogon.exe
2008-06-22 16:10 . 2008-06-22 16:10 <DIR> d-------- C:\Documents and Settings\Michael S Din\Application Data\CDBurnerXP_Soft
2008-06-22 16:08 . 2008-06-22 16:09 <DIR> d-------- C:\Program Files\CDBurnerXP
2008-06-11 15:25 . 2004-12-21 16:51 7,794 --a------ C:\WINDOWS\vp171b-2.cat
2008-06-11 15:25 . 2005-03-04 05:41 7,786 --a------ C:\WINDOWS\g90f-3.cat
2008-06-11 15:25 . 2005-03-03 04:36 7,782 --a------ C:\WINDOWS\q51-9.cat
2008-06-11 15:25 . 2004-12-20 11:38 1,224 --a------ C:\WINDOWS\VP171b-2.inf
2008-06-11 15:25 . 2005-03-01 16:43 1,204 --a------ C:\WINDOWS\Q51-9.inf
2008-06-11 15:25 . 2005-03-01 16:43 1,164 --a------ C:\WINDOWS\G90f-3.inf
2008-06-11 15:25 . 2004-09-16 06:18 512 --a------ C:\WINDOWS\VP171b-2.icm
2008-06-11 15:25 . 2004-11-04 01:00 512 --a------ C:\WINDOWS\Q51-9.icm
2008-06-11 15:25 . 2004-07-23 01:00 512 --a------ C:\WINDOWS\G90f-3.icm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 18:30 --------- d-----w C:\Program Files\Steam
2008-07-05 22:14 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\LimeWire
2008-07-03 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-03 18:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-22 23:14 --------- d-----w C:\Program Files\DivX
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 02:47 --------- d-----w C:\Program Files\World of Warcraft
2008-06-03 03:42 --------- d-----w C:\Program Files\Common Files\DirectX
2008-05-24 07:08 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\ATI
2008-05-24 07:05 --------- d-----w C:\Program Files\ATI Technologies
2008-05-24 07:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-17 15:42 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\Uniblue
2008-05-12 16:30 3,007,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-12 15:02 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-05-12 02:43 --------- d-----w C:\Program Files\Driver Sweeper
2008-05-11 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 02:49 22,328 ----a-w C:\Documents and Settings\Michael S Din\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-05_14.49.40.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 21:44:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-06 20:25:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-05 21:19:42 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-06 18:36:09 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-05 21:19:42 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-06 18:36:09 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06A1F910-762A-4660-B534-55B82571851C}]
C:\WINDOWS\system32\urqRJYqn.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F466B55-B519-40B7-A6EB-8C573EA524E3}]
C:\WINDOWS\system32\opnlIbAr.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33E3AFD8-E665-4F83-AF9D-5ED62761EBD2}]
C:\WINDOWS\system32\ddcApqOI.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53F58BE0-B99F-41E9-BFC7-0EB4026733A6}]
C:\WINDOWS\system32\pmnnKdAS.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Michael S Din\winlogon.exe" [2008-06-27 18:38 53248]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 12:15 147456]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 00:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{06A1F910-762A-4660-B534-55B82571851C}"= "C:\WINDOWS\system32\urqRJYqn.dll" [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 13:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-29 08:58 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\steamapps\\liqwiddancin\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 23:43]
S1 asyncmacc;asyncmacc;C:\WINDOWS\system32\drivers\asyncmacc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 16:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-03 18:15:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-03 18:15:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-06 15:42:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-07 15:42:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{E054B668-AC87-4AD3-BD52-C785C800F4AF} - C:\WINDOWS\system32\yayaARhG.dll
MSConfigStartUp-6876f787 - C:\WINDOWS\system32\gowfghyg.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 13:26:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Michael S Din\winlogon.exe
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-07-06 13:29:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-06 20:29:53
ComboFix2.txt 2008-07-05 21:50:28

Pre-Run: 90,277,314,560 bytes free
Post-Run: 90,262,278,144 bytes free

213 --- E O F --- 2008-06-19 22:30:48

Edited by michaelsdin, 06 July 2008 - 02:34 PM.

  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

What's the HijackThis file stuff you speak of?

Oops, my mistake; we will download that in this post.


====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\urqRJYqn.dll
C:\WINDOWS\system32\opnlIbAr.dll
C:\WINDOWS\system32\ddcApqOI.dll
C:\WINDOWS\system32\pmnnKdAS.dll
C:\WINDOWS\system32\drivers\asyncmacc.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06A1F910-762A-4660-B534-55B82571851C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F466B55-B519-40B7-A6EB-8C573EA524E3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33E3AFD8-E665-4F83-AF9D-5ED62761EBD2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53F58BE0-B99F-41E9-BFC7-0EB4026733A6}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{06A1F910-762A-4660-B534-55B82571851C}"=-

Driver::
asyncmacc


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt



====STEP 2====
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

In your next reply could I see:
1. the combofix log
2. the hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
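As an added example that is not part of this thread and not ComboFix's own code, here is a small Python triage script that reads the "Reg Loading Points" block of a ComboFix log and flags the same kinds of entries the CFScript in the post above removes: Browser Helper Object and ShellExecuteHooks DLLs with random-looking names or a [BU] tag, a system binary name such as winlogon.exe launched from outside system32, Security Center monitoring switched off, and the XP firewall disabled. The sample lines are constructed from the log posted earlier in this thread; the random-name heuristic and the rule names are assumptions of this example, not ComboFix conventions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not from the thread or from ComboFix. The rule names and the
random-name heuristic are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, copied in shape from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06A1F910-762A-4660-B534-55B82571851C}]
C:\WINDOWS\system32\urqRJYqn.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Michael S Din\winlogon.exe" [2008-06-27 18:38 53248]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 12:15 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{06A1F910-762A-4660-B534-55B82571851C}"= "C:\WINDOWS\system32\urqRJYqn.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Names of core Windows binaries that should only ever load from system32.
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "svchost.exe",
                   "csrss.exe", "lsass.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe|sys)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    key: str
    detail: str


def looks_random(basename: str) -> bool:
    """Heuristic (assumption of this example): an eight-letter stem with upper
    case scattered past the first character, as in urqRJYqn.dll."""
    stem = basename.rsplit(".", 1)[0]
    if not (len(stem) == 8 and stem.isalpha()):
        return False
    return any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)


def triage(log_text: str) -> list[Finding]:
    """Walk the REGEDIT4-style block line by line and return flagged entries."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:                       # a new [key] header
            key = m.group(1)
            continue
        if not line:
            continue
        k = key.lower()
        path_m = PATH_RE.search(line)
        path = path_m.group(0) if path_m else ""
        base = path.rsplit("\\", 1)[-1] if path else ""
        parent = path.rsplit("\\", 1)[0].lower() if path else ""
        val = VALUE_RE.match(line)
        name = val.group("name") if val else ""
        data = val.group("data").strip() if val else ""

        if "browser helper objects" in k or "shellexecutehooks" in k:
            tagged = "[BU]" in line
            if tagged or looks_random(base):
                why = "tagged [BU]" if tagged else "random-looking name"
                findings.append(Finding("browser-hook", key, f"{base} ({why})"))
        elif k.endswith("\\run"):
            if base.lower() in SYSTEM_BINARIES and parent != SYSTEM32:
                findings.append(Finding("run-masquerade", key,
                                        f"{base} launched from {parent}"))
        elif "security center" in k:
            if name in {"DisableMonitoring", "AntiVirusDisableNotify",
                        "FirewallDisableNotify"} and data.lower() == "dword:00000001":
                findings.append(Finding("security-center", key, f"{name}=1"))
        elif "firewallpolicy" in k and "authorizedapplications" not in k:
            if name == "EnableFirewall" and data.startswith("0"):
                findings.append(Finding("firewall", key, "EnableFirewall=0"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    in {f.key}")
```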

#7
michaelsdin

michaelsdin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ComboFix 08-07-05.1 - Michael S Din 2008-07-06 15:43:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1565 [GMT -7:00]
Running from: C:\Documents and Settings\Michael S Din\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael S Din\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ddcApqOI.dll
C:\WINDOWS\system32\drivers\asyncmacc.sys
C:\WINDOWS\system32\opnlIbAr.dll
C:\WINDOWS\system32\pmnnKdAS.dll
C:\WINDOWS\system32\urqRJYqn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASYNCMACC
-------\Service_asyncmacc


((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-06 11:33 . 2008-07-06 11:33 <DIR> d-------- C:\Deckard
2008-07-03 14:25 . 2008-07-06 15:49 3,923 --a------ C:\WINDOWS\system32\Config.MPF
2008-07-03 11:57 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-07-03 11:48 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-03 11:48 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-03 11:48 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-03 11:48 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-03 11:48 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-03 11:48 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-03 11:39 . 2008-07-03 11:39 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Talkback
2008-07-03 11:36 . 2008-07-03 11:36 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03
2008-07-03 11:25 . 2008-07-03 11:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-07-03 11:22 . 2008-07-03 11:28 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-03 11:14 . 2008-07-03 11:47 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-03 11:14 . 2008-07-03 11:57 <DIR> d-------- C:\Program Files\McAfee
2008-07-03 11:14 . 2008-07-03 11:48 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-03 10:49 . 2008-07-03 10:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-07-03 10:48 . 2008-07-03 14:18 <DIR> d--hs---- C:\WINDOWS\WW91ciBVc2VyIE5hbWU
2008-07-03 10:48 . 2008-07-03 14:18 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-07-03 10:48 . 2008-07-05 14:47 <DIR> d-------- C:\WINDOWS\system32\modtrux18
2008-07-03 10:48 . 2008-07-03 10:48 <DIR> d-------- C:\WINDOWS\system32\bam
2008-07-03 10:48 . 2008-07-03 10:48 <DIR> d-------- C:\Temp\syschk3
2008-07-03 10:48 . 2008-07-05 14:33 <DIR> d-------- C:\Temp
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Michael S Din\winlogon.exe
2008-06-22 16:10 . 2008-06-22 16:10 <DIR> d-------- C:\Documents and Settings\Michael S Din\Application Data\CDBurnerXP_Soft
2008-06-22 16:08 . 2008-06-22 16:09 <DIR> d-------- C:\Program Files\CDBurnerXP
2008-06-11 15:25 . 2004-12-21 16:51 7,794 --a------ C:\WINDOWS\vp171b-2.cat
2008-06-11 15:25 . 2005-03-04 05:41 7,786 --a------ C:\WINDOWS\g90f-3.cat
2008-06-11 15:25 . 2005-03-03 04:36 7,782 --a------ C:\WINDOWS\q51-9.cat
2008-06-11 15:25 . 2004-12-20 11:38 1,224 --a------ C:\WINDOWS\VP171b-2.inf
2008-06-11 15:25 . 2005-03-01 16:43 1,204 --a------ C:\WINDOWS\Q51-9.inf
2008-06-11 15:25 . 2005-03-01 16:43 1,164 --a------ C:\WINDOWS\G90f-3.inf
2008-06-11 15:25 . 2004-09-16 06:18 512 --a------ C:\WINDOWS\VP171b-2.icm
2008-06-11 15:25 . 2004-11-04 01:00 512 --a------ C:\WINDOWS\Q51-9.icm
2008-06-11 15:25 . 2004-07-23 01:00 512 --a------ C:\WINDOWS\G90f-3.icm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 22:49 46,592 ----a-w C:\services.exe
2008-07-06 22:11 --------- d-----w C:\Program Files\World of Warcraft
2008-07-06 21:40 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\LimeWire
2008-07-06 18:30 --------- d-----w C:\Program Files\Steam
2008-07-03 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-03 18:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-22 23:14 --------- d-----w C:\Program Files\DivX
2008-06-18 19:19 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 03:42 --------- d-----w C:\Program Files\Common Files\DirectX
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-24 07:08 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\ATI
2008-05-24 07:05 --------- d-----w C:\Program Files\ATI Technologies
2008-05-24 07:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-17 15:42 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\Uniblue
2008-05-12 17:49 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-05-12 16:30 3,007,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-12 15:56 397,312 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-12 15:54 305,152 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-05-12 15:53 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-05-12 15:45 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-05-12 15:45 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-05-12 15:45 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-05-12 15:45 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-05-12 15:44 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-05-12 15:43 540,672 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-05-12 15:43 10,153,984 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-05-12 15:41 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-05-12 15:32 3,203,168 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-05-12 15:22 1,999,616 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-05-12 15:09 47,104 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-05-12 15:05 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-05-12 15:05 327,680 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-05-12 15:03 19,968 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-05-12 15:03 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-05-12 15:02 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-05-12 15:02 241,664 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-05-12 14:57 548,864 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-05-12 02:43 --------- d-----w C:\Program Files\Driver Sweeper
2008-05-11 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 02:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-05 02:49 22,328 ----a-w C:\Documents and Settings\Michael S Din\Application Data\PnkBstrK.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-20 21:06 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-04-20 21:06 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-04-20 21:06 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-05_14.49.40.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 21:44:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-06 22:47:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-05 21:19:42 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-06 18:36:09 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-05 21:19:42 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-06 18:36:09 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Michael S Din\winlogon.exe" [2008-06-27 18:38 53248]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 12:15 147456]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 00:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{85891CF5-118E-44AF-8682-A7B08D33A9E7}"= "C:\WINDOWS\system32\vtUomlIx.dll" [2008-07-06 15:49 31232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUomlIx]
2008-07-06 15:49 31232 C:\WINDOWS\system32\vtUomlIx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 13:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-29 08:58 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\steamapps\\liqwiddancin\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 23:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 16:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-03 18:15:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-03 18:15:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-06 15:42:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-07 15:42:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 15:47:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\vtUomlIx.dll
-> C:\Documents and Settings\Michael S Din\winlogon.exe
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsmap.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-07-06 15:52:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-06 22:52:02
ComboFix2.txt 2008-07-06 20:30:00
ComboFix3.txt 2008-07-05 21:50:28

Pre-Run: 90,231,631,872 bytes free
Post-Run: 90,221,228,032 bytes free

249 --- E O F --- 2008-06-19 22:30:48

#8 michaelsdin (Member, Topic Starter)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:28 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Michael S Din\winlogon.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Michael S Din\winlogon.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202868210000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202871325187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: vtUomlIx - C:\WINDOWS\SYSTEM32\vtUomlIx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 5767 bytes

#9 andrewuk (Trusted Helper, Malware Removal)
In this post we will clear the remaining infections I can see and do an online scan to see what is left.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.


====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 4====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Michael S Din\winlogon.exe
C:\WINDOWS\system32\vtUomlIx.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUomlIx]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{85891CF5-118E-44AF-8682-A7B08D33A9E7}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.txt being dragged onto ComboFix.exe)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply could I see:
1. the malwarebytes log
2. the SUPERantispyware log
3. the combofix log
4. the hijackthis log
5. the kaspersky log

Feel free to post them as you get them; I will wait for the Kaspersky log to be posted.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
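The entries the helper picked out of the ComboFix "Reg Loading Points" dump (post #7) and the HijackThis O4/O20 lines (post #8), and the CFScript in Step 4 above, are one decision applied by hand: a binary named winlogon.exe living in the user profile, a random-named DLL registered at ShellExecuteHooks and Winlogon\Notify and dated the day of the scan, and Security Center monitoring and the firewall switched off. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses log lines of that shape, flags entries by those rules and renders the same File::/Registry:: script the helper wrote. The sample log is constructed from the entries above (a subset, not the full log); the system-binary list, the hook-point allowlist and the 7-day recency window are assumptions, and every finding still needs a human look, since a legitimate hook DLL that is not on the allowlist would be flagged too.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample: lines copied in shape from the ComboFix "Reg Loading Points"
# section posted above (a subset, not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Michael S Din\winlogon.exe" [2008-06-27 18:38 53248]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 12:15 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{85891CF5-118E-44AF-8682-A7B08D33A9E7}"= "C:\WINDOWS\system32\vtUomlIx.dll" [2008-07-06 15:49 31232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUomlIx]
2008-07-06 15:49 31232 C:\WINDOWS\system32\vtUomlIx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
SCAN_DATE = datetime(2008, 7, 6)  # date of the ComboFix run the sample comes from

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" [yyyy-mm-dd hh:mm size]  (quotes and the stamp are optional)
VAL_RE = re.compile(r'^"([^"]*)"\s*=\s*"?([^"\[]*?)"?\s*(?:\[(\d{4}-\d\d-\d\d \d\d:\d\d) \d+\])?$')
# Winlogon\Notify subkeys list their DLL as: yyyy-mm-dd hh:mm size path
NOTIFY_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d) \d+ (.+)$')

# Binaries a legitimate install only ever runs from the Windows directory (assumption).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                "smss.exe", "svchost.exe", "explorer.exe"}
# Assumption: default XP SP2 handlers at the two hook points; extend per environment.
KNOWN_HOOK_DLLS = {"wlnotify.dll", "cscdll.dll", "crypt32.dll", "cryptnet.dll",
                   "sclgntfy.dll", "wlballoon.dll", "termsrv.dll", "shell32.dll"}


def parse_entries(text):
    """Yield (key, value_name, data, stamp) per value line under its [key];
    Winlogon\\Notify DLL lines carry no value name (None)."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            yield key, m.group(1), m.group(2).strip(), m.group(3)
        elif key and "winlogon\\notify" in key.lower() and (m := NOTIFY_RE.match(line)):
            yield key, None, m.group(2).strip(), m.group(1)


def assess(key, name, data, stamp, scan_date, recent_days=7):
    """Return the reasons an entry looks malicious (empty list = nothing seen)."""
    reasons, k, low = [], key.lower(), data.lower()
    if low.endswith((".exe", ".dll")):
        p = PureWindowsPath(data)
        base, folder = p.name.lower(), str(p.parent).lower()
        if base in SYSTEM_NAMES and not folder.startswith("c:\\windows"):
            reasons.append(f"{base} is a system binary name but lives outside C:\\WINDOWS")
        if "\\documents and settings\\" in low:
            reasons.append("autostart binary sits in a user-writable profile directory")
        if ("winlogon\\notify" in k or "shellexecutehooks" in k) and base not in KNOWN_HOOK_DLLS:
            reasons.append("non-default DLL registered at a Winlogon/shell hook point")
        if stamp and scan_date - datetime.strptime(stamp, "%Y-%m-%d %H:%M") <= timedelta(days=recent_days):
            reasons.append(f"file dated within {recent_days} days of the scan")
    if "security center" in k and name in ("DisableMonitoring", "AntiVirusDisableNotify") and low == "dword:00000001":
        reasons.append("Security Center monitoring/notification switched off")
    if "firewallpolicy" in k and name == "EnableFirewall" and low.startswith("0"):
        reasons.append("Windows Firewall disabled for this profile")
    return reasons


def triage(text, scan_date):
    """One finding dict per flagged entry, in log order."""
    return [{"key": key, "name": name, "data": data, "reasons": r}
            for key, name, data, stamp in parse_entries(text)
            if (r := assess(key, name, data, stamp, scan_date))]


def cfscript(findings):
    """Render a ComboFix CFScript from the flagged files and their load points.
    Registry:: uses .reg deletion syntax: [-key] drops a whole key (the Winlogon\\Notify
    subkey), "name"=- drops one value (Run, ShellExecuteHooks). Security Center and
    firewall findings are settings to re-enable, not files to delete, so they are not scripted."""
    files, reg = [], []
    for f in findings:
        if not f["data"].lower().endswith((".exe", ".dll")):
            continue
        if f["data"] not in files:
            files.append(f["data"])
        if f["name"] is None:
            reg.append(f"[-{f['key']}]")
        else:
            reg.extend([f"[{f['key']}]", f"\"{f['name']}\"=-"])
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(reg) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, SCAN_DATE)
    for f in found:
        print(f["data"], "<-", "; ".join(f["reasons"]))
    print(cfscript(found))
```

Run against the sample it flags the profile-directory winlogon.exe, both registrations of vtUomlIx.dll, the DisableMonitoring flag and EnableFirewall=0, and leaves razerhid.exe alone; the script it prints lists each file once and removes the Run value, the ShellExecuteHooks value and the whole Notify subkey, which is what Step 4 does by hand.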

#10 michaelsdin (Member, Topic Starter)
Malwarebytes' Anti-Malware 1.19
Database version: 929
Windows 5.1.2600 Service Pack 2

8:37:54 PM 7/6/2008
mbam-log-7-6-2008 (20-37-54).txt

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 84225
Time elapsed: 48 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 17

Memory Processes Infected:
C:\Documents and Settings\Michael S Din\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\pmnlijhe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\vtUomlIx.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\opnlIcDs.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1524c39c-c3fc-4b52-867c-8030e207d24b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1524c39c-c3fc-4b52-867c-8030e207d24b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{85891cf5-118e-44af-8682-a7b08d33a9e7} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85891cf5-118e-44af-8682-a7b08d33a9e7} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtuomlix (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{85891cf5-118e-44af-8682-a7b08d33a9e7} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon Applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnlijhe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnlijhe -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\modtrux18 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bam (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vec3 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pmnlijhe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ehjilnmp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehjilnmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUomlIx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opnlIcDs.dll (Trojan.Vundo) -> Delete on reboot.
C:\QooBox\Quarantine\C\WINDOWS\system32\gowfghyg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\opnnklkl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnOIyY.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqPfcyY.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUlMfFY.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32B3939-BDD3-42F2-A216-190DDA23AEE8}\RP251\A0048224.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32B3939-BDD3-42F2-A216-190DDA23AEE8}\RP254\A0049309.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32B3939-BDD3-42F2-A216-190DDA23AEE8}\RP254\A0049313.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32B3939-BDD3-42F2-A216-190DDA23AEE8}\RP254\A0049314.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F32B3939-BDD3-42F2-A216-190DDA23AEE8}\RP254\A0049315.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bam\covmarNV.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael S Din\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
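The two "Registry Data Items" in this MBAM log are a load point the ComboFix and HijackThis logs above did not show: Vundo had appended c:\windows\system32\pmnlijhe to both the LSA Notification Packages and Authentication Packages lists, which lsass.exe loads at boot, so the DLL would come back whatever happened to the Run key and the hooks. The Python below is an added example, not part of this thread, showing how to audit those lists offline: it decodes the hex(7) REG_MULTI_SZ form that `reg export` writes and compares each entry against a baseline. The .reg fragment is constructed to mirror the data MBAM reported, and the baseline (scecli, msv1_0) is an assumption taken from a clean XP SP2 install; other Windows builds and server roles differ, so build it from a known-good machine of the same build.

```python
import re

# Assumption: default package lists on a clean Windows XP SP2 install.
BASELINE = {
    "Notification Packages": {"scecli"},
    "Authentication Packages": {"msv1_0"},
}

# Constructed sample: what `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg`
# would write for the two lists as MBAM reported them (default module followed by the
# Vundo DLL given as a full path). hex(7) is REG_MULTI_SZ: UTF-16LE strings,
# NUL-separated, double-NUL terminated, wrapped onto continuation lines with "\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,63,00,\
  3a,00,5c,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,73,00,79,00,73,00,\
  74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,6d,00,6e,00,6c,00,69,00,6a,00,68,00,\
  65,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,63,00,3a,00,\
  5c,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,73,00,79,00,73,00,74,00,\
  65,00,6d,00,33,00,32,00,5c,00,70,00,6d,00,6e,00,6c,00,69,00,6a,00,68,00,65,00,\
  00,00,00,00
"""

LSA_VALUE_RE = re.compile(r'^"(Notification Packages|Authentication Packages)"=(hex\(7\):.*)$')


def decode_hex7(value_text):
    """Decode a regedit hex(7) value (possibly spanning continuation lines)
    into its list of strings."""
    body = value_text.split("hex(7):", 1)[1].replace("\\\r\n", "").replace("\\\n", "")
    raw = bytes.fromhex("".join(b.strip() for b in body.split(",") if b.strip()))
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def parse_lsa_export(reg_text):
    """Pull the two package lists out of a .reg export of the Lsa key."""
    lists, name, buf = {}, None, []
    for line in reg_text.splitlines():
        if name is None:
            m = LSA_VALUE_RE.match(line)
            if not m:
                continue
            name, buf = m.group(1), [m.group(2)]
        else:
            buf.append(line.strip())
        if not line.rstrip().endswith("\\"):   # last physical line of this value
            lists[name] = decode_hex7("\n".join(buf))
            name = None
    return lists


def check_lsa_packages(packages, baseline=BASELINE):
    """Return {list name: [(entry, reason), ...]} for every non-default entry.
    Defaults are bare module names that LSA resolves from system32, so an explicit
    path (drive letter or backslash) is itself a red flag: it makes lsass.exe load a
    DLL from anywhere on disk at boot, before any user logs on."""
    findings = {}
    for list_name, entries in packages.items():
        known = {k.lower() for k in baseline.get(list_name, set())}
        for entry in entries:
            e = entry.strip().lower()
            if "\\" in e or ":" in e:
                findings.setdefault(list_name, []).append((entry, "explicit path instead of a module name"))
            elif e not in known:
                findings.setdefault(list_name, []).append((entry, "not a default package"))
    return findings


if __name__ == "__main__":
    for list_name, hits in check_lsa_packages(parse_lsa_export(SAMPLE_REG)).items():
        for entry, reason in hits:
            print(f"{list_name}: {entry} ({reason})")
```

Removing such an entry means editing the REG_MULTI_SZ back to its baseline rather than deleting the value, since LSA needs msv1_0 to authenticate anyone; that is why MBAM reports these as "Registry Data Items" and why the Authentication Packages entry is deferred to "Delete on reboot".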


#11 michaelsdin (Member, Topic Starter)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/06/2008 at 09:30 PM

Application Version : 4.15.1000

Core Rules Database Version : 3497
Trace Rules Database Version: 1488

Scan type : Complete Scan
Total Scan Time : 00:36:08

Memory items scanned : 479
Memory threats detected : 0
Registry items scanned : 4631
Registry threats detected : 0
File items scanned : 42565
File threats detected : 1

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\MICHAEL S DIN\APPLICATION DATA\MALWAREBYTES\MALWAREBYTES' ANTI-MALWARE\QUARANTINE\QUAR1.76557

Adware.Tracking Cookie
ad.yieldmanager.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
adopt.euroclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
ads.revsci.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.burstnet.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.hornymatches.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.hornymatches.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.hornymatches.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.hornymatches.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
software-traffic.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.adecn.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.eyewonder.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.eyewonder.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.ez-tracks.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.ez-tracks.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.ez-tracks.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.hypertracker.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cookies.txt ]

#12 michaelsdin (Member, Topic Starter, 12 posts)

ComboFix 08-07-05.1 - Michael S Din 2008-07-06 21:36:41.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1598 [GMT -7:00]
Running from: C:\Documents and Settings\Michael S Din\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael S Din\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Michael S Din\winlogon.exe
C:\WINDOWS\system32\vtUomlIx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\opnlIcDs.dll
C:\WINDOWS\system32\pmnlijhe.dll
C:\WINDOWS\system32\vtUomlIx.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-06 20:49 . 2008-07-06 20:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-06 20:49 . 2008-07-06 20:49 <DIR> d-------- C:\Documents and Settings\Michael S Din\Application Data\SUPERAntiSpyware.com
2008-07-06 20:49 . 2008-07-06 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-06 19:46 . 2008-07-06 19:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 19:46 . 2008-07-06 19:46 <DIR> d-------- C:\Documents and Settings\Michael S Din\Application Data\Malwarebytes
2008-07-06 19:46 . 2008-07-06 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 19:46 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-06 19:46 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-06 15:55 . 2008-07-06 15:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-06 11:33 . 2008-07-06 11:33 <DIR> d-------- C:\Deckard
2008-07-03 14:25 . 2008-07-06 21:42 4,679 --a------ C:\WINDOWS\system32\Config.MPF
2008-07-03 11:57 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-07-03 11:48 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-03 11:48 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-03 11:48 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-03 11:48 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-03 11:48 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-03 11:48 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-03 11:39 . 2008-07-03 11:39 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03\Application Data\Talkback
2008-07-03 11:36 . 2008-07-03 11:36 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-VS9D6DWP03
2008-07-03 11:25 . 2008-07-03 11:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-07-03 11:22 . 2008-07-03 11:28 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-03 11:14 . 2008-07-03 11:47 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-03 11:14 . 2008-07-03 11:57 <DIR> d-------- C:\Program Files\McAfee
2008-07-03 11:14 . 2008-07-03 11:48 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-03 10:49 . 2008-07-03 10:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2008-07-03 10:48 . 2008-07-03 14:18 <DIR> d--hs---- C:\WINDOWS\WW91ciBVc2VyIE5hbWU
2008-07-03 10:48 . 2008-07-03 10:48 <DIR> d-------- C:\Temp\syschk3
2008-07-03 10:48 . 2008-07-05 14:33 <DIR> d-------- C:\Temp
2008-06-22 16:10 . 2008-06-22 16:10 <DIR> d-------- C:\Documents and Settings\Michael S Din\Application Data\CDBurnerXP_Soft
2008-06-22 16:08 . 2008-06-22 16:09 <DIR> d-------- C:\Program Files\CDBurnerXP
2008-06-11 15:25 . 2004-12-21 16:51 7,794 --a------ C:\WINDOWS\vp171b-2.cat
2008-06-11 15:25 . 2005-03-04 05:41 7,786 --a------ C:\WINDOWS\g90f-3.cat
2008-06-11 15:25 . 2005-03-03 04:36 7,782 --a------ C:\WINDOWS\q51-9.cat
2008-06-11 15:25 . 2004-12-20 11:38 1,224 --a------ C:\WINDOWS\VP171b-2.inf
2008-06-11 15:25 . 2005-03-01 16:43 1,204 --a------ C:\WINDOWS\Q51-9.inf
2008-06-11 15:25 . 2005-03-01 16:43 1,164 --a------ C:\WINDOWS\G90f-3.inf
2008-06-11 15:25 . 2004-09-16 06:18 512 --a------ C:\WINDOWS\VP171b-2.icm
2008-06-11 15:25 . 2004-11-04 01:00 512 --a------ C:\WINDOWS\Q51-9.icm
2008-06-11 15:25 . 2004-07-23 01:00 512 --a------ C:\WINDOWS\G90f-3.icm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 03:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-07 03:06 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\LimeWire
2008-07-06 22:11 --------- d-----w C:\Program Files\World of Warcraft
2008-07-06 18:30 --------- d-----w C:\Program Files\Steam
2008-07-03 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-03 18:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-22 23:14 --------- d-----w C:\Program Files\DivX
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 03:42 --------- d-----w C:\Program Files\Common Files\DirectX
2008-05-24 07:08 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\ATI
2008-05-24 07:05 --------- d-----w C:\Program Files\ATI Technologies
2008-05-24 07:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-17 15:42 --------- d-----w C:\Documents and Settings\Michael S Din\Application Data\Uniblue
2008-05-12 16:30 3,007,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-12 15:02 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-05-12 02:43 --------- d-----w C:\Program Files\Driver Sweeper
2008-05-11 16:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 02:49 22,328 ----a-w C:\Documents and Settings\Michael S Din\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-05_14.49.40.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 21:44:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-07 04:40:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-07 03:49:55 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-07-07 03:49:55 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-07-05 21:19:42 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-07 02:42:15 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-05 21:19:42 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-07 02:42:15 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 12:15 147456]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 13:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-29 08:58 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\steamapps\\liqwiddancin\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 23:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 16:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-03 18:15:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-07-03 18:15:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-06 15:42:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-07 15:42:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 21:40:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-07-06 21:44:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-07 04:44:35
ComboFix2.txt 2008-07-06 22:52:12
ComboFix3.txt 2008-07-06 20:30:00
ComboFix4.txt 2008-07-05 21:50:28

Pre-Run: 92,131,315,712 bytes free
Post-Run: 92,120,629,248 bytes free

196 --- E O F --- 2008-06-19 22:30:48

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:12 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CF11288.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202868210000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202871325187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 5794 bytes

#13 michaelsdin (Member, Topic Starter, 12 posts)

Monday, July 07, 2008 12:37:16 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/07/2008
Kaspersky Anti-Virus database records: 919808
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects: 50238
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 10
Duration of the scan process: 01:14:35

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9918E835-6603-42F2-B70D-E5C55AC0D138}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/winmgnt.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/systemcritical.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip/clrssn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\cert8.db Object is locked skipped
C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\history.dat Object is locked skipped
C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\key3.db Object is locked skipped
C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\parent.lock Object is locked skipped
C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Michael S Din\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Michael S Din\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-7-6-2008( 21-56-58 ).LOG Object is locked skipped
C:\Documents and Settings\Michael S Din\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Application Data\Mozilla\Firefox\Profiles\znl2cssa.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Michael S Din\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael S Din\ntuser.dat Object is locked skipped
C:\Documents and Settings\Michael S Din\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dlvbkbss.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnKdAS.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqRIyAT.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqRJYqn.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F32B3939-BDD3-42F2-A216-190DDA23AEE8}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{595334BB-7424-4156-B3E7-A5F85E5345BC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_BLrImtA0WgNeVRh Object is locked skipped
C:\WINDOWS\Temp\mcmsc_FOImPNlohbf7Zn2 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_TkbzK3k3PvuZAqm Object is locked skipped
C:\WINDOWS\Temp\mcmsc_z4WMWlsGhHVPXyu Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

#14 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hi michaelsdin

Your logs are looking much better. The Kaspersky scan only found infections that were already safely quarantined away.

In this post we will update your Java, scan three files and clear out a couple of folders.



====STEP 1====
Clearing the Java cache:
There is a nice set of instructions at http://www.java.com/.../5000020300.xml

  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel and then the Java Control Panel will appear.
  • Click Settings under Temporary Internet Files and the Temporary Files Settings dialog box appears.
  • Click Delete Files and the Delete Temporary Files dialog box appears.
  • Make sure all three boxes are ticked: Downloaded Applets, Downloaded Applications and Other Files and then Click OK on Delete Temporary Files window. Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\system32\CF11288.exe

Click on the Submit button.

Please also do the same with the following two files:
C:\WINDOWS\G90f-3.inf
C:\WINDOWS\vp171b-2.cat


Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.



====STEP 3====
1. Please open Notepad:
  • Click Start, then Run.
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\WINDOWS\WW91ciBVc2VyIE5hbWU
C:\Temp\syschk3


3. Save the above as CFScript.txt.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

In your next reply could I see:
1. the 3 Jotti reports
2. the ComboFix log
3. the HijackThis log
4. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#15
michaelsdin

    Member

  • Topic Starter
  • 12 posts
C:\WINDOWS\system32\CF11288.exe wouldn't scan for some reason! It says something about a firewall, but I disabled the firewalls and it still said 0 bytes received.

C:\WINDOWS\G90f-3.inf
Scan taken on 07 Jul 2008 23:17:18 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

C:\WINDOWS\vp171b-2.cat
Scan taken on 07 Jul 2008 23:13:55 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing