Alcra Worm HJT Log [CLOSED]


  • This topic is locked

#1
Caleb!
Member, 19 posts
I'm not very good with all this stuff, but I followed the instructions.

Here's my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:14 AM, on 7/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\STK017_V2.01\STK017M.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\17PHolmes1188.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\17PHolmes1000106.exe
C:\WINDOWS\SG9zdA\command.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\mcntokdm.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\limewire\limewire.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HOST\Application Data\Mozilla\Profiles\default\h6lbj8lj.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [{5A-A9-9D-DD-DW}] c:\windows\system32\rwwnw64d.exe DWram02
O4 - HKLM\..\Run: [c435a972] rundll32.exe "C:\WINDOWS\System32\ntsyovsn.dll",b
O4 - HKLM\..\Run: [{e63055ed-7d5b-578f-1a84-915b108f388c}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\hzamsrwugp.dll" DllStart
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\mcntokdm.exe DWram02
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: STK017 PNP Monitor.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11059 bytes

Edited by Caleb!, 10 July 2008 - 12:47 AM.

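
Two things in the log above are what a helper looks at first: a process named svchost.exe running from C:\WINDOWS\Fonts (a genuine svchost.exe lives only in System32) and several Run-key entries that start rundll32.exe with a DLL from System32 as its argument. The script below is an added example, not code from this thread, from HijackThis or from Geeks to Go; it mechanises that first pass over a constructed sample built from paths that appear in the logs posted here. The tables EXPECTED_DIRS and DATA_ONLY_DIRS are assumptions for 32-bit Windows XP, and the function names are the example's own.

```python
"""Added HijackThis triage example: flag impersonated system binaries and rundll32 autoruns."""
import ntpath
import re

# ASSUMPTION: home directory of each frequently impersonated binary on 32-bit
# Windows XP (compared case-insensitively); extend the table for other builds.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# ASSUMPTION: directories that hold data, never executables, on a clean machine.
DATA_ONLY_DIRS = (r"c:\windows\fonts", r"c:\windows\temp", r"c:\temp")

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - Startup: name.lnk = command"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# Leading token of a command line: an optionally quoted executable path, then arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|pif|bat|cmd))"?(?:\s+(?P<args>.*))?$', re.I)
DLL_RE = re.compile(r'"?(?P<dll>[^",]+?\.dll)"?', re.I)


def in_data_only_dir(directory):
    d = directory.lower()
    return any(d == p or d.startswith(p + "\\") for p in DATA_ONLY_DIRS)


def check_path(path, where):
    """Finding if a well-known binary name sits outside its home, or any binary sits in a data-only directory."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path)
    if not directory:  # bare name such as "mHotkey.exe" is resolved via PATH; nothing to compare
        return None
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory.lower() not in expected:
        return f"{where}: {name} running from {directory} (expected {', '.join(sorted(expected))})"
    if in_data_only_dir(directory):
        return f"{where}: {name} running from {directory}, which should not hold executables"
    return None


def triage(log_text):
    """Walk the 'Running processes' section and the O4 autorun lines; return findings in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # the first blank line closes the section
                in_processes = False
                continue
            finding = check_path(line, "process")
            if finding:
                findings.append(finding)
            continue
        match = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if not match:
            continue
        parsed = EXE_RE.match(match.group("cmd").strip())
        if not parsed:  # e.g. "Event Reminder.lnk = ?"
            continue
        path, args = parsed.group("path"), parsed.group("args") or ""
        where = f"autorun [{match.group('name')}]"
        finding = check_path(path, where)
        if finding:
            findings.append(finding)
        # rundll32 executes whatever DLL it is handed, so surface that DLL for review.
        if ntpath.basename(path).lower() == "rundll32.exe":
            dll = DLL_RE.search(args)
            target = dll.group("dll") if dll else "(unparsed)"
            findings.append(f"{where}: rundll32 loads {target}; review this DLL")
    return findings


# Constructed sample, built from paths that appear in the logs in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\explorer.exe
C:\Temp\sonetud5.exe
C:\WINDOWS\System32\rundll32.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [c435a972] rundll32.exe "C:\WINDOWS\System32\ntsyovsn.dll",b
O4 - HKLM\..\Run: [{e63055ed-7d5b-578f-1a84-915b108f388c}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\hzamsrwugp.dll" DllStart
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run directly, it prints five findings: the Fonts copy of svchost.exe (once as a process, once as an autorun), the executable under C:\Temp, and the two rundll32 autoruns with the DLLs they load, while ccApp, ALUNotify and the plain rwwnw64d.exe entry pass untouched. Heuristics like these only rank entries for a person to look at; a random-looking name in System32 is not evidence on its own, which is why the helper in this thread moves on to ComboFix rather than judging the HijackThis log alone.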
#2
Thunderbird1988
Member 2k, 2,416 posts
Hello Caleb! and welcome to Geeks to Go,

I am Thunderbird1988 and I am going to fix your malware problems. If you have questions, feel free to ask.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thunderbird1988

#3
Caleb!
Topic Starter, Member, 19 posts
Sorry it took so long.

It took me all day to run a ComboFix log, because of the millions of pop-ups and everything freezing when I try to exit.

But here's the ComboFix log:

ComboFix 08-07-09.5 - Host 2008-07-10 22:17:06.1 - NTFSx86
Running from: C:\Documents and Settings\Host\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Host\Application Data\SpeedRunner
C:\Documents and Settings\Host\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\Host\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Host\Application Data\SpeedRunner\SRUninstall.exe
C:\Documents and Settings\Host\My Documents\MBOLS~1
C:\Documents and Settings\Host\My Documents\MBOLS~1\??mbols\
C:\Documents and Settings\Host\My Documents\MBOLS~1\scanregw.exe
C:\Documents and Settings\Host\My Documents\SMBOLS~1
C:\Documents and Settings\Host\My Documents\SMBOLS~1\?explore.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\wrri
C:\Program Files\Common Files\wrri\wrria.exe
C:\Program Files\Common Files\wrri\wrria.lck
C:\Program Files\Common Files\wrri\wrrid\class-barrel
C:\Program Files\Common Files\wrri\wrrid\vocabulary
C:\Program Files\Common Files\wrri\wrrid\wrric.dll
C:\Program Files\Common Files\wrri\wrrih
C:\Program Files\Common Files\wrri\wrril.exe
C:\Program Files\Common Files\wrri\wrril.lck
C:\Program Files\Common Files\wrri\wrrim.exe
C:\Program Files\Common Files\wrri\wrrim.lck
C:\Program Files\Common Files\wrri\wrrip.exe
C:\Program Files\GetPack
C:\Program Files\GetPack\dictame.gz
C:\Program Files\GetPack\GetPack19.exe
C:\Program Files\GetPack\trgtame.gz
C:\Program Files\inetget2
C:\Program Files\mjc
C:\Program Files\mjc\mjc.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\Sakora
C:\Program Files\Sakora\Sakora.exe
C:\Program Files\spysheriff
C:\Program Files\spysheriff\base.avd
C:\Program Files\spysheriff\base001.avd
C:\Program Files\spysheriff\base002.avd
C:\Program Files\spysheriff\found.wav
C:\Program Files\spysheriff\heur000.dll
C:\Program Files\spysheriff\heur001.dll
C:\Program Files\spysheriff\heur002.dll
C:\Program Files\spysheriff\heur003.dll
C:\Program Files\spysheriff\notfound.wav
C:\Program Files\spysheriff\removed.wav
C:\Program Files\spysheriff\SpySheriff.dvm
C:\Program Files\spysheriff\SpySheriff.exe
C:\Program Files\spysheriff\Uninstall.exe
C:\Program Files\Temporary
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191379675.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\444.470
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\SG9zdA\
C:\WINDOWS\SG9zdA\\asappsrv.dll
C:\WINDOWS\SG9zdA\\command.exe
C:\WINDOWS\SG9zdA\\m36WxE.vbs
C:\WINDOWS\SG9zdA\command.exe
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\drivers\fastfatt.sys
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hzamsrwugp.dll
C:\WINDOWS\system32\iiffDUmL.dll
C:\WINDOWS\system32\josbdr.dll
C:\WINDOWS\system32\kywhbwsv.dll
C:\WINDOWS\system32\LmUDffii.ini
C:\WINDOWS\system32\LmUDffii.ini2
C:\WINDOWS\system32\mcntokdm.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nsvoystn.ini
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqRHyvWN.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\uaprik.dll
C:\WINDOWS\system32\utunldix.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xidlnutu.ini
C:\WINDOWS\system32\yyhkodds.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\wrri
C:\WINDOWS\wrri\wrri.dat
C:\WINDOWS\wrri\wu

----- BITS: Possible infected sites -----

hxxp://dna65.fastaccess.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_FASTFATT
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_cmdService
-------\Service_fastfatt
-------\Service_Network Monitor
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-10 22:39 . 2008-07-10 22:39 49,172 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-07-10 22:39 . 2008-07-10 22:40 36 --a------ C:\WINDOWS\system32\msnav32.ax
2008-07-10 13:47 . 2008-07-10 13:47 90,922 --a------ C:\WINDOWS\system32\nwgjmqahpj.dll-uninst.exe
2008-07-10 12:21 . 2008-07-10 12:21 110,419 --a------ C:\WINDOWS\BMc7069aee.xml
2008-07-10 09:50 . 2008-07-10 09:50 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-07-10 09:34 . 2008-07-10 09:34 49,167 --a------ C:\WINDOWS\system32\jnwnw64n.exe
2008-07-10 01:53 . 2008-07-10 01:53 <DIR> d-------- C:\Program Files\iCheck
2008-07-10 01:51 . 2008-07-10 01:51 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-07-10 01:48 . 2008-07-10 01:48 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
2008-07-10 01:43 . 2008-07-10 01:43 <DIR> d-------- C:\Program Files\Webtools
2008-07-10 01:16 . 2008-07-10 01:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 01:00 . 2008-07-10 01:00 <DIR> d-------- C:\New Folder
2008-07-10 01:00 . 2008-07-10 01:02 <DIR> d-------- C:\BFU
2008-07-10 00:20 . 2008-07-10 00:20 152,243 --a------ C:\WINDOWS\system32\g66.exe
2008-07-10 00:20 . 2008-07-10 00:20 64,332 --a------ C:\WINDOWS\system32\aekgipeosr.exe
2008-07-10 00:14 . 2008-07-10 00:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HPAppData
2008-07-10 00:13 . 2008-07-10 00:13 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-07-10 00:10 . 2008-07-10 00:10 <DIR> d-------- C:\WINDOWS\system32\tfig
2008-07-10 00:10 . 2008-07-10 00:10 <DIR> d-------- C:\WINDOWS\system32\net
2008-07-10 00:10 . 2008-07-10 00:10 <DIR> d-------- C:\WINDOWS\system32\cREG
2008-07-10 00:10 . 2008-07-10 00:10 <DIR> d-------- C:\WINDOWS\system32\1030
2008-07-10 00:10 . 2008-07-10 00:10 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-07-10 00:10 . 2008-07-10 00:10 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-07-10 00:10 . 2008-07-10 00:10 244,993 --a------ C:\Temp\sonetud5.exe
2008-07-10 00:10 . 2008-07-10 00:10 167,976 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-07-10 00:10 . 2008-07-10 00:10 41,984 --a------ C:\WINDOWS\mrofinu1188.exe
2008-07-10 00:10 . 2008-07-10 00:10 41,984 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-07-10 00:10 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-07-10 00:09 . 2008-07-10 00:09 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-10 00:09 . 2008-07-10 00:10 <DIR> d-------- C:\Temp\stmpv4
2008-07-07 10:38 . 2008-07-07 07:38 91,648 --a------ C:\WINDOWS\b152.exe
2008-07-05 00:15 . 2008-07-05 00:15 32,768 --a------ C:\WINDOWS\system32\olixds18\olixds182328.exe
2008-07-03 09:45 . 2008-07-03 09:45 364,544 --a------ C:\WINDOWS\system32\nwgjmqahpj.dll
2008-07-02 05:32 . 2008-07-02 02:32 74,752 --a------ C:\WINDOWS\b155.exe
2008-06-25 10:47 . 2008-06-25 07:47 41,984 --a------ C:\WINDOWS\b156.exe
2008-06-18 11:21 . 2008-06-18 08:21 215,040 --a------ C:\WINDOWS\b148.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 01:47 --------- d-----w C:\Documents and Settings\Host\Application Data\LimeWire
2008-07-10 05:34 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-10 05:18 --------- d-----w C:\Program Files\LimeWire
2008-06-30 00:56 --------- d-----w C:\Program Files\Diablo II
2008-05-28 01:43 --------- d-----w C:\Program Files\VstPlugins
2008-05-28 01:43 --------- d-----w C:\Program Files\Image-Line
2008-04-14 15:08 46,592 ----a-w C:\WINDOWS\b157.exe
2008-01-15 21:34 140,800 --sh--w C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
2007-10-01 22:58 66,269 ----a-w C:\Program Files\INSTALL.LOG
2007-03-26 11:35 1,198,484 ----a-w C:\Documents and Settings\Host\Application Data\Install.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 70,816 2003-11-10 13:30:02 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 35,852 2007-01-02 02:25:16 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 49,152 2005-05-12 05:12:54 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2007-03-12 02:34:40 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

----a-w 77,824 2005-05-20 01:00:19 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-12-11 16:56:54 C:\Program Files\QuickTime\QTTask.exe

----a-w 885,760 2002-01-28 12:48:50 C:\WINDOWS\system32\bak\LXSUPMON.EXE
----a-w 35,852 2007-01-02 02:25:16 C:\WINDOWS\system32\LXSUPMON.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4b15cf7e-eb43-901e-0915-d5768d3d2901}]
2008-07-03 09:45 364544 --a------ C:\WINDOWS\System32\nwgjmqahpj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 10:35 333824 --a------ C:\WINDOWS\System32\mysidesearch_sidebar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Whp"="C:\Documents and Settings\Host\My Documents\s?mbols\?explore.exe" [?]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [N/A]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"mjc"="C:\Program Files\mjc\mjc.exe" [N/A]
"Sakora"="C:\Program Files\Sakora\Sakora.exe" [N/A]
"Usrr"="C:\DOCUME~1\Host\MYDOCU~1\MBOLS~1\scanregw.exe" [N/A]
"GetPack19"="C:\Program Files\GetPack\GetPack19.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.EXE" [2007-01-01 21:25 35852]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-01 21:25 35852]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-03-26 15:03 95960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 12:14 2061816]
"MotiveReportAgent"="C:\Program Files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 13:14 204800]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"HelpCenter4.1"="C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe" [2007-04-12 21:59 198184]
"{5A-A9-9D-DD-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-07-10 22:39 49172]
"{e63055ed-7d5b-578f-1a84-915b108f388c}"="C:\WINDOWS\System32\hzamsrwugp.dll" [N/A]
"c435a972"="C:\WINDOWS\System32\utunldix.dll" [N/A]
"BMc7069aee"="C:\WINDOWS\System32\kywhbwsv.dll" [N/A]
"ExploreUpdSched"="C:\WINDOWS\System32\mcntokdm.exe" [2008-07-10 22:50 192582]
"CHotkey"="mHotkey.exe" [2002-07-23 14:09 477184 C:\WINDOWS\mHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 19:38 54472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0a\aoltray.exe [2003-03-09 09:54:23 36939]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2002-12-24 09:13:37 217162]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2002-12-24 09:29:38 1730096]
Event Planner Reminders Tray Icon.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2003-04-23 18:08:57 184320]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [2003-10-05 21:07:52 331776]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 22:56:14 282624]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-05-26 15:59:38 1073152]
STK017 PNP Monitor.lnk - C:\Program Files\STK017_V2.01\STK017M.exe [2007-06-17 22:36:28 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blspcloader]
C:\Program Files\BellSouth Internet Tools\blsloader.exe [N/A]

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
S3 DCamUSBSTK017;STK017 Camera;C:\WINDOWS\System32\DRIVERS\STK017W2.sys [2003-11-17 20:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-07-04 21:22:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-05 03:48:53 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Host.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-07-11 03:37:40 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 22:39:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AOL\AIM Toolbar 5.0\AolTbServer.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-07-10 22:57:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-11 03:57:28

Pre-Run: 57,288,183,808 bytes free
Post-Run: 65,528,860,672 bytes free

292

I'll post the HijackThis log in another post.

#4
Caleb!
Topic Starter, Member, 19 posts
Here's the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:18 PM, on 7/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\STK017_V2.01\STK017M.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\System32\mcntokdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HOST\Application Data\Mozilla\Profiles\default\h6lbj8lj.slt\prefs.js)
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: mysidesearch search enhancer - {4b15cf7e-eb43-901e-0915-d5768d3d2901} - C:\WINDOWS\System32\nwgjmqahpj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [{5A-A9-9D-DD-DW}] c:\windows\system32\rwwnw64d.exe DWram02
O4 - HKLM\..\Run: [{e63055ed-7d5b-578f-1a84-915b108f388c}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\hzamsrwugp.dll" DllStart
O4 - HKLM\..\Run: [c435a972] rundll32.exe "C:\WINDOWS\System32\utunldix.dll",b
O4 - HKLM\..\Run: [BMc7069aee] Rundll32.exe "C:\WINDOWS\System32\kywhbwsv.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - HKCU\..\Run: [Usrr] "C:\DOCUME~1\Host\MYDOCU~1\MBOLS~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Whp] "C:\Documents and Settings\Host\My Documents\s?mbols\?explore.exe"
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: STK017 PNP Monitor.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11847 bytes



My computer seems to be working like normal after ComboFix did its thing.

But if I need to do anything else, tell me.

#5 Thunderbird1988 (Member 2k, 2,416 posts)

Hello Caleb!,

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nwgjmqahpj.dll-uninst.exe
C:\WINDOWS\BMc7069aee.xml
C:\WINDOWS\system32\jnwnw64n.exe
C:\WINDOWS\system32\pinkip.ico
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\WINDOWS\system32\g66.exe
C:\WINDOWS\system32\aekgipeosr.exe
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\atmtd.dll
C:\Temp\sonetud5.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\b152.exe
C:\WINDOWS\system32\nwgjmqahpj.dll
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b148.exe
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\WINDOWS\System32\nwgjmqahpj.dll
C:\WINDOWS\System32\mysidesearch_sidebar.dll

Folder::
C:\Program Files\iCheck
C:\Program Files\Webtools
C:\WINDOWS\system32\tfig
C:\WINDOWS\system32\net
C:\WINDOWS\system32\cREG
C:\WINDOWS\system32\1030
C:\WINDOWS\system32\olixds18
C:\Temp\stmpv4

AWF::
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\bak\LXSUPMON.EXE

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{5A-A9-9D-DD-DW}"=-
"{e63055ed-7d5b-578f-1a84-915b108f388c}"=-
"c435a972"=-
"BMc7069aee"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4b15cf7e-eb43-901e-0915-d5768d3d2901}]
[-HKEY_CLASSES_ROOT\CLSID\{4b15cf7e-eb43-901e-0915-d5768d3d2901}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sakora"=-
"Usrr"=-
"Whp"=-
"GetPack19"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

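As an added example, not code from the thread or from ComboFix, here is a Python dry-run reader for the CFScript format used above: it lists what each File::, Folder::, AWF:: and Registry:: directive asks for and matches every `"Name"=-` deletion to the HijackThis O4 Run line it targets, so a script can be reviewed against the log before it is dragged onto ComboFix. It assumes the directive meanings given in the comments (AWF:: entries are taken as originals to put back from a bak folder), and the sample script and O4 lines are constructed from the ones posted in this thread.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: a shortened copy of the CFScript posted in the thread.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\BMc7069aee.xml

Folder::
C:\Program Files\iCheck
AWF::
C:\WINDOWS\system32\bak\LXSUPMON.EXE
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{5A-A9-9D-DD-DW}"=-
"BMc7069aee"=-
[-HKEY_CLASSES_ROOT\CLSID\{4b15cf7e-eb43-901e-0915-d5768d3d2901}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sakora"=-
"GetPack19"=-
"""

# Constructed sample: O4 lines from the thread's HijackThis log; GetPack19 left out on purpose.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN",
    r"O4 - HKLM\..\Run: [{5A-A9-9D-DD-DW}] c:\windows\system32\rwwnw64d.exe DWram02",
    r'O4 - HKLM\..\Run: [BMc7069aee] Rundll32.exe "C:\WINDOWS\System32\kywhbwsv.dll",s',
    r"O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe",
]

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")      # "[Key]" selects, "[-Key]" deletes
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')          # '"Name"=-' deletes that value
HJT_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
HIVE = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    awf_restore: list = field(default_factory=list)      # assumed: put original back from bak\
    reg_keys_deleted: list = field(default_factory=list)
    reg_values_deleted: list = field(default_factory=list)  # (key, value name)
    unknown: list = field(default_factory=list)           # lines this parser did not understand

def parse_cfscript(text):
    """Turn the section-based CFScript syntax into a Plan without touching the system."""
    plan, section, current_key = Plan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # new "Name::" section resets the key context
            section, current_key = m.group(1).lower(), None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "awf":
            plan.awf_restore.append(line)
        elif section == "registry":
            km, vm = KEY_RE.match(line), VALUE_DEL_RE.match(line)
            if km and km.group(1) == "-":       # whole key goes away
                plan.reg_keys_deleted.append(km.group(2))
                current_key = None
            elif km:                            # following "Name"=- lines apply to this key
                current_key = km.group(2)
            elif vm and current_key:
                plan.reg_values_deleted.append((current_key, vm.group(1)))
            else:
                plan.unknown.append(line)
        else:
            plan.unknown.append(line)
    return plan

def cross_check(plan, hjt_lines):
    """Map each Registry:: value deletion to the HijackThis O4 Run line it targets.
    Returns (matched {name: command}, unmatched [names with no O4 line])."""
    seen = {}
    for line in hjt_lines:
        m = HJT_O4_RE.match(line.strip())
        if m:
            seen[(HIVE[m.group(1)], m.group(2))] = m.group(3)
    matched, unmatched = {}, []
    for key, name in plan.reg_values_deleted:
        hive = key.split("\\", 1)[0]             # HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
        if (hive, name) in seen:
            matched[name] = seen[(hive, name)]
        else:
            unmatched.append(name)
    return matched, unmatched

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    matched, unmatched = cross_check(plan, SAMPLE_HJT)
    print("files:", plan.files, "\nfolders:", plan.folders, "\nawf:", plan.awf_restore)
    print("keys:", plan.reg_keys_deleted, "\nvalues matched in log:", matched)
    print("values with no O4 line:", unmatched, "\nunparsed:", plan.unknown)
```

A value the script deletes but the log never shows (GetPack19 in the sample) is worth a second look before running, as is anything landing in `unknown`.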

#6 Caleb! (Topic Starter, Member, 19 posts)

COMBOFIX LOG

ComboFix 08-07-09.5 - Host 2008-07-11 10:22:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.205 [GMT -5:00]
Running from: C:\Documents and Settings\Host\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Host\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\Temp\sonetud5.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\BMc7069aee.xml
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\aekgipeosr.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g66.exe
C:\WINDOWS\system32\jnwnw64n.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\System32\mysidesearch_sidebar.dll
C:\WINDOWS\System32\nwgjmqahpj.dll
C:\WINDOWS\system32\nwgjmqahpj.dll
C:\WINDOWS\system32\nwgjmqahpj.dll-uninst.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\uninstall_nmon.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\Program Files\iCheck
C:\Program Files\iCheck\iCheck.exe
C:\Program Files\iCheck\Uninstall.exe
C:\Program Files\Webtools
C:\Program Files\Webtools\webtools.dll
C:\Temp\sonetud5.exe
C:\Temp\stmpv4
C:\Temp\stmpv4\bnwe7.log
C:\WINDOWS\b148.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\BMc7069aee.xml
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\1030
C:\WINDOWS\system32\1030\icmsetup.exe
C:\WINDOWS\system32\aekgipeosr.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\cREG
C:\WINDOWS\system32\cREG\bmndird.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g66.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\jnwnw64n.exe
C:\WINDOWS\system32\mcntokdm.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\net
C:\WINDOWS\system32\net\jvvtmp3.exe
C:\WINDOWS\system32\nwgjmqahpj.dll-uninst.exe
C:\WINDOWS\system32\nwgjmqahpj.dll
C:\WINDOWS\system32\olixds18
C:\WINDOWS\system32\olixds18\olixds182328.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tfig
C:\WINDOWS\system32\tfig\ichnewu.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-10 09:50 . 2008-07-10 09:50 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-07-10 01:16 . 2008-07-10 01:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 01:00 . 2008-07-10 01:00 <DIR> d-------- C:\New Folder
2008-07-10 01:00 . 2008-07-10 01:02 <DIR> d-------- C:\BFU
2008-07-10 00:14 . 2008-07-10 00:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HPAppData
2008-07-10 00:13 . 2008-07-10 00:13 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 15:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-11 15:22 --------- d-----w C:\Program Files\QuickTime
2008-07-11 01:47 --------- d-----w C:\Documents and Settings\Host\Application Data\LimeWire
2008-07-10 05:34 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-10 05:18 --------- d-----w C:\Program Files\LimeWire
2008-06-30 00:56 --------- d-----w C:\Program Files\Diablo II
2008-06-29 17:53 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-28 01:43 --------- d-----w C:\Program Files\VstPlugins
2008-05-28 01:43 --------- d-----w C:\Program Files\Image-Line
2008-04-14 15:08 46,592 ----a-w C:\WINDOWS\b157.exe
2007-10-01 22:58 66,269 ----a-w C:\Program Files\INSTALL.LOG
2007-03-26 11:35 1,198,484 ----a-w C:\Documents and Settings\Host\Application Data\Install.dat
.

((((((((((((((((((((((((((((( [email protected]_22.49.34.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-11 03:36:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-11 14:33:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-11 03:37:27 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-11 14:37:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-11 03:37:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-11 14:37:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-11 03:37:27 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-11 14:37:01 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-01-02 02:25:16 35,852 ----a-w C:\WINDOWS\system32\LXSUPMON.EXE
+ 2002-01-28 12:48:50 885,760 ----a-w C:\WINDOWS\system32\LXSUPMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.EXE" [2002-01-28 07:48 885760]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 08:30 70816]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2005-05-19 20:00 77824]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-03-26 15:03 95960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 12:14 2061816]
"MotiveReportAgent"="C:\Program Files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 13:14 204800]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"HelpCenter4.1"="C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe" [2007-04-12 21:59 198184]
"CHotkey"="mHotkey.exe" [2002-07-23 14:09 477184 C:\WINDOWS\mHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 19:38 54472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0a\aoltray.exe [2003-03-09 09:54:23 36939]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2002-12-24 09:13:37 217162]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2002-12-24 09:29:38 1730096]
Event Planner Reminders Tray Icon.lnk - C:\Program Files\Sierra\Planner\PLNRnote.exe [2003-04-23 18:08:57 184320]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [2003-10-05 21:07:52 331776]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 22:56:14 282624]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-05-26 15:59:38 1073152]
STK017 PNP Monitor.lnk - C:\Program Files\STK017_V2.01\STK017M.exe [2007-06-17 22:36:28 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-04 21:22:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-05 03:48:53 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Host.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-07-11 14:37:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
HKCU-Run-mjc - C:\Program Files\mjc\mjc.exe
MSConfigStartUp-blspcloader - C:\Program Files\BellSouth Internet Tools\blsloader.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 10:26:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-11 10:29:04
ComboFix-quarantined-files.txt 2008-07-11 15:28:33
ComboFix2.txt 2008-07-11 03:57:37

Pre-Run: 65,439,662,080 bytes free
Post-Run: 65,429,970,944 bytes free

182



HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:43 AM, on 7/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\Program Files\Common Files\Motive\BellSouthBrowser.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\STK017_V2.01\STK017M.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HOST\Application Data\Mozilla\Profiles\default\h6lbj8lj.slt\prefs.js)
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\BellSouthBrowser.exe" /hidden
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jnwnw64n.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: STK017 PNP Monitor.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10587 bytes

#7 Thunderbird1988 (Member 2k, 2,416 posts)

Hello Caleb!,

I strongly recommend you uninstall LimeWire; this program causes a lot of infections, and also because it makes copyright infringements possible, the use of it is forbidden in many countries.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jnwnw64n.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\b157.exe

After that, reboot.

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

After that please tell me how your system is running.

Thunderbird1988

#8 Thunderbird1988 (Member 2k, 2,416 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.