antivirusxp08 [RESOLVED]


  • This topic is locked

#46
mbrikha (Topic Starter, Member, 47 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:06 PM, on 8/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\aol\1139186156\ee\anotify.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://i21.photobuck...Grl90/black.jpg

--
End of file - 7311 bytes
  • 0



#47
fenzodahl512 (Malware Removal, 9,863 posts)
Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\system32\drivers\ip6fw.sys
    • C:\WINDOWS\System32\SVKP.sys
    • C:\WINDOWS\System32\DRIVERS\sonypvd2.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.



NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\WINDOWS\System32\dccnncr.exe

File::
C:\WINDOWS\system32\55.tmp
C:\WINDOWS\system32\AE.tmp
C:\WINDOWS\{7026FA23-A796-43C9-BF9D-223558230A97}.dat
C:\WINDOWS\{C70DBAF0-79B6-4F26-A6D9-40DD6412DCD2}.dat
C:\WINDOWS\system32\ovjy.dll
C:\WINDOWS\system32\vdfvqydc.dll
C:\WINDOWS\system32\{1F0BCF34-AF6E-4B35-AC62-AEF898B1D097}.dat
C:\WINDOWS\system32\{8444D0C8-A2A4-4623-9B9E-B04F8589CCEB}.dat

Folder::
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b]

AWF::
C:\Program Files\Common Files\AOL\1139186156\ee\bak\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1139186156\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
C:\Program Files\COMPAQ\Coloreal\bak\coloreal.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe
C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe
C:\Program Files\Microsoft Money\System\bak\Activation.exe
C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe
C:\WINDOWS\SMINST\bak\RECGUARD.EXE
C:\WINDOWS\system\bak\hpsysdrv.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • VirScan.org result
  • Combofix.txt
  • A new HijackThis log.

  • 0

#48
mbrikha (Topic Starter, Member, 47 posts)
do i put each of these separately?
* C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\System32\SVKP.sys
C:\WINDOWS\System32\DRIVERS\sonypvd2.sys
  • 0

#49
mbrikha (Topic Starter, Member, 47 posts)
ok, so when i try to press upload, nothing happens
  • 0

#50
fenzodahl512 (Malware Removal, 9,863 posts)

do i put each of these separately?
* C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\System32\SVKP.sys
C:\WINDOWS\System32\DRIVERS\sonypvd2.sys


Yup.. you have to upload it one file at a time.. not all three of them.. Please try again.. if VirScan is busy, try VirusTotal instead.. I already gave the link to you at my previous instruction..
  • 0

#51
mbrikha (Topic Starter, Member, 47 posts)
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.28 -
Authentium 5.1.0.4 2008.07.29 -
Avast 4.8.1195.0 2008.07.28 -
AVG 8.0.0.130 2008.07.28 -
BitDefender 7.2 2008.07.29 -
CAT-QuickHeal 9.50 2008.07.28 -
ClamAV 0.93.1 2008.07.29 -
DrWeb 4.44.0.09170 2008.07.28 -
eSafe 7.0.17.0 2008.07.28 -
eTrust-Vet 31.6.5991 2008.07.29 -
Ewido 4.0 2008.07.28 -
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.29 -
Fortinet 3.14.0.0 2008.07.29 -
GData 2.0.7306.1023 2008.07.29 -
Ikarus T3.1.1.34.0 2008.07.29 -
Kaspersky 7.0.0.125 2008.07.29 -
McAfee 5348 2008.07.28 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3304 2008.07.28 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.28 -
PCTools 4.4.2.0 2008.07.28 -
Prevx1 V2 2008.07.29 -
Rising 20.55.02.00 2008.07.28 -
Sophos 4.31.0 2008.07.29 -
Sunbelt 3.1.1536.1 2008.07.28 -
Symantec 10 2008.07.29 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.29 -
VBA32 3.12.8.1 2008.07.28 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.28 -
Webwasher-Gateway 6.6.2 2008.07.29 -
Additional information
File size: 29056 bytes
MD5...: 4448006b6bc60e6c027932cfc38d6855
SHA1..: 677304e575660642bced544266126131ff6ed75f
SHA256: c377235ebe475c281acb6a3267f12d8fe623433f05134a6ce50562414f94d7b1
SHA512: 2a064f12541fca6f7909160fb0bee46e13c0e099c695e61190c630c94c005d4b3cb2acf575b2430ec6f5bde384040f4647c62e49c1b564d02b0e83ce0b4da963
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159c2
timedatestamp.....: 0x41107b64 (Wed Aug 04 06:00:04 2004)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x41f0 0x4200 6.40 52a5b342d8ca33c3b7ff834dec70ff44
.rdata 0x4500 0x2d4 0x300 3.42 274f5394e9de53f478d2fd955c54c685
.data 0x4800 0x944 0x980 0.39 18a5a02194890ded98c09bed000178b4
PAGE 0x5180 0x17e 0x180 5.56 69f3fb6a3fe67d9c23dfbbe40a13ea53
INIT 0x5300 0xdda 0xe00 6.13 39bbe34f60ad1f2810966b4e05d1de50
.rsrc 0x6100 0xa30 0xa80 6.29 e318c0d1cc7d1e40ea5bb635fd4864db
.reloc 0x6b80 0x5dc 0x600 6.07 6abd820c93b9aa575526436e852c30bf

( 4 imports )
> ntoskrnl.exe: KeInitializeSpinLock, RtlCopyUnicodeString, ZwQueryValueKey, ZwClose, RtlInitUnicodeString, ZwOpenKey, ObReleaseObjectSecurity, ObSetSecurityObjectByPointer, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, RtlDeleteAce, RtlEqualSid, SeExports, RtlGetAce, RtlGetDaclSecurityDescriptor, ObGetObjectSecurity, KeInitializeEvent, KeSetEvent, KeWaitForSingleObject, IoDeleteDevice, IoDeleteSymbolicLink, IoCreateSymbolicLink, _except_handler3, KefReleaseSpinLockFromDpcLevel, RtlSplay, KefAcquireSpinLockAtDpcLevel, KeTickCount, IoWMIRegistrationControl, IoWMIWriteEvent, KeQuerySystemTime, KeInsertQueueDpc, ExAllocatePoolWithTagPriority, InterlockedPopEntrySList, InterlockedPushEntrySList, ExDeleteNPagedLookasideList, RtlDelete, KeInitializeDpc, ExInitializeNPagedLookasideList, KeCancelTimer, KeSetTimerEx, _alldiv, KeInitializeTimer, KeQueryTimeIncrement, KeBugCheckEx, ExGetPreviousMode, MmUserProbeAddress, ExRaiseAccessViolation, ExAllocatePoolWithTag, ExFreePoolWithTag, PsGetCurrentProcessId, IoCreateDevice, IofCompleteRequest
> HAL.dll: KfAcquireSpinLock, KfRaiseIrql, KfLowerIrql, KfReleaseSpinLock
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest
> tcpip6.sys: IPv6DisableFirewallHook, IPv6ObtainPacketData, IPv6GetBestRouteInfo, IPv6EnableFirewallHook

( 0 exports )
  • 0

#52
mbrikha (Topic Starter, Member, 47 posts)
AhnLab-V3 2008.7.29.1 2008.07.29 -
AntiVir 7.8.1.12 2008.07.29 -
Authentium 5.1.0.4 2008.07.30 -
Avast 4.8.1195.0 2008.07.29 -
AVG 8.0.0.130 2008.07.29 -
BitDefender 7.2 2008.07.30 -
CAT-QuickHeal 9.50 2008.07.29 TrojanSpy.Joiner.av
ClamAV 0.93.1 2008.07.29 -
DrWeb 4.44.0.09170 2008.07.29 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5994 2008.07.30 -
Ewido 4.0 2008.07.29 -
F-Prot 4.4.4.56 2008.07.30 -
F-Secure 7.60.13501.0 2008.07.29 -
Fortinet 3.14.0.0 2008.07.29 -
GData 2.0.7306.1023 2008.07.29 -
Ikarus T3.1.1.34.0 2008.07.30 -
Kaspersky 7.0.0.125 2008.07.30 -
McAfee 5349 2008.07.29 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3308 2008.07.29 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.29 -
PCTools 4.4.2.0 2008.07.29 -
Prevx1 V2 2008.07.30 -
Rising 20.55.12.00 2008.07.29 -
Sophos 4.31.0 2008.07.29 -
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.30 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.29 -
VBA32 3.12.8.1 2008.07.29 -
ViRobot 2008.7.29.1315 2008.07.29 Trojan.Win32.Joiner.2368
VirusBuster 4.5.11.0 2008.07.29 -
Webwasher-Gateway 6.6.2 2008.07.29 -
Additional information
File size: 2368 bytes
MD5...: f05028b163b92c302a74409d683ac9b0
SHA1..: 74a943b9f3bf63f8de5c3175f96366b24a661067
SHA256: c43a744c18d12b8214e75f67c557974564f24ec318807bbe796b26619fce7154
SHA512: 6b03105a7ea5ae7ddd88ec83a4fbd12e495bbc21ab90484cfadf178583771ee9a059823500b3d2c485600d0bc3b2455144ef5ffc651b44566c7f1b737a5d2cb5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1043c
timedatestamp.....: 0x3e6cafde (Mon Mar 10 15:31:42 2003)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2a0 0x110 0x120 5.12 7dad7d6ca221d6725388d90f719d0c20
.data 0x3c0 0x28 0x40 1.74 e741cf2e01e1bea59fcfd4a89d4358ad
INIT 0x400 0x18a 0x1a0 5.03 7b36305b5ff4cad3eeaca307bbb0fd60
.rsrc 0x5a0 0x350 0x360 3.18 46fab0e7c9b34889fdfead1c6e17eae8
.reloc 0x900 0x34 0x40 3.39 a963ac053cb6e23a9fbf797befe868bb

( 1 imports )
> ntoskrnl.exe: IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IoCompleteRequest

( 0 exports )
ThreatExpert info: http://www.threatexp...a74409d683ac9b0
  • 0

#53
mbrikha (Topic Starter, Member, 47 posts)
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.08.01 -
Avast 4.8.1195.0 2008.08.01 -
AVG 8.0.0.156 2008.08.01 -
BitDefender 7.2 2008.08.02 -
CAT-QuickHeal 9.50 2008.08.01 -
ClamAV 0.93.1 2008.08.02 -
DrWeb 4.44.0.09170 2008.08.01 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.6002 2008.08.02 -
Ewido 4.0 2008.08.01 -
F-Prot 4.4.4.56 2008.08.01 -
F-Secure 7.60.13501.0 2008.08.01 -
Fortinet 3.14.0.0 2008.08.01 -
GData 2.0.7306.1023 2008.08.02 -
Ikarus T3.1.1.34.0 2008.08.02 -
K7AntiVirus 7.10.402 2008.08.01 -
Kaspersky 7.0.0.125 2008.08.02 -
McAfee 5352 2008.08.01 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3318 2008.08.01 -
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.02 -
PCTools 4.4.2.0 2008.08.01 -
Prevx1 V2 2008.08.02 -
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.02 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.02 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.01 -
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.08.01 -
Webwasher-Gateway 6.6.2 2008.08.01 -
Additional information
File size: 64093 bytes
MD5...: 4101a5a53d93a7c6d059e630992b9149
SHA1..: 0babf32764edf283ff53a96d6b0ed2ba01413021
SHA256: f88ba1db9614c8f92ab6828919bdee2dca5a826a3225721a92c4737cefdce1f8
SHA512: 6649194a058ea9be1fb3a10b691dba62d9aea03cf619c60022946658b562b8279ec35601368e7fa2d140376968c1be9f8942fd509f239ce13c4650267a1d70bf
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1d980
timedatestamp.....: 0x3ef7a97e (Tue Jun 24 01:29:34 2003)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x82d8 0x8300 6.54 308853f675e2e71c15727615d0edc1a5
.data 0x8600 0xc0 0x100 2.98 c7dfb4f25bc9e0688ebbec5d84df5bc3
PAGE 0x8700 0x5251 0x5280 6.52 5ac576bba786b352756f28ae620a3156
INIT 0xd980 0x131c 0x1380 5.95 d6581b0e808c9eeca456226fd2d07ce0
.rsrc 0xed00 0x3e0 0x400 3.14 8419fce225446b55dbc48feebbef1c6f
.reloc 0xf100 0x8f6 0x900 6.18 3cd3d75b33643def48cf39abfafe1640

( 2 imports )
> ntoskrnl.exe: IoAllocateIrp, ExAllocatePoolWithTag, ZwClose, RtlWriteRegistryValue, KeInitializeEvent, RtlQueryRegistryValues, ZwCreateKey, RtlInitUnicodeString, IoOpenDeviceRegistryKey, RtlFreeUnicodeString, RtlAnsiStringToUnicodeString, ZwOpenKey, InterlockedIncrement, RtlCompareMemory, IoQueueWorkItem, IoAllocateWorkItem, IoStartTimer, IoInitializeTimer, IoStopTimer, IoFreeWorkItem, ObfDereferenceObject, IoBuildDeviceIoControlRequest, IoGetAttachedDeviceReference, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, IoGetDriverObjectExtension, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, ObfReferenceObject, IoWMIRegistrationControl, IoSetHardErrorOrVerifyDevice, _allshl, KeBugCheck, IoFreeMdl, MmUnlockPages, InterlockedExchangeAdd, IoAllocateMdl, ExInterlockedPushEntrySList, KeDelayExecutionThread, MmProbeAndLockPages, _except_handler3, _allmul, RtlExtendedIntegerMultiply, memmove, ExInterlockedPopEntrySList, MmBuildMdlForNonPagedPool, IoInvalidateDeviceRelations, IofCompleteRequest, InterlockedExchange, IoFreeIrp, IoCreateDevice, RtlInitString, ExDeleteNPagedLookasideList, ExInitializeNPagedLookasideList, ObReferenceObjectByPointer, IoDetachDevice, IoSetDeviceInterfaceState, ZwSetValueKey, sprintf, IoRegisterDeviceInterface, KeGetCurrentThread, KeInitializeSpinLock, IoInitializeIrp, KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, KeQuerySystemTime, IoWMIWriteEvent, IoRegisterBootDriverReinitialization, IoAttachDeviceToDeviceStack, ZwMakeTemporaryObject, ZwCreateDirectoryObject, swprintf, strncmp, IoBuildSynchronousFsdRequest, _allrem, _allshr, _strnicmp, HalDispatchTable, IoGetConfigurationInformation, RtlFreeAnsiString, RtlUpperString, RtlUnicodeStringToAnsiString, ZwQueryValueKey, RtlUnicodeStringToInteger, DbgPrint, InitSafeBootMode, IoDeleteSymbolicLink, IoCreateSymbolicLink, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, RtlInitAnsiString, PoStartNextPowerIrp, PoCallDriver, PoSetPowerState, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExFreePool, IoStartPacket, InterlockedDecrement, IofCallDriver, KeSetEvent, IoStartNextPacket, KeWaitForSingleObject, RtlDeleteRegistryValue, IoReportTargetDeviceChangeAsynchronous, IoDeleteDevice
> HAL.dll: KeGetCurrentIrql, IoReadPartitionTable, IoWritePartitionTable, KfAcquireSpinLock, IoSetPartitionInformation, KfRaiseIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfLowerIrql

( 0 exports )
  • 0
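The three VirusTotal listings pasted in posts #51, #52 and #53 all have the same shape: one line per engine (engine name, signature version, signature date, verdict, where "-" means no detection) followed by an "Additional information" block with the file size and hashes. The Python below is an added example, not part of the thread and not code from VirusTotal, VirSCAN or any tool named here; it turns such a pasted listing into a detection ratio, the per-engine verdicts and the digests, checks that each digest has the length its algorithm requires (a wrapped or truncated paste fails this), and extracts the name token the flagging engines agree on, which is how a helper reading the SVKP.sys report would get from two differently worded verdicts to the single family name "Joiner". The sample text is a constructed excerpt built from the values in post #52; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed excerpt: a subset of the engine lines and the "Additional
# information" block from post #52, in the same line format as the thread.
SAMPLE_REPORT = """\
AhnLab-V3 2008.7.29.1 2008.07.29 -
CAT-QuickHeal 9.50 2008.07.29 TrojanSpy.Joiner.av
Kaspersky 7.0.0.125 2008.07.30 -
McAfee 5349 2008.07.29 -
Prevx1 V2 2008.07.30 -
Symantec 10 2008.07.30 -
ViRobot 2008.7.29.1315 2008.07.29 Trojan.Win32.Joiner.2368
Additional information
File size: 2368 bytes
MD5...: f05028b163b92c302a74409d683ac9b0
SHA1..: 74a943b9f3bf63f8de5c3175f96366b24a661067
SHA256: c43a744c18d12b8214e75f67c557974564f24ec318807bbe796b26619fce7154
"""

# engine  version  YYYY.MM.DD  verdict   ("-" means clean)
ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]+)\s*$")
SIZE_LINE = re.compile(r"^File size:\s*(\d+)\s*bytes$")
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Generic classification words that carry no family information.
GENERIC_TOKENS = {"trojan", "trojanspy", "win32", "w32", "generic", "virus", "spy"}


@dataclass
class VtSummary:
    engines: int = 0
    detections: Dict[str, str] = field(default_factory=dict)  # engine -> verdict
    hashes: Dict[str, str] = field(default_factory=dict)      # algo -> hex digest
    size: Optional[int] = None

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{self.engines}"


def parse_vt_report(text: str) -> VtSummary:
    """Parse a pasted VirusTotal-style listing into a VtSummary."""
    summary = VtSummary()
    in_extra = False  # True once the "Additional information" block starts
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Additional information":
            in_extra = True
            continue
        if in_extra:
            m = HASH_LINE.match(line)
            if m:
                summary.hashes[m.group(1)] = m.group(2).lower()
                continue
            m = SIZE_LINE.match(line)
            if m:
                summary.size = int(m.group(1))
            continue
        m = ENGINE_LINE.match(line)
        if not m:
            continue  # not an engine line (stray header or blank)
        engine, _version, _sigdate, verdict = m.groups()
        summary.engines += 1
        if verdict != "-":
            summary.detections[engine] = verdict
    return summary


def hash_lengths_ok(summary: VtSummary) -> bool:
    """False if any digest was pasted wrapped or truncated."""
    return all(len(digest) == EXPECTED_HEX_LEN[algo]
               for algo, digest in summary.hashes.items())


def shared_family_tokens(summary: VtSummary) -> Set[str]:
    """Name tokens that every flagging engine agrees on, minus generic words."""
    token_sets = []
    for verdict in summary.detections.values():
        tokens = {t.lower() for t in re.split(r"[.\-_/ :]", verdict) if t}
        token_sets.append(tokens - GENERIC_TOKENS)
    if not token_sets:
        return set()
    return set.intersection(*token_sets)


if __name__ == "__main__":
    s = parse_vt_report(SAMPLE_REPORT)
    print(f"{s.ratio} engines flagged the file ({s.size} bytes)")
    for engine, verdict in s.detections.items():
        print(f"  {engine}: {verdict}")
    print("digests well-formed:", hash_lengths_ok(s))
    print("shared family token(s):", shared_family_tokens(s) or "none")
```

Run as-is it reports 2/7 for the constructed excerpt with the shared token "joiner"; paste a whole listing from the thread in place of the sample and the count becomes the full engine total. A low ratio with only two engines agreeing on a family, as here, is the kind of result the helper still asked to see in full rather than a verdict by itself.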

#54
mbrikha (Topic Starter, Member, 47 posts)
ComboFix 08-07-31.01 - Owner 2008-08-01 19:30:34.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.333 [GMT -8:00]
Running from: C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\{7026FA23-A796-43C9-BF9D-223558230A97}.dat
C:\WINDOWS\{C70DBAF0-79B6-4F26-A6D9-40DD6412DCD2}.dat
C:\WINDOWS\system32\{1F0BCF34-AF6E-4B35-AC62-AEF898B1D097}.dat
C:\WINDOWS\system32\{8444D0C8-A2A4-4623-9B9E-B04F8589CCEB}.dat
C:\WINDOWS\system32\55.tmp
C:\WINDOWS\system32\AE.tmp
C:\WINDOWS\system32\ovjy.dll
C:\WINDOWS\system32\vdfvqydc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_03000F11.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\IEUI.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1420194370.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1725972020.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-512559710.swf
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1504369768.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\190457878.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\253621806.mtx
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1250239307.MTS
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\722093742.mtz
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1250239310.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-430710159.swf
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\518054506.mtx
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\979266177.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-825244877.SWF
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-983945651.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\716494328.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\WINDOWS\{7026FA23-A796-43C9-BF9D-223558230A97}.dat
C:\WINDOWS\{C70DBAF0-79B6-4F26-A6D9-40DD6412DCD2}.dat
C:\WINDOWS\system32\{1F0BCF34-AF6E-4B35-AC62-AEF898B1D097}.dat
C:\WINDOWS\system32\{8444D0C8-A2A4-4623-9B9E-B04F8589CCEB}.dat
C:\WINDOWS\system32\55.tmp
C:\WINDOWS\system32\AE.tmp
C:\WINDOWS\System32\dccnncr.exe
C:\WINDOWS\system32\ovjy.dll
C:\WINDOWS\system32\vdfvqydc.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.

2008-07-31 23:51 . 2008-07-31 23:52 <DIR> d-------- C:\Program Files\ERUNT
2008-07-31 14:35 . 2008-07-31 14:35 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-07-30 21:20 . 2008-07-30 21:20 <DIR> d-------- C:\fsaua.data
2008-07-29 19:27 . 2008-07-29 19:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-29 19:27 . 2008-07-29 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-29 13:11 . 2008-07-29 13:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 13:11 . 2008-07-29 13:11 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Malwarebytes
2008-07-29 13:11 . 2008-07-29 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 13:11 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-29 13:11 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 12:52 . 2008-07-29 12:52 <DIR> d-------- C:\_OTMoveIt
2008-07-28 21:44 . 2008-07-28 21:44 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Comcast
2008-07-28 21:23 . 2008-07-29 11:57 3,022 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-28 21:22 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-28 21:22 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-28 21:22 . 2008-05-29 08:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-28 21:22 . 2008-05-23 17:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-28 21:22 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-28 21:22 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-28 21:22 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-28 10:07 . 2008-07-28 10:07 <DIR> d-------- C:\Deckard
2008-07-27 23:47 . 2008-07-27 23:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 23:15 . 2008-07-27 23:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 19:16 . 2002-08-29 02:41 150,528 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-27 19:16 . 2001-08-17 21:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-25 23:20 . 2008-07-25 23:20 <DIR> d-------- C:\Documents and Settings\OWNERY~1~000\LOCALS~1
2008-07-25 23:20 . 2008-07-25 23:20 <DIR> d-------- C:\Documents and Settings\OWNERY~1~000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 03:36 --------- d-----w C:\Program Files\QuickTime
2008-08-02 03:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-02 03:30 --------- d-----w C:\Program Files\MSN Messenger
2008-08-02 03:30 --------- d-----w C:\Program Files\iTunes
2008-07-31 23:15 --------- d-----w C:\Program Files\support.com
2008-07-31 08:31 --------- d-----w C:\Program Files\hbinst
2008-07-29 05:56 --------- d-----w C:\Program Files\WildTangent
2008-07-29 05:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-29 05:52 --------- d-----w C:\Program Files\NewSoft
2008-07-29 05:50 --------- d-----w C:\Program Files\MUSICMATCH
2008-07-29 05:50 --------- d-----w C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Application Data\Musicmatch
2008-07-29 05:48 --------- d-----w C:\Program Files\Microsoft Money
2008-07-29 05:41 --------- d-----w C:\Program Files\Common Files\aolshare
2008-07-29 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-24 20:26 --------- d-----w C:\Program Files\McAfee
2008-06-23 22:31 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-03 06:36 --------- d-----w C:\Program Files\LimeWire
2007-02-24 05:49 25,600 ----a-w C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\usbsermptxp.sys
2007-02-24 05:49 22,768 ----a-w C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\usbsermpt.sys
2005-09-05 21:32 601 ---ha-w C:\Documents and Settings\Guest.JAINIE\hpothb07.dat
2005-05-29 00:06 637 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
2004-02-08 04:21 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2003-10-10 01:23 665 ---ha-w C:\WINDOWS\system32\config\systemprofile\hpothb07.dat
2003-10-10 01:23 665 ---ha-w C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\hpothb07.dat
2003-10-10 01:23 665 ---ha-w C:\Documents and Settings\Guest.YOUR-KYBTG65GXE\hpothb07.dat
2003-10-10 01:23 665 ---ha-w C:\Documents and Settings\Guest.YOUR-KYBTG65GXE.000\hpothb07.dat
2003-10-10 01:23 665 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2003-10-10 01:23 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2003-10-10 01:23 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
.

------- Sigcheck -------

2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ip6fw.sys
2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-08-01_12.19.33.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-14 05:42:26 212,992 ----a-w C:\WINDOWS\SMINST\RECGUARD.EXE
+ 1998-05-08 00:04:38 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
- 2008-08-01 18:49:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-01 23:08:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-01 18:49:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-01 23:08:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-01 18:49:15 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-01 23:08:50 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-09-09 15:05:52 114,688 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2002-08-01 04:28:38 81,920 ----a-w C:\WINDOWS\system32\ps2.exe
+ 2002-12-04 08:23:24 188,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-09-30 23:39 548933 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"HostManager"="C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe" [2006-09-25 16:52 50736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-16 19:59 185784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]
"nwiz"="nwiz.exe" [2002-09-30 23:39 372736 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2006-11-16 13:42 1327104]

C:\Documents and Settings\Owner.YOUR-KYBTG65GXE.000\Start Menu\Programs\Startup\
AOL OpenRide.lnk - C:\Program Files\Common Files\AOL\Launch\aollaunch.exe [2006-09-25 16:52:49 50736]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-03 16:58:20 40960]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2003-10-11 08:19:17 237568]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-12-03 16:23:30 147456]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 19:20:02 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

R0 sonypvl2;sonypvl2;C:\WINDOWS\System32\drivers\sonypvl2.sys [2003-07-25 14:02]
R1 sonypvf2;sonypvf2;C:\WINDOWS\System32\drivers\sonypvf2.sys [2004-04-08 10:04]
R1 sonypvt2;sonypvt2;C:\WINDOWS\System32\drivers\sonypvt2.sys [2003-08-20 09:44]
R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2005-07-18 15:36]
S1 sonypvd2;sonypvd2;C:\WINDOWS\System32\DRIVERS\sonypvd2.sys [2003-06-24 09:29]
S3 msCMTSrvc;Content Monitoring Tool;C:\WINDOWS\system32\msCMTSrvc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b]
C:\WINDOWS\System32\dccnncr.exe
.
Contents of the 'Scheduled Tasks' folder

2003-05-22 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1052015226.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 16:40]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PhotoShow Deluxe Media Manager - C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
HKCU-Run-Yahoo! Pager - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-BlockTracker - c:\hp\bin\BlockTracker.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 19:36:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\AOL\1139186156\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\1139186156\ee\anotify.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-01 20:07:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-02 04:06:55
ComboFix2.txt 2008-08-01 20:21:28

Pre-Run: 75,289,374,720 bytes free
Post-Run: 75,230,162,944 bytes free

#55
mbrikha
  • Topic Starter
  • Member
  • 47 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:34 PM, on 8/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1139186156\ee\AOLOpenRide.exe
C:\Program Files\Common Files\AOL\1139186156\ee\aolsoftware.exe
c:\program files\common files\aol\1139186156\ee\anotify.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139186156\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://i21.photobuck...Grl90/black.jpg

--
End of file - 7254 bytes
#56
fenzodahl512
  • Malware Removal
  • 9,863 posts
That is one extremely difficult key to remove :)


Please go to Start >> Run >> Copy/Paste command below >> Press Enter

reg export "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\86942b4f-d046-4526-8f8c-669ad3dd860b" C:\seeit.txt

A new text file seeit.txt will be created on your C:\ drive. Please post its contents in your next reply.
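As an added example that is not part of the thread or of the helper's instructions: a PowerShell script that enumerates every Active Setup "Installed Components" entry (the autostart location the ComboFix log above flags) and reports each StubPath, its resolved executable, whether that file exists, and its Authenticode status. The report path C:\activesetup_report.txt is an assumed placeholder; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the thread): audit Active Setup "Installed Components",
# the registry location ComboFix listed above, for stubs that are missing or unsigned.
# Assumed placeholder for the report file:
$root   = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$report = 'C:\activesetup_report.txt'

function Resolve-StubTarget {
    param([string]$StubPath)
    # StubPath is a command line. Take its executable part: a quoted path is used as-is,
    # otherwise the first token is expanded and, if not an absolute path, resolved from
    # the search path. For "rundll32 foo.dll,Entry" lines the target is rundll32 itself;
    # the DLL stays visible in the StubPath column of the report.
    if ([string]::IsNullOrWhiteSpace($StubPath)) { return $null }
    if ($StubPath.StartsWith('"')) {
        return $StubPath.Substring(1, $StubPath.IndexOf('"', 1) - 1)
    }
    $first = [Environment]::ExpandEnvironmentVariables(($StubPath -split ' ')[0])
    if (Test-Path -LiteralPath $first) { return $first }
    $cmd = Get-Command $first -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    return $first
}

$rows = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath
    $stub  = $props.StubPath
    if (-not $stub) { continue }            # entries without a StubPath run nothing
    $target = Resolve-StubTarget $stub
    $exists = [bool]($target -and (Test-Path -LiteralPath $target))
    # Missing files cannot be signature-checked; report them separately.
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'FileMissing' }
    [pscustomobject]@{
        Component = $key.PSChildName        # the GUID (or bare name) of the entry
        Name      = $props.'(default)'
        StubPath  = $stub
        Target    = $target
        Exists    = $exists
        Signature = $sig
    }
}

# Windows' own components carry a valid Microsoft signature; anything unsigned,
# missing, or pointing at an unfamiliar executable in System32 deserves a closer look.
$rows | Sort-Object Signature | Format-Table -AutoSize
$rows | Where-Object { $_.Signature -ne 'Valid' } |
    Out-File -FilePath $report -Encoding UTF8
Write-Host "Entries that are not validly signed were written to $report"
```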

#57
mbrikha
  • Topic Starter
  • Member
  • 47 posts
There is no text file saved on my C:\ drive.

#58
fenzodahl512
  • Malware Removal
  • 9,863 posts
Erm.. not sure why we don't get rid of that entry.. Let's do another method..


Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again



1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.



  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply, along with a fresh HijackThis log

#59
mbrikha
  • Topic Starter
  • Member
  • 47 posts
How do you unzip it?

#60
fenzodahl512
  • Malware Removal
  • 9,863 posts

How do you unzip it?


Ok.. download this file and install it on your computer

http://downloads.sou...enzip/7z457.exe

Then go to the zipped file >> Right click >> choose "7-zip" >> click on "Extract files.." >> Hit "Ok"

You will have the "unzipped" folder on your Desktop (or wherever you put it)..