
Malware Antivirus xp 2008 [RESOLVED]


This topic is locked.

#1 Fochzila (New Member, 9 posts)
Hello all, I am infected with some stubborn malware.

A few days ago I reinstalled the main partition and automatically got Antivirus XP 2008. I removed it, but there are some files that I can't delete.

My browser acts very strangely. I can't open Google or Google search from the browser. Using Opera, FF and IE.

OK, after a quick search I used lots of programs to delete those files, and they keep coming back all the time. In IE I set high security settings for that browser, in FF I made it clear all data on exit, and in Opera I clear all data.

I used HijackThis, SmitfraudFix, SpywareBlaster, Toolbarcop, VundoFix, ErrorKiller, Ad-Aware, TuneUp Utilities 2007, KillBox, NOD32.

With this list of programs I check and fix the registry, but the files keep coming back all the time. With those programs I clean my PC daily to be able to use the internet.

Anyway, these are the files I have problems with:

C:\Windows\system32\jkkLFxWp.dll
C:\Windows\system32\qclydeco.dll
C:\Windows\system32\qwfuwqms.ini
C:\Windows\system32\smqwufwq.dll


The file I can't delete with any program is C:\Windows\system32\jkkLFxWp.dll, even with KillBox using the "replace on reboot" and "use dummy" options.


I will post other logs from the programs when I get back from work.

Thanks in advance.
  • 0



#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Fochzila

Welcome to G2Go. :)
=====================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3 Fochzila (Topic Starter, New Member, 9 posts)
[Screenshot from Toolbarcop]

This is a screenshot from Toolbarcop; only when I disable those files can I browse.

VundoFix V7.0.6

Scan started at 1:42:21 AM 8/17/2008

Listing files found while scanning....

C:\Windows\system32\amlxoxtm.dll
C:\Windows\system32\ddcCRHAR.dll
C:\Windows\system32\efcBurRL.dll
C:\Windows\system32\jkkLFxWp.dll
C:\Windows\system32\kvphwxbw.dll
C:\Windows\system32\LRruBcfe.ini
C:\Windows\system32\LRruBcfe.ini2
C:\Windows\system32\mtxoxlma.ini
C:\Windows\system32\mymfgukh.dll
C:\Windows\system32\ogxpqfgh.dll
C:\Windows\system32\sdwbipxc.dll
C:\Windows\system32\warycnfr.dll

Beginning removal...

Attempting to delete C:\Windows\system32\amlxoxtm.dll
C:\Windows\system32\amlxoxtm.dll Has been deleted!

Attempting to delete C:\Windows\system32\ddcCRHAR.dll
C:\Windows\system32\ddcCRHAR.dll Has been deleted!

Attempting to delete C:\Windows\system32\efcBurRL.dll
C:\Windows\system32\efcBurRL.dll Has been deleted!

Attempting to delete C:\Windows\system32\jkkLFxWp.dll
C:\Windows\system32\jkkLFxWp.dll Could not be deleted.

Attempting to delete C:\Windows\system32\kvphwxbw.dll
C:\Windows\system32\kvphwxbw.dll Has been deleted!

Attempting to delete C:\Windows\system32\LRruBcfe.ini
C:\Windows\system32\LRruBcfe.ini Has been deleted!

Attempting to delete C:\Windows\system32\LRruBcfe.ini2
C:\Windows\system32\LRruBcfe.ini2 Has been deleted!

Attempting to delete C:\Windows\system32\mtxoxlma.ini
C:\Windows\system32\mtxoxlma.ini Has been deleted!

Attempting to delete C:\Windows\system32\mymfgukh.dll
C:\Windows\system32\mymfgukh.dll Has been deleted!

Attempting to delete C:\Windows\system32\ogxpqfgh.dll
C:\Windows\system32\ogxpqfgh.dll Has been deleted!

Attempting to delete C:\Windows\system32\sdwbipxc.dll
C:\Windows\system32\sdwbipxc.dll Has been deleted!

Attempting to delete C:\Windows\system32\warycnfr.dll
C:\Windows\system32\warycnfr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V7.0.6

Scan started at 2:26:39 AM 8/17/2008

Listing files found while scanning....

C:\Windows\system32\jkkLFxWp.dll
C:\Windows\system32\qclydeco.dll
C:\Windows\system32\qwfuwqms.ini
C:\Windows\system32\smqwufwq.dll


NOD32 3.0 can't see them as malware. The Kaspersky online scan says that jkkLFxWp.dll is infected by Trojan.Win32.Monderb.eig, but I can't find a removal tool.
Can't remove it with KillBox; after any removal it comes back.

I think I picked up Antivirus XP 2008 when I logged on to Hotmail and hadn't set IE to high.
  • 0

#4 Fochzila (Topic Starter, New Member, 9 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:48:46, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Ovislink\Common\TurboG-UI.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirLive Turbo-G Wireless Utility.lnk = C:\Program Files\Ovislink\Common\TurboG-UI.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 3232 bytes


This is the log file.

HJT can't see any errors; pic related in the reply above.

Edited by Fochzila, 17 August 2008 - 07:52 AM.

  • 0

#5 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please visit this web page for instructions for downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note: if the Recovery Console fails to install, do not proceed; instead alert me and post back here, and we will continue.)
  • 0

#6 Fochzila (Topic Starter, New Member, 9 posts)
ComboFix log

ComboFix 08-08-16.01 - Anbu 2008-08-17 16:30:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511 [GMT 2:00]
Running from: C:\Documents and Settings\Anbu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anbu\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\Anbu\Application Data\Microsoft\dtsc
C:\Documents and Settings\Anbu\Application Data\Microsoft\dtsc\@KeyLogger Home v2.0b.torrent
C:\Documents and Settings\Anbu\Application Data\Microsoft\dtsc\@KeyLogger Home v2.0b.zip
C:\Documents and Settings\Anbu\Application Data\Microsoft\dtsc\28378.exe
C:\Documents and Settings\Anbu\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\Anbu\Application Data\rhcevgj0ecda
C:\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
C:\Program Files\Ovislink\AirLive WT-2000PCI\_desktop.ini
C:\Program Files\Ovislink\AirLive WT-2000PCI\Installer\_desktop.ini
C:\Program Files\Ovislink\AirLive WT-2000PCI\Installer\win2k\_desktop.ini
C:\Program Files\Ovislink\AirLive WT-2000PCI\Installer\win9x\_desktop.ini
C:\Program Files\Ovislink\AirLive WT-2000PCI\Installer\winme\_desktop.ini
C:\Program Files\Ovislink\AirLive WT-2000PCI\Installer\winx64\_desktop.ini
C:\Program Files\Ovislink\AirLive WT-2000PCI\Installer\winxp\_desktop.ini
C:\WINDOWS\BMd7e552d7.txt
C:\WINDOWS\BMd7e552d7.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\CKUtDfhk.ini
C:\WINDOWS\system32\CKUtDfhk.ini2
C:\WINDOWS\system32\cxpibwds.ini
C:\WINDOWS\system32\dmwenyxh.ini
C:\WINDOWS\system32\hgfqpxgo.ini
C:\WINDOWS\system32\iudisrqd.ini
C:\WINDOWS\system32\jkkLFxWp.dll
C:\WINDOWS\system32\kcsktniu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qclydeco.dll
C:\WINDOWS\system32\qfperrfv.dll
C:\WINDOWS\system32\qwfuwqms.ini
C:\WINDOWS\system32\rfncyraw.ini
C:\WINDOWS\system32\smqwufwq.dll
C:\WINDOWS\system32\tiwfiowf.ini
C:\WINDOWS\system32\uintksck.dll
C:\WINDOWS\system32\vfrrepfq.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-17 09:19 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-17 09:19 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-17 09:19 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-17 09:19 . 2008-08-09 15:37 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-17 09:19 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-17 09:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-17 09:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-17 09:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-17 09:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-17 02:16 . 2008-08-17 02:16 249,344 --a------ C:\WINDOWS\system32\khfDtUKC.dll
2008-08-17 02:01 . 2008-08-17 02:01 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-08-17 01:53 . 2008-08-17 01:53 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 01:42 . 2008-08-17 02:01 <DIR> d-------- C:\VundoFix Backups
2008-08-17 01:24 . 2008-08-17 01:24 <DIR> d-------- C:\Documents and Settings\Anbu\DoctorWeb
2008-08-17 01:23 . 2008-08-17 01:23 77,824 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2008-08-17 01:22 . 2008-08-17 02:07 <DIR> d-------- C:\Program Files\DrWeb
2008-08-17 00:22 . 2008-08-17 09:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-17 00:21 . 2008-08-17 00:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-16 23:51 . 2008-08-16 23:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 23:21 . 2008-08-16 23:55 <DIR> d--hs---- C:\!Submit
2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-16 12:00 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-14 00:25 . 2008-08-14 00:25 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\AdobeUM
2008-08-13 09:06 . 2008-08-13 09:06 <DIR> d-------- C:\Program Files\DNA
2008-08-13 09:06 . 2008-08-17 16:21 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\DNA
2008-08-13 09:06 . 2008-08-16 16:58 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\BitTorrent
2008-08-13 09:05 . 2008-08-13 09:06 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2008-08-13 09:05 . 2008-08-13 09:06 <DIR> d-------- C:\Program Files\BitTorrent
2008-08-13 09:05 . 2008-08-13 09:06 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\BitTorrent DNA
2008-08-10 22:25 . 2008-08-10 22:25 <DIR> d-------- C:\Program Files\Google
2008-08-10 22:23 . 2008-08-10 22:23 <DIR> d-------- C:\WINDOWS\Sun
2008-08-10 20:00 . 2008-08-17 09:19 2,082 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-10 15:35 . 2008-08-10 15:38 <DIR> d-------- C:\Program Files\ErrorKiller
2008-08-10 15:35 . 2005-04-15 20:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-10 15:35 . 2000-05-22 17:58 647,872 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-08-10 15:35 . 1999-03-26 00:00 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2008-08-10 15:15 . 2008-08-10 15:15 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\ErrorKiller
2008-08-09 22:32 . 2008-08-17 02:10 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-09 22:32 . 2008-08-09 22:32 <DIR> d-------- C:\Program Files\DScaler5
2008-08-09 22:18 . 2006-10-25 09:05 8,192 --a------ C:\WINDOWS\system32\drivers\RT2661.bin
2008-08-09 22:18 . 2006-10-25 09:05 8,192 --a------ C:\WINDOWS\system32\drivers\RT2561s.bin
2008-08-09 22:18 . 2006-10-25 09:05 8,192 --a------ C:\WINDOWS\system32\drivers\RT2561.bin
2008-08-09 17:40 . 2008-08-09 17:40 <DIR> d-------- C:\Program Files\ESET
2008-08-09 17:40 . 2008-08-09 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-09 17:21 . 2008-08-09 17:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 17:13 . 2008-08-09 17:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-09 17:13 . 2008-08-10 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-09 16:35 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-09 16:34 . 2008-08-09 16:35 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2008-08-09 16:34 . 2008-08-15 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 16:34 . 2008-08-09 16:34 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\TuneUp Software
2008-08-09 16:34 . 2008-08-09 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-09 16:17 . 2008-08-09 16:27 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\uTorrent
2008-08-09 16:16 . 2008-08-09 16:17 <DIR> d-------- C:\Program Files\uTorrent
2008-08-09 15:50 . 2008-08-09 15:50 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-08-09 15:50 . 2008-08-09 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-08-09 15:46 . 2008-08-09 15:46 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-08-09 15:45 . 2008-08-09 15:45 <DIR> d-------- C:\Program Files\Corel
2008-08-09 14:24 . 2008-08-10 21:47 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-08-09 14:23 . 2008-08-09 14:23 <DIR> d-------- C:\Program Files\RealMedia
2008-08-09 14:20 . 2008-08-09 14:20 <DIR> d-------- C:\Program Files\Haali
2008-08-09 14:20 . 2008-08-09 14:20 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\Media Player Classic
2008-08-09 14:19 . 2007-11-29 12:52 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-08-09 14:19 . 2007-11-29 12:52 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-08-09 14:17 . 2008-08-10 21:47 <DIR> d-------- C:\Program Files\DirectVobSub
2008-08-09 10:27 . 2008-08-09 10:27 <DIR> d-------- C:\Program Files\Skype
2008-08-09 10:27 . 2008-08-09 10:27 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-09 10:27 . 2008-08-17 16:37 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\Skype
2008-08-09 10:27 . 2008-08-09 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-08-09 10:24 . 2008-08-09 10:24 <DIR> d-------- C:\Program Files\Last.fm
2008-08-09 10:24 . 2008-08-09 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-08-09 10:23 . 2008-08-09 10:24 <DIR> d-------- C:\Program Files\Winamp
2008-08-09 09:53 . 2008-08-09 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-09 00:22 . 2008-08-09 00:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-09 00:18 . 2008-08-10 21:48 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-08-09 00:16 . 2008-08-09 00:17 <DIR> d-------- C:\totalcmd
2008-08-09 00:16 . 2008-08-17 01:24 3,823 --a------ C:\WINDOWS\wincmd.ini
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\UC.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\RAR.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\LHA.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\ARJ.PIF
2008-08-09 00:03 . 2001-08-17 15:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-08-09 00:02 . 2004-08-04 00:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-08-09 00:02 . 2004-08-04 02:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-08-09 00:01 . 2006-10-22 12:22 4,527,488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-08-09 00:01 . 2006-10-22 12:22 3,994,624 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-08-09 00:01 . 2006-10-22 12:22 3,994,624 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2008-08-09 00:01 . 2004-08-04 01:14 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-08-09 00:01 . 2004-08-04 01:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-08-09 00:01 . 2004-08-04 00:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-08-09 00:00 . 2004-08-04 02:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 20:33 --------- d-----w C:\Documents and Settings\Anbu\Application Data\foobar2000
2008-08-13 22:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-09 20:32 --------- d-----w C:\Program Files\Ovislink
2008-08-08 21:18 --------- d-----w C:\Program Files\MSN Messenger
2008-08-08 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-08-08 20:49 --------- d-----w C:\Program Files\foobar2000
2008-08-08 20:47 --------- d-----w C:\Program Files\Opera
2008-08-08 20:43 --------- d-----w C:\Program Files\Bonjour
2008-08-08 20:30 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-08 20:26 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-08-08 20:26 --------- d-----w C:\Program Files\ACD Systems
2008-08-08 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-08-08 20:25 10,368 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2008-08-08 20:24 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-08 20:24 --------- d-----w C:\Program Files\D-Tools
2008-08-08 20:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-08 20:12 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDE2D83A-646A-4409-A081-F96317531961}]
2008-08-17 02:16 249344 --a------ C:\WINDOWS\system32\khfDtUKC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDE2D83A-646A-4409-A081-F96317531961}]
2008-08-17 02:16 249344 --a------ C:\WINDOWS\system32\khfDtUKC.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2008-08-08 23:18 5674352]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-08-13 09:06 289088]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"errorkiller"="C:\Program Files\errorkiller\errorkiller.exe" [2006-07-11 15:54 6475776]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
AirLive Turbo-G Wireless Utility.lnk - C:\Program Files\Ovislink\Common\TurboG-UI.exe [2008-08-08 22:24:40 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"d4d6614b"=rundll32.exe "C:\WINDOWS\system32\smqwufwq.dll",b
"BMd7e552d7"=Rundll32.exe "C:\WINDOWS\system32\qclydeco.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\bootcd\wintools\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]

2008-08-14 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
- C:\Program Files\ErrorKiller\ErrorKiller.exe [2006-07-11 15:54]

2008-08-14 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
- C:\Program Files\ErrorKiller [2008-08-10 15:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{78463C13-B147-4E9C-97F3-ECD3CEFECFE3} - C:\WINDOWS\system32\efcBurRL.dll
HKLM-Run-NvCplDaemon - C:\WINDOWS\system32\NvCpl.dll
MSConfigStartUp-NvCplDaemon - C:\WINDOWS\system32\NvCpl.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Anbu\Application Data\Mozilla\Firefox\Profiles\culoos2y.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 16:36:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-17 16:44:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-17 14:43:29

Pre-Run: 32,029,208,576 bytes free
Post-Run: 31,950,311,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

262



HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49:01, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - -{78463C13-B147-4E9C-97F3-ECD3CEFECFE3} - (no file)
O2 - BHO: (no name) - -{CDE2D83A-646A-4409-A081-F96317531961} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CDE2D83A-646A-4409-A081-F96317531961} - C:\WINDOWS\system32\khfDtUKC.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirLive Turbo-G Wireless Utility.lnk = C:\Program Files\Ovislink\Common\TurboG-UI.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFD6344-B670-43F6-A976-C984E2E4FC3A}: NameServer = 79.101.14.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 3881 bytes


These are the logs.
  • 0
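The ComboFix and VundoFix output in this thread shows two patterns worth recognising when triaging logs like these: each malicious system32 DLL has a companion .ini whose name is the DLL's name spelled backwards (smqwufwq.dll / qwfuwqms.ini, efcBurRL.dll / LRruBcfe.ini, khfDtUKC.dll / CKUtDfhk.ini), and persistence is a rundll32 autostart entry that loads such a DLL by a one-letter export. The script below is an added example, not part of the thread or of any of the tools named in it; it runs that triage over a constructed sample of log lines taken from this thread. The reversed-name pairing and the "8-letter stem plus one-letter export" rule are heuristics derived from the filenames seen here and are assumptions, not signatures from any vendor.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the VundoFix and ComboFix output posted in
# this thread, trimmed to the parts the heuristics need.
SAMPLE_LOG = r"""
C:\Windows\system32\amlxoxtm.dll
C:\Windows\system32\efcBurRL.dll
C:\Windows\system32\LRruBcfe.ini
C:\Windows\system32\mtxoxlma.ini
C:\Windows\system32\jkkLFxWp.dll
C:\WINDOWS\system32\CKUtDfhk.ini
2008-08-17 02:16 . 2008-08-17 02:16 249,344 --a------ C:\WINDOWS\system32\khfDtUKC.dll
C:\WINDOWS\system32\qwfuwqms.ini
C:\WINDOWS\system32\smqwufwq.dll
"d4d6614b"=rundll32.exe "C:\WINDOWS\system32\smqwufwq.dll",b
"BMd7e552d7"=Rundll32.exe "C:\WINDOWS\system32\qclydeco.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

# Any path under <drive>:\Windows\system32\, stopping at whitespace, quotes or commas
# so that rundll32 "path",export lines yield just the path.
PATH_RE = re.compile(r'[A-Za-z]:\\windows\\system32\\[^\s",]+', re.IGNORECASE)

# rundll32[.exe] "<path>.dll",<export>  (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^",]+\.dll)"?,(\w*)',
                       re.IGNORECASE)


def system32_files(log_text):
    """Unique system32 paths mentioned anywhere in the log (first spelling kept)."""
    found = {}
    for m in PATH_RE.finditer(log_text):
        found.setdefault(m.group(0).lower(), m.group(0))
    return list(found.values())


def reversed_name_pairs(paths):
    """Pair each .dll with a .ini/.ini2 whose stem is the DLL stem spelled backwards.

    Heuristic assumption from this thread's logs: the dropper keeps a backup copy of
    each DLL under the reversed name, which is how the files keep coming back.
    """
    by_ext = {}
    for p in paths:
        stem, _, ext = PureWindowsPath(p).name.rpartition('.')
        ext = ext.lower()
        key = 'ini' if ext.startswith('ini') else ext   # fold .ini2 into .ini
        by_ext.setdefault(key, {})[stem] = p            # stem match is case-sensitive
    pairs = []
    for stem, dll in by_ext.get('dll', {}).items():
        ini = by_ext.get('ini', {}).get(stem[::-1])
        if ini:
            pairs.append((dll, ini))
    return pairs


def rundll32_loads(log_text):
    """(dll path, export name) for every autostart entry that goes through rundll32."""
    return [(m.group(1), m.group(2)) for m in RUNDLL_RE.finditer(log_text)]


def triage(log_text):
    """Combine both heuristics and return the DLLs worth a closer look."""
    paths = system32_files(log_text)
    pairs = reversed_name_pairs(paths)
    suspects = {dll for dll, _ in pairs}
    loads = rundll32_loads(log_text)
    for dll, export in loads:
        stem = PureWindowsPath(dll).stem
        # Random-looking 8-letter stem plus a one-letter export is the persistence
        # shape seen in this thread (heuristic assumption; NvCpl.dll,NvStartup is not hit).
        if len(stem) == 8 and stem.isalpha() and len(export) == 1:
            suspects.add(dll)
    return {"reversed_pairs": pairs, "rundll32_autostarts": loads,
            "suspects": sorted(suspects)}


def suspect_basenames(log_text):
    """Sorted file names of the suspects, convenient for reporting and checking."""
    return sorted(PureWindowsPath(p).name for p in triage(log_text)["suspects"])


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dll, ini in report["reversed_pairs"]:
        print(f"reversed-name pair: {dll}  <->  {ini}")
    for dll, export in report["rundll32_autostarts"]:
        print(f"rundll32 autostart: {dll},{export}")
    print("suspects:", ", ".join(suspect_basenames(SAMPLE_LOG)))
```

On the sample above the pairing finds four DLL/.ini couples, and the rundll32 rule adds qclydeco.dll (loaded by export "s") while leaving the legitimate NvCpl.dll,NvStartup entry alone. Because the heuristics are name-based, a match is a reason to quarantine and submit the file for scanning, not a verdict on its own; jkkLFxWp.dll, for example, is flagged by the online scan in this thread but has no reversed-name partner in these logs and so is not caught by this script.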

#7 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\khfDtUKC.dll
C:\WINDOWS\system32\smqwufwq.dll
C:\WINDOWS\system32\qclydeco.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"d4d6614b"=-
"BMd7e552d7"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#8 Fochzila (Topic Starter, New Member, 9 posts)

ComboFix 08-08-16.01 - Anbu 2008-08-17 17:15:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.519 [GMT 2:00]
Running from: C:\Documents and Settings\Anbu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anbu\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\khfDtUKC.dll
C:\WINDOWS\system32\qclydeco.dll
C:\WINDOWS\system32\smqwufwq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\khfDtUKC.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-17 09:19 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-17 09:19 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-17 09:19 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-17 09:19 . 2008-08-09 15:37 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-17 09:19 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-17 09:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-17 09:18 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-17 09:18 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-17 09:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-17 02:01 . 2008-08-17 02:01 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-08-17 01:53 . 2008-08-17 01:53 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 01:42 . 2008-08-17 02:01 <DIR> d-------- C:\VundoFix Backups
2008-08-17 01:24 . 2008-08-17 01:24 <DIR> d-------- C:\Documents and Settings\Anbu\DoctorWeb
2008-08-17 01:23 . 2008-08-17 01:23 77,824 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2008-08-17 01:22 . 2008-08-17 02:07 <DIR> d-------- C:\Program Files\DrWeb
2008-08-17 00:22 . 2008-08-17 09:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-17 00:21 . 2008-08-17 00:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-16 23:51 . 2008-08-16 23:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-16 23:21 . 2008-08-16 23:55 <DIR> d--hs---- C:\!Submit
2008-08-16 23:19 . 2008-08-16 23:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-16 12:00 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-14 00:25 . 2008-08-14 00:25 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\AdobeUM
2008-08-13 09:06 . 2008-08-13 09:06 <DIR> d-------- C:\Program Files\DNA
2008-08-13 09:06 . 2008-08-17 17:17 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\DNA
2008-08-13 09:06 . 2008-08-16 16:58 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\BitTorrent
2008-08-13 09:05 . 2008-08-13 09:06 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2008-08-13 09:05 . 2008-08-13 09:06 <DIR> d-------- C:\Program Files\BitTorrent
2008-08-13 09:05 . 2008-08-13 09:06 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\BitTorrent DNA
2008-08-10 22:25 . 2008-08-10 22:25 <DIR> d-------- C:\Program Files\Google
2008-08-10 22:23 . 2008-08-10 22:23 <DIR> d-------- C:\WINDOWS\Sun
2008-08-10 20:00 . 2008-08-17 09:19 2,082 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-10 15:35 . 2008-08-10 15:38 <DIR> d-------- C:\Program Files\ErrorKiller
2008-08-10 15:35 . 2005-04-15 20:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-10 15:35 . 2000-05-22 17:58 647,872 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-08-10 15:35 . 1999-03-26 00:00 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2008-08-10 15:15 . 2008-08-10 15:15 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\ErrorKiller
2008-08-09 22:32 . 2008-08-17 02:10 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-09 22:32 . 2008-08-09 22:32 <DIR> d-------- C:\Program Files\DScaler5
2008-08-09 22:18 . 2006-10-25 09:05 8,192 --a------ C:\WINDOWS\system32\drivers\RT2661.bin
2008-08-09 22:18 . 2006-10-25 09:05 8,192 --a------ C:\WINDOWS\system32\drivers\RT2561s.bin
2008-08-09 22:18 . 2006-10-25 09:05 8,192 --a------ C:\WINDOWS\system32\drivers\RT2561.bin
2008-08-09 17:40 . 2008-08-09 17:40 <DIR> d-------- C:\Program Files\ESET
2008-08-09 17:40 . 2008-08-09 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-09 17:21 . 2008-08-09 17:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 17:13 . 2008-08-09 17:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-09 17:13 . 2008-08-10 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-09 16:35 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-09 16:34 . 2008-08-09 16:35 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2008-08-09 16:34 . 2008-08-15 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 16:34 . 2008-08-09 16:34 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\TuneUp Software
2008-08-09 16:34 . 2008-08-09 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-09 16:17 . 2008-08-09 16:27 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\uTorrent
2008-08-09 16:16 . 2008-08-09 16:17 <DIR> d-------- C:\Program Files\uTorrent
2008-08-09 15:50 . 2008-08-09 15:50 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-08-09 15:50 . 2008-08-09 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-08-09 15:46 . 2008-08-09 15:46 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-08-09 15:45 . 2008-08-09 15:45 <DIR> d-------- C:\Program Files\Corel
2008-08-09 14:24 . 2008-08-10 21:47 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-08-09 14:23 . 2008-08-09 14:23 <DIR> d-------- C:\Program Files\RealMedia
2008-08-09 14:20 . 2008-08-09 14:20 <DIR> d-------- C:\Program Files\Haali
2008-08-09 14:20 . 2008-08-09 14:20 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\Media Player Classic
2008-08-09 14:19 . 2007-11-29 12:52 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-08-09 14:19 . 2007-11-29 12:52 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-08-09 14:17 . 2008-08-10 21:47 <DIR> d-------- C:\Program Files\DirectVobSub
2008-08-09 10:27 . 2008-08-09 10:27 <DIR> d-------- C:\Program Files\Skype
2008-08-09 10:27 . 2008-08-09 10:27 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-09 10:27 . 2008-08-17 17:22 <DIR> d-------- C:\Documents and Settings\Anbu\Application Data\Skype
2008-08-09 10:27 . 2008-08-09 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-08-09 10:24 . 2008-08-09 10:24 <DIR> d-------- C:\Program Files\Last.fm
2008-08-09 10:24 . 2008-08-09 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-08-09 10:23 . 2008-08-09 10:24 <DIR> d-------- C:\Program Files\Winamp
2008-08-09 09:53 . 2008-08-09 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-09 00:22 . 2008-08-09 00:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-09 00:18 . 2008-08-10 21:48 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-08-09 00:16 . 2008-08-09 00:17 <DIR> d-------- C:\totalcmd
2008-08-09 00:16 . 2008-08-17 01:24 3,823 --a------ C:\WINDOWS\wincmd.ini
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\UC.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\RAR.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\LHA.PIF
2008-08-09 00:16 . 2007-04-11 07:00 545 --a------ C:\WINDOWS\ARJ.PIF
2008-08-09 00:03 . 2001-08-17 15:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-08-09 00:02 . 2004-08-04 00:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-08-09 00:02 . 2004-08-04 02:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-08-09 00:01 . 2006-10-22 12:22 4,527,488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-08-09 00:01 . 2006-10-22 12:22 3,994,624 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-08-09 00:01 . 2006-10-22 12:22 3,994,624 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2008-08-09 00:01 . 2004-08-04 01:14 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-08-09 00:01 . 2004-08-04 01:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-08-09 00:01 . 2004-08-04 00:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-08-09 00:00 . 2004-08-04 02:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 20:33 --------- d-----w C:\Documents and Settings\Anbu\Application Data\foobar2000
2008-08-13 22:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-09 20:32 --------- d-----w C:\Program Files\Ovislink
2008-08-08 21:18 --------- d-----w C:\Program Files\MSN Messenger
2008-08-08 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-08-08 20:49 --------- d-----w C:\Program Files\foobar2000
2008-08-08 20:47 --------- d-----w C:\Program Files\Opera
2008-08-08 20:43 --------- d-----w C:\Program Files\Bonjour
2008-08-08 20:30 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-08 20:26 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-08-08 20:26 --------- d-----w C:\Program Files\ACD Systems
2008-08-08 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-08-08 20:25 10,368 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2008-08-08 20:24 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-08 20:24 --------- d-----w C:\Program Files\D-Tools
2008-08-08 20:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-08 20:12 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2008-08-08 23:18 5674352]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-08-13 09:06 289088]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"errorkiller"="C:\Program Files\errorkiller\errorkiller.exe" [2006-07-11 15:54 6475776]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [BU]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
AirLive Turbo-G Wireless Utility.lnk - C:\Program Files\Ovislink\Common\TurboG-UI.exe [2008-08-08 22:24:40 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]

2008-08-14 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
- C:\Program Files\ErrorKiller\ErrorKiller.exe [2006-07-11 15:54]

2008-08-14 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
- C:\Program Files\ErrorKiller [2008-08-10 15:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{78463C13-B147-4E9C-97F3-ECD3CEFECFE3} - (no file)
BHO-{CDE2D83A-646A-4409-A081-F96317531961} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 17:20:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-17 17:27:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-17 15:26:31
ComboFix2.txt 2008-08-17 14:44:36

Pre-Run: 31,949,709,312 bytes free
Post-Run: 31,941,521,408 bytes free



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:40, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ovislink\Common\TurboG-UI.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\MSN Messenger\usnsvc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - -{78463C13-B147-4E9C-97F3-ECD3CEFECFE3} - (no file)
O2 - BHO: (no name) - -{CDE2D83A-646A-4409-A081-F96317531961} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirLive Turbo-G Wireless Utility.lnk = C:\Program Files\Ovislink\Common\TurboG-UI.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFD6344-B670-43F6-A976-C984E2E4FC3A}: NameServer = 79.101.14.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 4009 bytes



#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Is this part of your known ISP > Teamnet Novi Sad?

Fix these 2 entries with Hijackthis.
O2 - BHO: (no name) - -{78463C13-B147-4E9C-97F3-ECD3CEFECFE3} - (no file)
O2 - BHO: (no name) - -{CDE2D83A-646A-4409-A081-F96317531961} - (no file)


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
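The two checks kahdah makes by hand in this post (O2 BHO entries whose DLL reads "(no file)", and whether the O17 NameServer belongs to the user's ISP) can be scripted over a HijackThis v2 log. This is an added example, not part of the thread or of HijackThis itself; the sample log is constructed from entry types that appear in the thread, and the trusted resolver networks are a hypothetical placeholder the user would fill in from their own ISP's documentation.

```python
"""Triage a HijackThis v2 log for the two signals discussed in this thread.

Added example, not part of the thread or of HijackThis itself. The sample log
is constructed from entry types that appear in the thread; the trusted resolver
list is a hypothetical placeholder the user fills in from their ISP's documentation.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in HijackThis v2.0.2 line format (entries taken from the thread).
SAMPLE_LOG = """\
O2 - BHO: (no name) - -{78463C13-B147-4E9C-97F3-ECD3CEFECFE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe" /hide /waitservice
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{7FFD6344-B670-43F6-A976-C984E2E4FC3A}: NameServer = 79.101.14.1
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>"; HJT prints a leading "-"
# before the CLSID when the BHO has no registered name, hence the optional "-".
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - -?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O17 lines: per-interface DNS servers, comma-separated when there are several.
NS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)\s*$")
# HJT entry lines start with a section code such as R1, F2, N1, O2 ... O24.
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


@dataclass(frozen=True)
class Finding:
    kind: str    # "orphaned_bho" or "unexpected_nameserver"
    detail: str  # the CLSID or the resolver address
    line: str    # the raw log line that produced the finding


def entry_lines(text: str) -> list[str]:
    """Keep only HJT entry lines; drop the process list, headers and blanks."""
    return [ln.rstrip() for ln in text.splitlines() if ENTRY_RE.match(ln)]


def find_orphaned_bhos(lines: list[str]) -> list[Finding]:
    """BHO registrations whose DLL is gone: leftover loading points to clean up."""
    findings = []
    for ln in lines:
        m = BHO_RE.match(ln)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append(Finding("orphaned_bho", m.group("clsid").upper(), ln))
    return findings


def find_unexpected_nameservers(lines: list[str], trusted_networks) -> list[Finding]:
    """Resolvers outside the networks the user recognises as their ISP's.

    A hit is not proof of a DNS hijack (in the thread this address turns out to
    be the upstream ISP); it is the question to put to the user, as done above.
    """
    nets = [ip_network(n) for n in trusted_networks]
    findings = []
    for ln in lines:
        m = NS_RE.match(ln)
        if not m:
            continue
        for raw in m.group("servers").split(","):
            raw = raw.strip()
            if not raw:
                continue
            try:
                addr = ip_address(raw)
            except ValueError:
                # Malformed address: report it rather than silently skipping.
                findings.append(Finding("unexpected_nameserver", raw, ln))
                continue
            if not any(addr in net for net in nets):
                findings.append(Finding("unexpected_nameserver", str(addr), ln))
    return findings


def triage(text: str, trusted_networks=()) -> list[Finding]:
    """Run both checks over a full HJT log; BHO findings first, then resolvers."""
    lines = entry_lines(text)
    return find_orphaned_bhos(lines) + find_unexpected_nameservers(lines, trusted_networks)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```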

#10
Fochzila

Fochzila

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Is this part of your known ISP > Teamnet Novi Sad?


Part of a larger wireless network (my network is Hallsys from Backa Palanka, not Teamnet from Novi Sad, but they are connected over LAN).

Fix these 2 entries with Hijackthis.
O2 - BHO: (no name) - -{78463C13-B147-4E9C-97F3-ECD3CEFECFE3} - (no file)
O2 - BHO: (no name) - -{CDE2D83A-646A-4409-A081-F96317531961} - (no file)

I did that with HJT but no effect.


Reporting after completing all that.


#11
Fochzila

Fochzila

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Malwarebytes' Anti-Malware 1.24
Database version: 1061
Windows 5.1.2600 Service Pack 2

7:23:07 PM 8/17/2008
mbam-log-8-17-2008 (19-23-07).txt

Scan type: Quick Scan
Objects scanned: 41449
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errorkiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anbu\Application Data\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anbu\Application Data\ErrorKiller\Log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\ErrorKiller\ErrorKiller.exe (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\ErrorKiller.url (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Errors.stg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Launcher.exe (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\license.txt (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Results.stg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\unins000.dat (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\unins000.exe (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_16_12_59_12.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_16_13_28_18.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_16_14_36_15.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_16_22_46_40.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_16_23_25_11.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_17_02_11_17.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_17_08_40_44.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_17_16_36_15.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Log\log_2008_08_17_17_20_39.eklog (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-10_15-38-18.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-10_15-40-07.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-10_20-21-10.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-11_00-14-16.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-11_00-16-41.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-12_00-40-32.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-12_00-42-18.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-14_03-44-15.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\2008-08-16_13-29-58.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\Errors.stg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Program Files\ErrorKiller\Registry Backups\Results.stg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ErrorKiller\ErrorKiller on the Web.lnk (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ErrorKiller\ErrorKiller.lnk (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ErrorKiller\Uninstall ErrorKiller.lnk (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anbu\Application Data\ErrorKiller\Log\2008 Aug 10 - 03_15_38 PM_843.log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anbu\Desktop\ErrorKiller+2.6.2.rar (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anbu\Desktop\ErrorKiller.lnk (Rogue.ErrorKiller) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:57, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ovislink\Common\TurboG-UI.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirLive Turbo-G Wireless Utility.lnk = C:\Program Files\Ovislink\Common\TurboG-UI.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFD6344-B670-43F6-A976-C984E2E4FC3A}: NameServer = 79.101.14.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 3773 bytes



#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Looks good, how is everything running?

#13
Fochzila

Fochzila

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Mhm, yeah.

Now all IE add-ons are gone, and it should be working fine.

But I won't take a risk, I will leave all protection on.

Thanks for the advice and help!

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Open Internet Explorer then:
Go to Tools>Manage add-ons> then Enable add-ons.
Enable the ones that you want.

Let me know if that helps or not.

#15
Fochzila

Fochzila

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I don't use IE for any add-ons.... Opera and FF are my main browsers. IE I use for Hotmail, my family members....

Zerging the PC when I am away >.> very irritating

Anyhow, thank you very much for this help, my first stubborn malware.

:) :)


P.S. 1 PC = 1 user, 1 PC = more than 1 user = fun for everybody!

cheers