
Downloader+W32BackdoorIRC endless popups audio ads [RESOLVED]


This topic is locked

#1
Q6600isabeast
Member, 10 posts
Tried the basic scanners and have a HJT list as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:55 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sotpeca.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ABIT\uGuru\uGuru.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescam...GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1219797676031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O23 - Service: afisicx Corporation (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: roxtctm Event propagation service (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Settings storage service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 8926 bytes
  • 0


#2
Mike
Malware Monger, Retired Staff, 2,745 posts
Hi there :)

You have a lot of nasties there. Please follow the instructions in the order they are given :)

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of mmchost.dll.
  • Select every instance of mmchost.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.

Then go to add or remove programs (start > control panel) and uninstall:
Viewpoint


Then,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Make sure the 'Zip files after move' box is checked.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    afisicx <delete service>
    noxtcyr <delete service>
    roxtctm <delete service>
    sotpeca <delete service>
    wsldoekd <delete service>
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\noxtcyr.exe
    C:\WINDOWS\system32\roxtctm.exe
    C:\WINDOWS\system32\sotpeca.exe
    C:\WINDOWS\system32\wsldoekd.exe
    c:\windows\system32\mmchost.dll
    emptytemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

***********

Now in c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.zip) you should find a zipped folder of moved files. Please upload it to a hosting website like Rapidshare and PM me the download link or PM me and attach the file to the PM.

***********

And finally,

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Edited by Mike, 28 August 2008 - 06:53 AM.

  • 0

#3
Q6600isabeast
Topic Starter, Member, 10 posts
OK... first, here is my OTMoveIt log contents:

Explorer killed successfully
afisicx service deleted successfully.
noxtcyr service deleted successfully.
roxtctm service deleted successfully.
sotpeca service deleted successfully.
wsldoekd service deleted successfully.
C:\WINDOWS\system32\afisicx.exe moved successfully.
C:\WINDOWS\system32\noxtcyr.exe moved successfully.
C:\WINDOWS\system32\roxtctm.exe moved successfully.
C:\WINDOWS\system32\sotpeca.exe moved successfully.
C:\WINDOWS\system32\wsldoekd.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\mmchost.dll
c:\windows\system32\mmchost.dll NOT unregistered.
c:\windows\system32\mmchost.dll moved successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\Wade\LOCALS~1\Temp\etilqs_5IsaBj82uZ1fMcjFcu6V scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Wade\LOCALS~1\Temp\~DF3CC9.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta33152.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta55029.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta55971.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta59849.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta64789.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta77231.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta97656.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mtaw65556.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f18.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08282008_172822

Files moved on Reboot...
File C:\DOCUME~1\Wade\LOCALS~1\Temp\etilqs_5IsaBj82uZ1fMcjFcu6V not found!
C:\DOCUME~1\Wade\LOCALS~1\Temp\~DF3CC9.tmp moved successfully.
File C:\WINDOWS\temp\mta33152.dll not found!
C:\WINDOWS\temp\mta55029.dll unregistered successfully.
C:\WINDOWS\temp\mta55029.dll moved successfully.
C:\WINDOWS\temp\mta55971.dll unregistered successfully.
C:\WINDOWS\temp\mta55971.dll moved successfully.
C:\WINDOWS\temp\mta59849.dll unregistered successfully.
C:\WINDOWS\temp\mta59849.dll moved successfully.
C:\WINDOWS\temp\mta64789.dll unregistered successfully.
C:\WINDOWS\temp\mta64789.dll moved successfully.
C:\WINDOWS\temp\mta77231.dll unregistered successfully.
C:\WINDOWS\temp\mta77231.dll moved successfully.
File C:\WINDOWS\temp\mta97656.dll not found!
C:\WINDOWS\temp\mtaw65556.dll unregistered successfully.
C:\WINDOWS\temp\mtaw65556.dll moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_f18.dat not found!


I attempted to DL the RSIT program... it said my current settings don't allow me to download it... I tried to disable all security for IE just to get this file, with no luck. And... thank you very much for the help thus far... I know this may just be the tip of the iceberg, by YOU saying I have a LOT of nasties.

Here is the link to my OTMoveIt zip file: Removed link, thanks for uploading them for me

Edited by Mike, 29 August 2008 - 02:28 AM.
Removed link so others won't download it, thank you

  • 0

#4
Mike
Malware Monger, Retired Staff, 2,745 posts
Hi there :)

Thanks for the files.

Something that might help you a bit if you are having problems browsing in IE is to download Firefox. See if you can get RSIT with that.

Otherwise please do this for me so we make some progress :)

Download OTViewIt to your desktop.
  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  • You may need to use two posts to get it all on the forum, and post a new HijackThis log along with it.

Edited by Mike, 29 August 2008 - 03:04 AM.

  • 0

#5
Q6600isabeast
Topic Starter, Member, 10 posts
Any download (at least OTViewIt and RSIT) will not download due to my Security Zone Policy settings. I just got Firefox and have been using it since my first post on the site. HJT log as of now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:36 AM, on 8/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\WINDOWS\system32\macidwe.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ABIT\uGuru\uGuru.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sotpeca.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescam...GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1219797676031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: macidwe Manages messages (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: noxtcyr Event propagation service (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: roxtctm Manages messages (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: tdxdowkc Co. Ltd. (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wsldoekd Settings storage service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 8542 bytes

Edited by Q6600isabeast, 29 August 2008 - 07:09 AM.

  • 0

#6
Mike
Malware Monger, Retired Staff, 2,745 posts
Hi there, sorry for the delay in replying.

Firefox 3 takes over the security settings present in IE.

Open Internet Explorer, go to Tools, Internet Options, then Security.
Make sure that the little slide bar under 'Security level for this zone' is not set to High.

If it is, slide it down to Medium.

If you still can't download from the infected PC, see if you can transfer the tools from another one via USB or CD.

Now all the bad guys are back so please do this for me.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

  • 0
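As an added illustration for this thread (not a tool from the thread or from the helper's toolkit), the following Python script parses the O23 service lines of the two HijackThis logs posted so far and the OTMoveIt2 log between them, then reports which publisher-less, random-named services were deleted and re-created (the "bad guys are back" that Mike refers to) and which names are new. The log lines are excerpted from the posts above; the three-part heuristic in `suspicious()` is an assumption drawn from the pattern in these logs, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# HijackThis prints one service per O23 line:
#   O23 - Service: <display name> [(<short name>)] - <owner> - <image path>
# The parenthesised short name is absent for some services (e.g. "DefWatch").
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
# OTMoveIt2 logs a removed service as "<short name> service deleted successfully."
OTMOVEIT_DELETED_RE = re.compile(r"^(?P<short>\S+) service deleted successfully\.$")
# An image sitting directly in system32 (not in a subfolder such as system32\Drivers).
SYSTEM32_FILE_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Service:
    display: str
    short: str
    owner: str
    path: str


def parse_o23(hjt_log: str) -> Dict[str, Service]:
    """Extract O23 entries, keyed by short name (display name if HJT printed none)."""
    services: Dict[str, Service] = {}
    for line in hjt_log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            short = m["short"] or m["display"]
            services[short] = Service(m["display"], short, m["owner"], m["path"])
    return services


def suspicious(services: Dict[str, Service]) -> List[str]:
    """Heuristic (assumption) matching the pattern in this thread's logs: no publisher
    ("Unknown owner"), an image dropped straight into system32, and a display name
    that merely echoes the short name plus filler ("afisicx Corporation",
    "noxtcyr Manages messages").  All three must hold, so bwcsrv (unknown owner but
    under system32\\Drivers with a real product name) is not flagged."""
    hits = []
    for svc in services.values():
        unknown_owner = svc.owner.strip().lower() == "unknown owner"
        in_system32 = SYSTEM32_FILE_RE.match(svc.path) is not None
        echoes_name = svc.display.lower().startswith(svc.short.lower() + " ")
        if unknown_owner and in_system32 and echoes_name:
            hits.append(svc.short)
    return sorted(hits)


def parse_otmoveit_deleted(otmoveit_log: str) -> Set[str]:
    """Short names of services that OTMoveIt2 reported as deleted."""
    deleted = set()
    for line in otmoveit_log.splitlines():
        m = OTMOVEIT_DELETED_RE.match(line.strip())
        if m:
            deleted.add(m["short"])
    return deleted


def compare(before: Dict[str, Service], after: Dict[str, Service],
            deleted: Set[str]) -> Dict[str, List[str]]:
    """Split the later log's suspicious services into those that were deleted and came
    back (something is still re-creating them) and names absent from the first log."""
    flagged = set(suspicious(after))
    return {"reappeared": sorted(flagged & deleted),
            "new": sorted(flagged - set(before))}


# O23 lines excerpted from the two HijackThis logs and the OTMoveIt2 log posted above.
HJT_LOG_1 = r"""
O23 - Service: afisicx Corporation (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: roxtctm Event propagation service (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Settings storage service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
"""
OTMOVEIT_LOG = r"""
afisicx service deleted successfully.
noxtcyr service deleted successfully.
roxtctm service deleted successfully.
sotpeca service deleted successfully.
wsldoekd service deleted successfully.
C:\WINDOWS\system32\afisicx.exe moved successfully.
"""
HJT_LOG_2 = r"""
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: macidwe Manages messages (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: noxtcyr Event propagation service (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: roxtctm Manages messages (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: tdxdowkc Co. Ltd. (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wsldoekd Settings storage service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
"""

if __name__ == "__main__":
    before, after = parse_o23(HJT_LOG_1), parse_o23(HJT_LOG_2)
    print("suspicious in first log:", suspicious(before))
    print(compare(before, after, parse_otmoveit_deleted(OTMOVEIT_LOG)))
```

Services that survive a delete-and-reboot this way point to a loader that is still running or still registered; the script only surfaces the candidates, it does not remove anything.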

#7
Q6600isabeast
Topic Starter, Member, 10 posts
OMG I'm about to rip my bleeping hair out!!!!!!!!!!!!!!

I am working on my other computer in an attempt to get those files. Every single link you gave me is not responding on this other computer... could this be something to do with my router? I was able to find ComboFix.exe from another site... but the XP SP2 Pro Bootdisk ENU I cannot find anywhere else, which means no Recovery Console for me. I have misplaced my XP Pro disk at the moment but will work on getting that some time this weekend. So aggravating... it shows that it has started these downloads but then it will sit there transferring a 4.4MB file forever with no transfer rate or estimated time to finish.

WHEW, problem fixed with the other PC. Rebooted after some Auto Updates were through, and the files were able to be downloaded then.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:53 PM, on 8/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.geekstogo.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescam...GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1219797676031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7154 bytes

ComboFix 08-08-28.06 - Wade 2008-08-29 13:14:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1600 [GMT -5:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Wade\Application Data\inst.exe
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\bin.clearspring.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\interclick.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\#SharedObjects\N9658NA4\interclick.com\ud.sol
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Wade\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Wade\new.txt
C:\test.txt
C:\WINDOWS\Install.txt
C:\WINDOWS\system32\launcher.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\oduxftw.sys
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\tawisys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_AFISICX
-------\Legacy_MACIDWE
-------\Legacy_NOXTCYR
-------\Legacy_PANDRV
-------\Legacy_ROXTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_TDXDOWKC
-------\Legacy_WSLDOEKD
-------\Service_6to4
-------\Service_macidwe
-------\Service_Pandrv
-------\Service_seuictol
-------\Service_tdxdowkc


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-28 17:28 . 2008-08-28 17:28 <DIR> d-------- C:\_OTMoveIt
2008-08-27 21:58 . 2008-08-27 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 20:19 . 2008-08-27 20:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-27 20:08 . 2008-08-27 20:08 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\Wade\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 19:50 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 19:48 . 2008-08-27 19:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-27 19:44 . 2008-08-27 19:45 <DIR> d-------- C:\Program Files\ERUNT
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-26 19:30 . 2008-08-26 19:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-26 19:10 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-26 18:55 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-26 18:53 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-26 11:40 . 2008-08-27 19:58 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-26 11:40 . 2008-08-27 20:00 14,848 --a------ C:\WINDOWS\system32\zordisa.dll
2008-08-16 12:51 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-16 12:49 . 2008-08-16 12:49 <DIR> d-------- C:\WINDOWS\Logs
2008-08-16 10:57 . 2008-08-29 08:57 <DIR> d-------- C:\Program Files\ShotOnline International
2008-08-14 19:11 . 2003-07-16 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-08-14 19:11 . 2004-12-31 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-08-14 19:10 . 2008-08-14 19:10 <DIR> d-------- C:\Program Files\Common Files\INCA Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 18:18 --------- d-----w C:\Program Files\lg_fwupdate
2008-08-28 23:04 --------- d-----w C:\Program Files\PokerStars
2008-08-28 22:26 --------- d-----w C:\Program Files\Viewpoint
2008-08-28 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-28 02:45 --------- d-----w C:\Program Files\BFG
2008-08-27 01:14 --------- d-----w C:\Program Files\NavNT
2008-08-23 21:38 --------- d-----w C:\Documents and Settings\Wade\Application Data\Vso
2008-07-01 23:19 --------- d-----w C:\Program Files\Common Files\Motive
2008-07-01 23:19 --------- d-----w C:\Program Files\ATT
2008-07-01 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-04-26 13:09 47,360 ----a-w C:\Documents and Settings\Wade\Application Data\pcouffin.sys
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [2006-03-23 11:41 417792]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-10-31 11:59 73728]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 03:00 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-05 03:46 249856]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 11:47 151552]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-24 21:52 385024]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 18:08 16342528 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\ShotOnline International\\ShotOnline.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3680:TCP"= 3680:TCP:*:Disabled:Ares
"27158:TCP"= 27158:TCP:*:Disabled:BitComet 27158 TCP
"27158:UDP"= 27158:UDP:*:Disabled:BitComet 27158 UDP
"16180:TCP"= 16180:TCP:*:Disabled:BitComet 16180 TCP
"16180:UDP"= 16180:UDP:*:Disabled:BitComet 16180 UDP

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 13:46]
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-12-21 03:21]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 10:00]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-08-25 15:00]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-07-11 00:46]
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 19:49]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PowerBar - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\wdcos58e.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 13:18:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\drivers\BWCSRV.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-29 13:19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 18:19:46

Pre-Run: 259,319,922,688 bytes free
Post-Run: 259,346,857,984 bytes free

190 --- E O F --- 2008-08-29 12:54:48


Yes, I do use PokerStars.

Edited by Q6600isabeast, 29 August 2008 - 04:06 PM.

  • 0

#8
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi again :)

Did you install PokerStars?

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
Folder::
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Then,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Post back with the logs please :)
  • 0

#9
Q6600isabeast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OK, looking much better already... here's the CF log:

ComboFix 08-08-28.06 - Wade 2008-08-29 17:01:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1620 [GMT -5:00]
Running from: C:\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wade\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\WINDOWS\system32\zordisa.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-28 17:28 . 2008-08-28 17:28 <DIR> d-------- C:\_OTMoveIt
2008-08-27 21:58 . 2008-08-27 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 20:19 . 2008-08-27 20:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-27 20:08 . 2008-08-27 20:08 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\Wade\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 19:50 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 19:48 . 2008-08-27 19:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-27 19:44 . 2008-08-27 19:45 <DIR> d-------- C:\Program Files\ERUNT
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-26 19:30 . 2008-08-26 19:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-26 19:10 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-26 18:55 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-26 18:53 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-26 11:40 . 2008-08-27 19:58 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-16 12:51 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-16 12:49 . 2008-08-16 12:49 <DIR> d-------- C:\WINDOWS\Logs
2008-08-16 10:57 . 2008-08-29 13:45 <DIR> d-------- C:\Program Files\ShotOnline International
2008-08-14 19:11 . 2003-07-16 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-08-14 19:11 . 2004-12-31 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-08-14 19:10 . 2008-08-14 19:10 <DIR> d-------- C:\Program Files\Common Files\INCA Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:42 --------- d-----w C:\Program Files\PokerStars
2008-08-29 18:18 --------- d-----w C:\Program Files\lg_fwupdate
2008-08-28 02:45 --------- d-----w C:\Program Files\BFG
2008-08-27 01:14 --------- d-----w C:\Program Files\NavNT
2008-08-23 21:38 --------- d-----w C:\Documents and Settings\Wade\Application Data\Vso
2008-07-31 15:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 15:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 15:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-26 02:34 288,763 ----a-w C:\WINDOWS\system32\Windll32.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:08 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-12 13:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 13:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 13:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 23:19 --------- d-----w C:\Program Files\Common Files\Motive
2008-07-01 23:19 --------- d-----w C:\Program Files\ATT
2008-07-01 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-30 19:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 19:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 19:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 19:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 19:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 19:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 19:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-04-26 13:09 47,360 ----a-w C:\Documents and Settings\Wade\Application Data\pcouffin.sys
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [2006-03-23 11:41 417792]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-10-31 11:59 73728]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 03:00 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-05 03:46 249856]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 11:47 151552]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-24 21:52 385024]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 18:08 16342528 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\ShotOnline International\\ShotOnline.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3680:TCP"= 3680:TCP:*:Disabled:Ares
"27158:TCP"= 27158:TCP:*:Disabled:BitComet 27158 TCP
"27158:UDP"= 27158:UDP:*:Disabled:BitComet 27158 UDP
"16180:TCP"= 16180:TCP:*:Disabled:BitComet 16180 TCP
"16180:UDP"= 16180:UDP:*:Disabled:BitComet 16180 UDP

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 13:46]
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-12-21 03:21]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 10:00]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-08-25 15:00]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-07-11 00:46]
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 19:49]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 17:02:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-08-29 17:02:20
ComboFix-quarantined-files.txt 2008-08-29 22:02:17
ComboFix2.txt 2008-08-29 18:19:49

Pre-Run: 259,332,501,504 bytes free
Post-Run: 259,335,081,984 bytes free

153 --- E O F --- 2008-08-29 12:54:48
  • 0

#10
Q6600isabeast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Yes, I use PokerStars. Thank you very much! As of yet, things appear to be back to normal.
  • 0


#11
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Glad to hear it. Can I see the log from Malwarebytes' Anti-Malware along with a new HijackThis log?

Also do this for me please :)

Please open Notepad by going to Start > Run and typing Notepad.exe in the window that pops up. Press Enter, and in the Notepad window that appears, Copy (Ctrl+C) and Paste (Ctrl+P) the following:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
Note: it is important to copy this with the spacing left as it is, also make sure "Windows Registry Editor Version 5.00" is the first thing in Notepad (No spaces ahead or anything).

In Notepad click on the "File" menu > Save As... Under "File name" type Fix.reg and change "Save as type" to All Files.
Posted Image
Now double click Fix.reg. A pop-up will appear asking you if you want to import this to your registry; click Yes.

Edited by Mike, 30 August 2008 - 02:53 AM.

  • 0
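The SecurityProviders value that Mike restores in posts #8 and #11 names the Security Support Provider DLLs that lsass.exe loads at boot, which is why an entry that is not on the default list deserves a second look; the ComboFix logs on this page printed the value run together (msapsspc.dllschannel.dll...) rather than comma separated. The Python script below is an added example, not code from the thread, from ComboFix or from Malwarebytes: it parses the value in either form, from .reg text (FIX_REG reproduces Mike's Fix.reg) or from the live registry when run on Windows, and reports entries that are not among the four DLLs Mike's fix writes back. TAMPERED_VALUE is a constructed sample and example_ssp.dll in it is a placeholder name, not a real indicator.

```python
"""Check a SecurityProviders registry value against the expected defaults.

Added example for this thread; the expected list is the one Mike's Fix.reg
restores.  Runs offline on the embedded samples and, on Windows, can also
read the live value.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# The defaults Mike's Fix.reg writes back (comma separated, trailing comma kept).
EXPECTED_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Mike's Fix.reg from post #11, reproduced as sample .reg input.
FIX_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
"""

# The run-together form as printed in the ComboFix logs on this page.
COMBOFIX_VALUE = "msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"

# Constructed sample of a tampered value: a fifth DLL with a placeholder name.
TAMPERED_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, example_ssp.dll,"

# Matches the value line of a .reg / REGEDIT4 export.
_REG_LINE = re.compile(r'^"SecurityProviders"="(?P<value>.*)"\s*$',
                       re.IGNORECASE | re.MULTILINE)


def parse_providers(value: str) -> list[str]:
    """Split a SecurityProviders value into lower-cased DLL names.

    Handles the normal comma-separated form and the run-together form
    ("a.dllb.dll") by splitting after every ".dll" that is followed by more text.
    """
    names: list[str] = []
    for chunk in value.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        for part in re.split(r"(?<=\.dll)(?=\S)", chunk, flags=re.IGNORECASE):
            if part.strip():
                names.append(part.strip().lower())
    return names


def check_providers(value: str,
                    expected: Iterable[str] = EXPECTED_PROVIDERS) -> dict[str, list[str]]:
    """Report which parsed entries are unexpected and which defaults are missing."""
    expected_list = [e.lower() for e in expected]
    found = parse_providers(value)
    return {
        "providers": found,
        "unexpected": [n for n in found if n not in expected_list],
        "missing": [e for e in expected_list if e not in found],
    }


def check_reg_text(reg_text: str) -> dict[str, list[str]]:
    """Pull the SecurityProviders value out of .reg-style text and check it."""
    match = _REG_LINE.search(reg_text)
    if match is None:
        raise ValueError("no SecurityProviders value found in text")
    return check_providers(match.group("value"))


def read_live_value() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "SecurityProviders")
        return str(value)


if __name__ == "__main__":
    live = read_live_value()
    if live is not None:
        print("live value:", check_providers(live))
    print("Fix.reg:", check_reg_text(FIX_REG))
    print("ComboFix form:", check_providers(COMBOFIX_VALUE))
    print("tampered sample:", check_providers(TAMPERED_VALUE))
```

An empty "unexpected" list together with an empty "missing" list means the value matches what Mike's Fix.reg writes; anything listed under "unexpected" is a DLL that lsass.exe would load at the next boot and should be identified before the value is trusted.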

#12
Q6600isabeast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
First on the list:

Malwarebytes' Anti-Malware 1.25
Database version: 1094
Windows 5.1.2600 Service Pack 3

8:19:35 AM 8/30/2008
mbam-log-08-30-2008 (08-19-35).txt

Scan type: Quick Scan
Objects scanned: 42350
Time elapsed: 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And then:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:06 AM, on 8/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\bwcsrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\JMRaidTool.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.geekstogo.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescam...GamesCampus.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1219797676031
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7120 bytes

I updated my reg with the fix.reg you made for me. How's she lookin?

#13
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
The logs look good :)

How is your PC running? Let's do one last check to make sure we have everything under control.

Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through Add or Remove Programs.

Go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Edited by Mike, 30 August 2008 - 08:22 AM.


#14
Q6600isabeast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Alright, Kaspersky scan complete:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 30, 2008 14:20:50
Records in database: 1168784
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 76075
Threat name: 12
Infected objects: 33
Suspicious objects: 0
Duration of the scan: 01:08:32


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A4C0000.VBN Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A700000.VBN Infected: Exploit.JS.Agent.tz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CFC0000.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CFC0001.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D000000.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D040000.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D040001.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D0C0000.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D100000.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D180000.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D1C0000.VBN Infected: Trojan.BAT.Regger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D1C0001.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D1C0002.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D1C0003.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D2C0000.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D2C0001.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D2C0002.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D340000.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D380000.VBN Infected: Virus.Win32.Parite.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D3C0000.VBN Infected: Virus.Win32.Parite.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oduxftw.sys.vir Infected: Trojan-Clicker.Win32.VB.brv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zordisa.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.syhe 1
C:\WINDOWS\system32\tpszxyd.sys Infected: Trojan.Win32.DNSChanger.iez 1
C:\WINDOWS\system32\winimgr.exe Infected: Trojan-Downloader.Win32.AutoIt.bt 1
C:\WINDOWS\system32\winlogs.exe Infected: Trojan-Downloader.Win32.AutoIt.bt 1
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\afisicx.exe Infected: Trojan.Win32.Agent.abgv 1
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\noxtcyr.exe Infected: Trojan.Win32.Agent.abgz 1
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\roxtctm.exe Infected: Trojan.Win32.Agent.absa 1
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\wsldoekd.exe Infected: Trojan.Win32.Agent.abgy 1
C:\_OTMoveIt\MovedFiles\08282008_172822.zip Infected: Trojan.Win32.Agent.abgv 1
C:\_OTMoveIt\MovedFiles\08282008_172822.zip Infected: Trojan.Win32.Agent.abgz 1
C:\_OTMoveIt\MovedFiles\08282008_172822.zip Infected: Trojan.Win32.Agent.absa 1
C:\_OTMoveIt\MovedFiles\08282008_172822.zip Infected: Trojan.Win32.Agent.abgy 1

The selected area was scanned.
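As an added example (not from the thread or either poster), a small Python triage of the report format above: it separates detections sitting inside quarantine and backup containers, which only need emptying, from files still live on disk, and renders the File::/Folder:: CFScript form used in this thread. The sample report lines and the container list are constructed from paths the thread already shows; which containers go into a script is the helper's call (the reply in this thread lists only C:\_OTMoveIt).

```python
import re

# Constructed excerpt in the Kaspersky Online Scanner 7 report format shown above
# (a few of the thread's own lines, not the full report).
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D100000.VBN Infected: Virus.Win32.Parite.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oduxftw.sys.vir Infected: Trojan-Clicker.Win32.VB.brv 1
C:\WINDOWS\system32\tpszxyd.sys Infected: Trojan.Win32.DNSChanger.iez 1
C:\WINDOWS\system32\winimgr.exe Infected: Trojan-Downloader.Win32.AutoIt.bt 1
C:\_OTMoveIt\MovedFiles\08282008_172822.zip Infected: Trojan.Win32.Agent.abgv 1
C:\_OTMoveIt\MovedFiles\08282008_172822.zip Infected: Trojan.Win32.Agent.abgz 1
The selected area was scanned.
"""

# One detection per line: "<path> Infected: <threat name> <count>"; other lines are ignored.
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Folders holding copies already pulled out of the live system (AV quarantine, ComboFix's
# QooBox, OTMoveIt backups). A hit there is not active; the fix is to empty the container.
CONTAINER_ROOTS = (
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine",
    r"C:\QooBox\Quarantine",
    r"C:\_OTMoveIt",
)

def parse_report(text):
    """Return (path, threat, count) for every detection line in a Kaspersky report."""
    hits = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits

def triage(text):
    """Split detections into live files still on disk and containers that only need emptying."""
    live, containers = [], []
    for path, _threat, _count in parse_report(text):
        root = next((r for r in CONTAINER_ROOTS
                     if path.lower().startswith(r.lower() + "\\")), None)
        if root is None and path not in live:
            live.append(path)                 # first-seen order, one entry per path
        elif root is not None and root not in containers:
            containers.append(root)
    return {"live": live, "containers": containers}

def build_cfscript(live_files, folders):
    """Render a ComboFix CFScript with the File:: and Folder:: sections this thread uses."""
    return "\n".join(["File::", *live_files, "", "Folder::", *folders]) + "\n"
```

Running triage on the full report in the post yields the same three live system32 files and the same containers that the next reply handles by hand.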

#15
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there :)

Delete everything in this folder please: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\WINDOWS\system32\tpszxyd.sys 
C:\WINDOWS\system32\winimgr.exe 
C:\WINDOWS\system32\winlogs.exe

Folder::
C:\_OTMoveIt
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that, please reboot your computer if it asks you to and post ComboFix.txt (the report that ComboFix will generate) in your next reply.