
I can't instal an antivirus and some programs [Solved]


This topic is locked.

#1 Gasol (Member, 153 posts)
I know. It is bad! Again.
Now, the problem: I THINK some malware came from a memory stick. I have that program, Flash Disinfector, and maybe it doesn't work (or maybe I wasn't infected from the stick).
My antivirus (AVG8) expired a week ago. Because I didn't want to "extend" the licence, I uninstalled it. Now I have just Malwarebytes' Anti-Malware, the Windows Firewall, SpywareBlaster and NoAdware. So I want an antivirus. I wanted to install a trial version of Kaspersky, but it doesn't work! After the installation, when I click on the .exe, it disappears! With CTRL+ALT+DEL I saw the program was running, but I can't see it, so I uninstalled it and tried avast!, but the same problem! I searched for my ATF Cleaner but... it wasn't in its place! So I consider (maybe) I deleted it some time ago (but I don't remember that) and downloaded it again; I installed it and... when I click on the .exe... the interface appears, and after about 0.5 seconds it disappears; I can't empty the temp files from IE.
When I tried to install avast!, the PC restarted by itself. After turning it on, a message with an error appeared; I made a print screen and attached it to this post.
Can you tell me what kind of problem I have?
Here is my Trend Micro HijackThis logfile, and I'm waiting for your help, please.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:55 AM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsmaptf.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qgebq.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winqhbf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.ro
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ro
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 6998 bytes

Attached thumbnail: ciudaaaat.jpg

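The log above shows the pattern a responder looks for first: executables running out of the user's temp directory (the three `winsmaptf.exe`, `qgebq.exe` and `winqhbf.exe` processes). The following script is an added example, not code from the thread or from HijackThis; it parses a constructed, trimmed sample of a HijackThis v2 log (one O4 autostart line pointing into Temp was added for illustration) and flags processes and autostart entries that live under a temp directory, plus entries whose target is missing. The temp-path heuristic is my own.

```python
import re
from typing import List, Tuple

# Constructed sample input, modelled on the HijackThis v2 log format above
# (trimmed, with one O4 autostart line added for illustration). It is not
# the poster's full log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:55 AM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsmaptf.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qgebq.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qgebq.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# HijackThis item lines start with a section code such as R1, F2, O4, O23.
ENTRY_RE = re.compile(r"^[RFO]\d+ - ")
# O4 autostart lines: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def is_temp_path(path: str) -> bool:
    """Heuristic: the path (or command line) points into a temp directory,
    which covers the user's LOCALS~1\\Temp, Local Settings\\Temp and WINDOWS\\temp."""
    p = path.lower()
    return "\\temp\\" in p or "\\tmp\\" in p


def parse_log(log_text: str) -> Tuple[List[str], List[str]]:
    """Split a HijackThis log into the running-process list and the item lines."""
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, line) pairs worth a responder's attention."""
    processes, entries = parse_log(log_text)
    findings = []
    for proc in processes:
        if is_temp_path(proc):
            findings.append(("process-from-temp", proc))
    for entry in entries:
        m = O4_RE.match(entry)
        if m and is_temp_path(m.group("cmd")):
            findings.append(("autostart-from-temp", entry))
        elif entry.endswith("(file missing)"):
            findings.append(("missing-target", entry))
    return findings


if __name__ == "__main__":
    for kind, item in triage(SAMPLE_LOG):
        print(f"{kind:20} {item}")
```

Running it on the sample lists the two Temp processes, the constructed Temp autostart entry and the missing Messenger button. A path under Temp is not proof of infection on its own (installers unpack there too), which is why the output is a worklist for the analyst rather than a verdict.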


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, let's see what we can do.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsmaptf.exe
    C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qgebq.exe
    C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winqhbf.exe
    
    :Commands
    [purity]
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 Gasol (Topic Starter, Member, 153 posts)
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsmaptf.exe not found.
File/Folder C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qgebq.exe not found.
File/Folder C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winqhbf.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\OD6BKPA3\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4XUZOHMJ\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\41QF4HU3\parking[1].htm scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\3614TNJ7\CA4LJ0CK.htm scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\liom.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qewon.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qwrpkx.exe scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5e8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01302009_105224

Files moved on Reboot...
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\OD6BKPA3\iframe[1].htm moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4XUZOHMJ\iframe[1].htm moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\41QF4HU3\parking[1].htm moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\3614TNJ7\CA4LJ0CK.htm moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\History\History.IE5\index.dat moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\Cookies\index.dat moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\liom.exe moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qewon.exe moved successfully.
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qwrpkx.exe moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_5e8.dat scheduled to be moved on reboot.



ComboFix 09-01-21.04 - Bogdanian 2009-01-30 10:58:55.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.708 [GMT 2:00]
Running from: c:\documents and settings\Bogdanian\Desktop\ComboFix.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-30 10:52 . 2009-01-30 10:52 <DIR> d-------- C:\_OTMoveIt
2009-01-29 23:34 . 2009-01-29 23:34 4,408,452 --a------ C:\SPMT.rar
2009-01-23 20:42 . 2009-01-23 20:53 <DIR> d-------- C:\Vladu - materiale finale, corectate
2009-01-23 20:09 . 2009-01-23 20:41 156,672 --a------ C:\Revista - Vladu - corectat, TOT.doc
2009-01-23 19:49 . 2009-01-20 22:03 565,756 --a------ C:\Virgil GEORGESCU jr..jpg
2009-01-23 19:48 . 2009-01-23 19:48 1,560,614 --a------ C:\DSC_0185.JPG
2009-01-23 19:46 . 2006-03-07 19:50 421,157 --a------ C:\DSC09990.JPG
2009-01-23 01:02 . 2009-01-03 05:00 257,895 --a------ C:\screenshot.png
2009-01-23 01:00 . 2009-01-03 04:07 734,789,316 --a------ C:\HIM-Rockpalast.2000.DVBRip.x264.HIMMANIA.mkv
2009-01-23 01:00 . 2009-01-03 05:00 260,068 --a------ C:\screens-thumbs.jpg
2009-01-16 10:35 . 2009-01-16 10:37 54,530 --a------ C:\DSCF3572.jpg
2009-01-14 17:09 . 2009-01-14 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winter Sports 2009
2009-01-01 02:10 . 2009-01-01 02:11 <DIR> d-------- c:\windows\NV20842420.TMP
2009-01-01 02:09 . 2009-01-01 02:09 <DIR> d-------- C:\NVIDIA
2009-01-01 02:06 . 2009-01-01 02:06 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-01 01:36 . 2009-01-01 01:36 <DIR> d-------- c:\windows\Logs
2008-12-31 03:21 . 2008-12-31 03:21 <DIR> d-------- C:\2000
2008-12-26 17:20 . 2008-12-26 17:20 <DIR> d-------- c:\program files\Common Files\EasyInfo
2008-12-16 03:22 . 2008-12-17 18:43 <DIR> d-------- C:\CM
2008-12-14 21:10 . 2008-12-14 21:13 <DIR> d-------- c:\documents and settings\Bogdanian\Application Data\GrabIt
2008-12-02 16:19 . 2009-01-30 00:03 <DIR> d-------- c:\program files\Eset

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 21:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-29 21:41 --------- d-----w c:\program files\SPMT
2009-01-29 21:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 21:33 --------- d-----w c:\program files\SpywareBlaster
2009-01-29 21:32 --------- d-----w c:\program files\NoAdware5.0
2009-01-29 19:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-21 10:07 --------- d-----w c:\documents and settings\Bogdanian\Application Data\PlayFirst
2009-01-15 10:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 14:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 14:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-10 22:25 --------- d-----w c:\program files\oDC
2009-01-07 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2009-01-05 10:54 --------- d-----w c:\program files\Java
2009-01-02 19:54 --------- d-----w c:\documents and settings\Bogdanian\Application Data\mIRC
2009-01-02 19:01 --------- d-----w c:\program files\mIRC
2008-12-31 23:37 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-31 23:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 16:18 --------- d-----w c:\documents and settings\Bogdanian\Application Data\dvdcss
2008-12-20 19:27 --------- d-----w c:\program files\Winamp
2008-12-20 19:27 --------- d-----w c:\program files\LHM2006
2008-12-20 19:27 --------- d-----w c:\program files\LHM2003-2004
2008-12-20 19:27 --------- d-----w c:\program files\DVD Photo Slideshow Professional
2008-12-20 19:27 --------- d-----w c:\program files\Batch Watermark Creator
2008-12-20 19:27 --------- d-----w c:\program files\Astral Masters
2008-12-02 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-10 03:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-02 08:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-03-14 19:56 22,328 ----a-w c:\documents and settings\Bogdanian\Application Data\PnkBstrK.sys
2008-02-23 19:47 560 ----a-w c:\program files\Global.sw
2004-10-01 13:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-10-24 4732408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-05 253368]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-18 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 163840]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-11-02 1397760]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 53340]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 229376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 113520]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

c:\documents and settings\Bogdanian\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 187392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"MSVideo"= CSvidcap.dll
"vidc.dvsd"= pdvcodec.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.mjpg"= mcmjpg32.dll
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Marvel game\\Marvel Vs\\MarvelVs.exe"=
"e:\\motogp2\\motogp2.exe"=
"e:\\Warcraft III- Reign of Chaos & Frozen Throne\\warcraft iii\\Warcraft III.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"g:\\BitLord\\BitLord.exe"=
"c:\\Program Files\\oDC\\oDC.exe"=
"g:\\CrySis Game\\Bin32\\Crysis.exe"=
"g:\\CrySis Game\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\TV_View_Plugin_4.7.ocx"=
"e:\\Guitar Hero 3\\GH3.exe"=
"c:\\Program Files\\oDC\\StrongDC.exe"=
"d:\\ZOMBIESS\\System\\LOTD.exe"=
"g:\\Far2\\Far Cry 2\\bin\\FarCry2.exe"=
"g:\\Far2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"g:\\Far2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"d:\\Games-kitturi\\FIFA2007\\fifa07.exe"=
"c:\\WINDOWS\\Explorer.EXE"=
"c:\\WINDOWS\\system32\\HDAShCut.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\WINDOWS\\notepad.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\hxhrd.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\reuf.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\winvwwtna.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\etrws.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\windjqng.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\winktce.exe"=

R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\gnhhmu.sys --> c:\windows\system32\drivers\gnhhmu.sys [?]
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-11-15 2560]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d03ab35-ee1d-11dd-93a5-001a9233777c}]
\Shell\AutoPlay\commAnD - L:\lwbi.pif
\Shell\AutoRun\command - L:\lwbi.pif
\Shell\explorE\CoMmanD - L:\lwbi.pif
\Shell\OPeN\Command - L:\lwbi.pif
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.ro
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Bogdanian\Application Data\Mozilla\Firefox\Profiles\8r9j2g21.default\
FF - plugin: c:\documents and settings\Bogdanian\Application Data\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 11:00:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,c9,e0,20,43,a1,23,f2,
e3
"2"=hex:f1,df,16,de,80,08,0e,2a,78,a4,28,cb,d2,56,ff,58,a6,09,d8,fb,43,e9,d5,
e7,16,83,71,61,5d,be,d8,25
"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,2b,92,4b,0d,22,14,9d,
cb,e3,f8,73,90,7d,a4,36,0d,7e,db,3a,16,4c,1a,45,81,b1,a5,77,31,f5,50,d6,e8

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,36,d7,56,53,fe,9f,3d,f9
"2"=hex:8c,23,2d,03,75,bd,a0,cd
"3"=hex:ae,73,3f,fd,2b,83,eb,67,f2,93,90,8f,76,ae,d1,e9,96,73,d7,92,15,c0,66,
82,55,81,f1,8f,d8,ad,02,60,ee,7e,c3,37,11,d9,b4,42,f8,9d,1e,81,3f,79,76,02,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,
97,9f,f9,03,77,68,81,1b,0c,34,a2,88,30,12,be,09,a0
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,
63,a0,2f,06,c2,a3,e9,62,70,90,4c,ec,d6,92,e1,28,ba,e5,5d,0d,25,ef,fb,b7,21,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:8a,86,86,9a,b4,43,5e,10
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-01-30 11:04:09
ComboFix-quarantined-files.txt 2009-01-30 09:04:08

Pre-Run: 2,561,765,376 bytes free
Post-Run: 2,673,684,480 bytes free

233 --- E O F --- 2008-06-27 22:52:18

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
More to kill before I can start looking for remnants

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit:: 
c:\windows\system32\drivers\gnhhmu.sys 

Driver::
asc3360pr

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d03ab35-ee1d-11dd-93a5-001a9233777c}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\hxhrd.exe"=-
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\reuf.exe"=-
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\winvwwtna.exe"=-
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\etrws.exe"=-
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\windjqng.exe"=-
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\winktce.exe"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

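The CFScript above targets two things visible in the ComboFix report: firewall exceptions that whitelist executables in the user's Temp directory, and a mountpoints2 key whose AutoRun/AutoPlay/open/explore verbs all launch `lwbi.pif` from a removable drive (note the oddly cased verbs). The following script is an added example, not code from the thread, from ComboFix or from OTMoveIt; it parses a constructed, trimmed sample in the report's REGEDIT4-style text form, flags those two patterns, and emits a `Registry::` section in the same CFScript syntax the post uses (`[-key]` to delete a key, `"value"=-` to delete one value). The canonical-casing set, the risky-extension list and the severity labels are my own heuristics.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the ComboFix report posted above: a trimmed
# firewall exception list and the two mountpoints2 keys. Not the poster's full log.
SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\hxhrd.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\reuf.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d03ab35-ee1d-11dd-93a5-001a9233777c}]
\Shell\AutoPlay\commAnD - L:\lwbi.pif
\Shell\AutoRun\command - L:\lwbi.pif
\Shell\explorE\CoMmanD - L:\lwbi.pif
\Shell\OPeN\Command - L:\lwbi.pif
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
MP_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\(?P<sub>\S+) - (?P<cmd>.+)$")

# Heuristics (mine, not ComboFix's): spellings normally seen for these shell
# tokens, and extensions that deserve attention when launched from a removable volume.
CANONICAL_TOKENS = {"AutoRun", "AutoPlay", "open", "Open", "explore", "Explore", "command", "Command"}
RISKY_EXT = (".pif", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js")


def is_temp_path(path: str) -> bool:
    p = path.lower()
    return "\\temp\\" in p or "\\tmp\\" in p


def parse_combofix(text: str) -> Tuple[str, List[str], List[Tuple[str, str, str, str]]]:
    """Return (firewall list key, firewall exception paths, mountpoints2 entries)."""
    key = None
    fw_key, firewall, mountpoints = "", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        if key.lower().endswith("authorizedapplications\\list"):
            m = FW_RE.match(line)
            if m:
                fw_key = key
                # the report writes REGEDIT4-style doubled backslashes
                firewall.append(m.group("path").replace("\\\\", "\\"))
        elif "\\explorer\\mountpoints2\\" in key.lower():
            m = MP_RE.match(line)
            if m:
                mountpoints.append((key, m.group("verb"), m.group("sub"), m.group("cmd")))
    return fw_key, firewall, mountpoints


def triage(text: str) -> List[Dict[str, str]]:
    fw_key, firewall, mountpoints = parse_combofix(text)
    findings = []
    for path in firewall:
        if is_temp_path(path):
            findings.append({"kind": "firewall-exception-temp", "key": fw_key, "value": path,
                             "severity": "high", "reasons": "exception for a file under Temp"})
    for key, verb, sub, cmd in mountpoints:
        reasons = []
        if verb not in CANONICAL_TOKENS or sub not in CANONICAL_TOKENS:
            reasons.append("irregular casing of shell verb")
        if cmd.split()[0].lower().endswith(RISKY_EXT):
            reasons.append("script or PIF launched from removable volume")
        findings.append({"kind": "mountpoint-autorun", "key": key,
                         "value": f"\\Shell\\{verb}\\{sub} - {cmd}",
                         "severity": "high" if reasons else "review",
                         "reasons": "; ".join(reasons)})
    return findings


def build_registry_section(findings: List[Dict[str, str]]) -> str:
    """Emit a Registry:: block in the CFScript syntax used in the thread."""
    lines = ["Registry::"]
    for key in sorted({f["key"] for f in findings
                       if f["kind"] == "mountpoint-autorun" and f["severity"] == "high"}):
        lines.append(f"[-{key}]")
    fw = [f for f in findings if f["kind"] == "firewall-exception-temp"]
    if fw:
        lines.append(f"[{fw[0]['key']}]")
        for f in fw:
            lines.append('"' + f["value"].replace("\\", "\\\\") + '"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    results = triage(SAMPLE_COMBOFIX)
    for f in results:
        print(f"{f['severity']:6} {f['kind']:24} {f['value']}  {f['reasons']}")
    print(build_registry_section(results))
```

On the sample, the `L` key's single `LaunchU3.exe` entry comes out as "review" (normal casing, .exe target) while the GUID key's four `lwbi.pif` verbs come out "high", so only that key and the two Temp firewall exceptions reach the generated `Registry::` section, matching what the post removes.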

#5 Gasol (Topic Starter, Member, 153 posts)
ComboFix 09-01-21.04 - Bogdanian 2009-01-30 22:11:48.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.694 [GMT 2:00]
Running from: c:\documents and settings\Bogdanian\Desktop\ComboFix.exe
Command switches used :: d:\alternosfera\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-30 10:52 . 2009-01-30 10:52 <DIR> d-------- C:\_OTMoveIt
2009-01-29 23:34 . 2009-01-29 23:34 4,408,452 --a------ C:\SPMT.rar
2009-01-23 20:42 . 2009-01-23 20:53 <DIR> d-------- C:\Vladu - materiale finale, corectate
2009-01-23 20:09 . 2009-01-23 20:41 156,672 --a------ C:\Revista - Vladu - corectat, TOT.doc
2009-01-23 19:49 . 2009-01-20 22:03 565,756 --a------ C:\Virgil GEORGESCU jr..jpg
2009-01-23 19:48 . 2009-01-23 19:48 1,560,614 --a------ C:\DSC_0185.JPG
2009-01-23 19:46 . 2006-03-07 19:50 421,157 --a------ C:\DSC09990.JPG
2009-01-23 01:02 . 2009-01-03 05:00 257,895 --a------ C:\screenshot.png
2009-01-23 01:00 . 2009-01-03 04:07 734,789,316 --a------ C:\HIM-Rockpalast.2000.DVBRip.x264.HIMMANIA.mkv
2009-01-23 01:00 . 2009-01-03 05:00 260,068 --a------ C:\screens-thumbs.jpg
2009-01-16 10:35 . 2009-01-16 10:37 54,530 --a------ C:\DSCF3572.jpg
2009-01-14 17:09 . 2009-01-14 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winter Sports 2009
2009-01-01 02:10 . 2009-01-01 02:11 <DIR> d-------- c:\windows\NV20842420.TMP
2009-01-01 02:09 . 2009-01-01 02:09 <DIR> d-------- C:\NVIDIA
2009-01-01 02:06 . 2009-01-01 02:06 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-01 01:36 . 2009-01-01 01:36 <DIR> d-------- c:\windows\Logs
2008-12-31 03:21 . 2008-12-31 03:21 <DIR> d-------- C:\2000
2008-12-26 17:20 . 2008-12-26 17:20 <DIR> d-------- c:\program files\Common Files\EasyInfo
2008-12-16 03:22 . 2008-12-17 18:43 <DIR> d-------- C:\CM
2008-12-14 21:10 . 2008-12-14 21:13 <DIR> d-------- c:\documents and settings\Bogdanian\Application Data\GrabIt
2008-12-02 16:19 . 2009-01-30 00:03 <DIR> d-------- c:\program files\Eset

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 12:38 --------- d-----w c:\program files\SpywareBlaster
2009-01-29 21:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-29 21:41 --------- d-----w c:\program files\SPMT
2009-01-29 21:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 21:32 --------- d-----w c:\program files\NoAdware5.0
2009-01-29 19:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-21 10:07 --------- d-----w c:\documents and settings\Bogdanian\Application Data\PlayFirst
2009-01-15 10:41 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 14:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 14:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-10 22:25 --------- d-----w c:\program files\oDC
2009-01-07 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2009-01-05 10:54 --------- d-----w c:\program files\Java
2009-01-02 19:54 --------- d-----w c:\documents and settings\Bogdanian\Application Data\mIRC
2009-01-02 19:01 --------- d-----w c:\program files\mIRC
2008-12-31 23:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 16:18 --------- d-----w c:\documents and settings\Bogdanian\Application Data\dvdcss
2008-12-20 19:27 --------- d-----w c:\program files\Winamp
2008-12-20 19:27 --------- d-----w c:\program files\LHM2006
2008-12-20 19:27 --------- d-----w c:\program files\LHM2003-2004
2008-12-20 19:27 --------- d-----w c:\program files\DVD Photo Slideshow Professional
2008-12-20 19:27 --------- d-----w c:\program files\Batch Watermark Creator
2008-12-20 19:27 --------- d-----w c:\program files\Astral Masters
2008-12-02 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-03-14 19:56 22,328 ----a-w c:\documents and settings\Bogdanian\Application Data\PnkBstrK.sys
2008-02-23 19:47 560 ----a-w c:\program files\Global.sw
2004-10-01 13:00 110,592 ----a-w c:\program files\Uninstall_CDS.exe
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-30_11.01.24.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-25 18:38:08 317,952 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-30 19:59:10 317,952 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-30 20:22:51 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 4732408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-05 253368]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-18 1003520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 135168]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 163840]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 102400]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-11-02 1397760]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 135260]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 159744]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 229376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 214424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 113520]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

c:\documents and settings\Bogdanian\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 187392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll
"MSVideo"= CSvidcap.dll
"vidc.dvsd"= pdvcodec.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.mjpg"= mcmjpg32.dll
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Marvel game\\Marvel Vs\\MarvelVs.exe"=
"e:\\motogp2\\motogp2.exe"=
"e:\\Warcraft III- Reign of Chaos & Frozen Throne\\warcraft iii\\Warcraft III.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"g:\\BitLord\\BitLord.exe"=
"c:\\Program Files\\oDC\\oDC.exe"=
"g:\\CrySis Game\\Bin32\\Crysis.exe"=
"g:\\CrySis Game\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\TV_View_Plugin_4.7.ocx"=
"e:\\Guitar Hero 3\\GH3.exe"=
"c:\\Program Files\\oDC\\StrongDC.exe"=
"d:\\ZOMBIESS\\System\\LOTD.exe"=
"g:\\Far2\\Far Cry 2\\bin\\FarCry2.exe"=
"g:\\Far2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"g:\\Far2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"d:\\Games-kitturi\\FIFA2007\\fifa07.exe"=
"c:\\WINDOWS\\Explorer.EXE"=
"c:\\WINDOWS\\system32\\HDAShCut.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\WINDOWS\\notepad.exe"=
"c:\\WINDOWS\\system32\\CF9495.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\jifh.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\winmrtbe.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\jeoy.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\tycwhe.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\winkeah.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\wincfgl.exe"=

R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\gnhhmu.sys --> c:\windows\system32\drivers\gnhhmu.sys [?]
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-11-15 2560]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.ro
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Bogdanian\Application Data\Mozilla\Firefox\Profiles\8r9j2g21.default\
FF - plugin: c:\documents and settings\Bogdanian\Application Data\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 22:23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,c9,e0,20,43,a1,23,f2,
e3
"2"=hex:f1,df,16,de,80,08,0e,2a,78,a4,28,cb,d2,56,ff,58,a6,09,d8,fb,43,e9,d5,
e7,16,83,71,61,5d,be,d8,25
"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,2b,92,4b,0d,22,14,9d,
cb,e3,f8,73,90,7d,a4,36,0d,7e,db,3a,16,4c,1a,45,81,b1,a5,77,31,f5,50,d6,e8

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,36,d7,56,53,fe,9f,3d,f9
"2"=hex:8c,23,2d,03,75,bd,a0,cd
"3"=hex:ae,73,3f,fd,2b,83,eb,67,f2,93,90,8f,76,ae,d1,e9,96,73,d7,92,15,c0,66,
82,55,81,f1,8f,d8,ad,02,60,ee,7e,c3,37,11,d9,b4,42,f8,9d,1e,81,3f,79,76,02,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,
97,9f,f9,03,77,68,81,1b,0c,34,a2,88,30,12,be,09,a0
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,
63,a0,2f,06,c2,a3,e9,62,70,90,4c,ec,d6,92,e1,28,ba,e5,5d,0d,25,ef,fb,b7,21,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:8a,86,86,9a,b4,43,5e,10
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\docume~1\BOGDAN~1\LOCALS~1\temp\jifh.exe
c:\docume~1\BOGDAN~1\LOCALS~1\temp\jeoy.exe
c:\docume~1\BOGDAN~1\LOCALS~1\temp\winkeah.exe
.
**************************************************************************
.
Completion time: 2009-01-30 22:27:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-30 20:27:56
ComboFix2.txt 2009-01-30 09:04:10

Pre-Run: 2,540,740,608 bytes free
Post-Run: 2,614,616,064 bytes free

244 --- E O F --- 2008-06-27 22:52:18

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:35 PM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jifh.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jeoy.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkeah.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.ro
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ro
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 6912 bytes

#6 Essexboy (GeekU Moderator)

Hi Gasol, your ComboFix copy is out of date, so it is not functioning properly, and it failed to do any of the required deletions.

Please delete your current copy and download a new version using the previous links

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Then redownload a fresh copy and run it.

#7 Gasol (Topic Starter)

All three links contain an out-of-date ComboFix. Can you tell me where I could find an OK one?

#8 Essexboy (GeekU Moderator)

OK, that is curious.

I will kill the driver another way and then look for remnants.

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
asc3360pr

Files to delete:
c:\windows\system32\drivers\gnhhmu.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

THEN

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert button (shown as an image in the original post) to insert the attachment into your post


#9 Gasol (Topic Starter)

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "asc3360pr" deleted successfully.

Error: file "c:\windows\system32\drivers\gnhhmu.sys" not found!
Deletion of file "c:\windows\system32\drivers\gnhhmu.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:20 AM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winisccaf.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsdvd.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\veca.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.ro
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ro
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 6989 bytes

Attached Files
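The two posts above are worth reading side by side: the ComboFix log in post #5 shows the Windows Firewall "AuthorizedApplications" list stuffed with executables in the user's Temp directory, and the HijackThis log in post #9, taken a few hours later, shows a fresh set of random Temp names (winisccaf.exe, winsdvd.exe, veca.exe) running in place of the old ones (jifh.exe, jeoy.exe, winkeah.exe). The script below is an added example, not a Geeks to Go tool and not code from either poster. It pulls those two facts out of log text automatically: it parses the firewall exception list as ComboFix prints it, parses the "Running processes" block of a HijackThis log, flags anything that runs out of a Temp directory, and diffs the Temp names between two logs so that respawning with new random names stands out. The sample log text is constructed from lines in this thread, the Temp-directory heuristic is an assumption about what a responder would look for, and the `path:scope:state:name` layout of an XP SP2 firewall exception value (the form in which OTScanit later prints these entries) is the only format knowledge the parser relies on.

```python
"""Triage of the ComboFix / HijackThis excerpts in this thread. Added example,
not a Geeks to Go tool; sample text is constructed from lines in posts #5 and #9."""
import re
from typing import Dict, List

# Heuristic (an assumption, not a rule from the thread): an executable that runs
# out of a user-writable Temp directory deserves a second look.  ComboFix prints
# the path 8.3-style (LOCALS~1\Temp); HijackThis may print either spelling.
TEMP_EXE_RE = re.compile(
    r'\\(local settings\\temp|locals~1\\temp|temp)\\[^\\]+\.exe$', re.IGNORECASE)

# Constructed sample: the firewall exception list as ComboFix prints it
# (REGEDIT4 escaping, one "path"= per line), trimmed to a few of the entries.
COMBOFIX_FIREWALL = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\jifh.exe"=
"c:\\DOCUME~1\\BOGDAN~1\\LOCALS~1\\Temp\\winmrtbe.exe"=

R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\gnhhmu.sys --> c:\windows\system32\drivers\gnhhmu.sys [?]
'''

# Constructed samples: the "Running processes:" blocks of the two HijackThis
# logs posted a few hours apart (posts #5 and #9), trimmed.
HJT_FIRST = r'''
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jifh.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jeoy.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkeah.exe
C:\WINDOWS\explorer.exe
'''
HJT_SECOND = r'''
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winisccaf.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsdvd.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\veca.exe
C:\WINDOWS\Explorer.EXE
'''


def firewall_exceptions(combofix_log: str) -> List[str]:
    """Paths under the firewall AuthorizedApplications key, with the REGEDIT4
    doubled backslashes collapsed back to single ones."""
    paths: List[str] = []
    in_section = False
    for raw in combofix_log.splitlines():
        line = raw.strip()
        if line.endswith('AuthorizedApplications\\List]'):
            in_section = True
            continue
        if in_section:
            if not line or line.startswith('['):
                break                      # blank line or next key ends the list
            m = re.match(r'^"(.+)"=', line)
            if m:
                paths.append(m.group(1).replace('\\\\', '\\'))
    return paths


def running_processes(hjt_log: str) -> List[str]:
    """The 'Running processes:' block of a HijackThis log (ends at a blank line)."""
    procs: List[str] = []
    in_block = False
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if line.lower() == 'running processes:':
            in_block = True
        elif in_block and line:
            procs.append(line)
        elif in_block:
            break
    return procs


def temp_executables(paths: List[str]) -> List[str]:
    """Keep only executables that run out of a Temp directory, order preserved."""
    return [p for p in paths if TEMP_EXE_RE.search(p)]


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def renamed_between(first: List[str], second: List[str]) -> Dict[str, List[str]]:
    """Compare the Temp-directory processes of two logs.  A set that is wholly
    replaced by fresh random names points at a dropper that respawns its
    payload, not at files the user happened to leave in Temp."""
    a = {basename(p) for p in temp_executables(first)}
    b = {basename(p) for p in temp_executables(second)}
    return {'gone': sorted(a - b), 'new': sorted(b - a), 'still_running': sorted(a & b)}


def parse_exception_value(value: str) -> Dict[str, str]:
    """Split a Windows XP SP2 firewall exception value, "path:scope:state:name".
    Split from the right: the path itself holds the drive-letter colon."""
    path, scope, state, name = value.rsplit(':', 3)
    return {'path': path, 'scope': scope, 'state': state, 'name': name}


if __name__ == '__main__':
    print(temp_executables(firewall_exceptions(COMBOFIX_FIREWALL)))
    print(renamed_between(running_processes(HJT_FIRST), running_processes(HJT_SECOND)))
```

Run against the samples, the first print lists the two Temp executables that were granted a firewall exception, and the second reports three names gone, three new and none still running, which is the respawn pattern the moderator's next fix targets by name. The `name` field from `parse_exception_value` is what the Firewall control panel displays for the exception; an innocuous-looking label such as "ipsec" on a Temp-directory executable is the kind of thing worth noting when triaging a log like this.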

#10 Essexboy (GeekU Moderator)

On completion of running this fix, could you let me know how things are running?

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YY -> veca.exe -> %UserProfile%\Local Settings\temp\veca.exe
YY -> winisccaf.exe -> %UserProfile%\Local Settings\temp\winisccaf.exe
YY -> winsdvd.exe -> %UserProfile%\Local Settings\temp\winsdvd.exe
[Driver Services - Safe List]
YY -> (asc3360pr) asc3360pr [Kernel | On_Demand | Running] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1957994488-2049760794-725345543-1003\] > -> 
YN -> HKEY_USERS\S-1-5-21-1957994488-2049760794-725345543-1003\: SearchURL\\"provider" -> gogl
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\ffsmg.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\ffsmg.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\ffsmg.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jeoy.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jeoy.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jeoy.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jifh.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jifh.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jifh.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nfjj.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nfjj.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nfjj.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nqopyp.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nqopyp.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nqopyp.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qafv.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qafv.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qafv.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\slkpec.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\slkpec.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\slkpec.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\sxawsx.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\sxawsx.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\sxawsx.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tecew.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tecew.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tecew.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tycwhe.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tycwhe.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tycwhe.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\uqgv.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\uqgv.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\uqgv.exe:*:Enabled:ipsec]
YY -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\veca.exe" -> C:\Documents and Settings\Bogdanian\Local Settings\temp\veca.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\veca.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winakhica.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winakhica.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winakhica.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\wincfgl.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\wincfgl.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\wincfgl.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winfxpdtn.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winfxpdtn.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winfxpdtn.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winhgwfsv.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winhgwfsv.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winhgwfsv.exe:*:Enabled:ipsec]
YY -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winisccaf.exe" -> C:\Documents and Settings\Bogdanian\Local Settings\temp\winisccaf.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winisccaf.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjbllji.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjbllji.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjbllji.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjqbety.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjqbety.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjqbety.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkeah.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkeah.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkeah.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkvgfpy.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkvgfpy.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkvgfpy.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkxeheu.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkxeheu.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkxeheu.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winlygxx.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winlygxx.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winlygxx.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winmrtbe.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winmrtbe.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winmrtbe.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winnbad.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winnbad.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winnbad.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winntly.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winntly.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winntly.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winohcg.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winohcg.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winohcg.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winoxeci.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winoxeci.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winoxeci.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winpthu.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winpthu.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winpthu.exe:*:Enabled:ipsec]
YY -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsdvd.exe" -> C:\Documents and Settings\Bogdanian\Local Settings\temp\winsdvd.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsdvd.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winuntfrn.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winuntfrn.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winuntfrn.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winvahlvv.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winvahlvv.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winvahlvv.exe:*:Enabled:ipsec]
YN -> "C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\xusl.exe" -> C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\xusl.exe [C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\xusl.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\system32\CF9495.exe" -> C:\WINDOWS\system32\CF9495.exe [C:\WINDOWS\system32\CF9495.exe:*:Enabled:ipsec]
[Files/Folders - Modified Within 30 Days]
NY -> veca.exe -> %UserProfile%\Local Settings\temp\veca.exe
NY -> winsdvd.exe -> %UserProfile%\Local Settings\temp\winsdvd.exe
NY -> winisccaf.exe -> %UserProfile%\Local Settings\temp\winisccaf.exe
[Custom Items]
:files
c:\windows\system32\drivers\gnhhmu.sys
:end
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

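As an added example (not code from the thread, from OTScanIt or from any tool named here), the triage rule this fix encodes, in Python: flag executables that run from a Temp folder and firewall exceptions that point at one. The sample process list and firewall values are constructed, in the same shapes as the logs in this thread.

```python
import re
from dataclasses import dataclass

# The fix above targets two things at once: executables launched from a user's
# Temp folder, and the firewall exceptions those executables registered for
# themselves under
#   HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
#   StandardProfile\AuthorizedApplications\List
# Those values have the shape  <path>:<scope>:<Enabled|Disabled>:<display name>.
# The long form and the 8.3 short form (LOCALS~1) of the Temp path both appear
# in HijackThis and OTScanIt output, so both are matched here.
TEMP_PATTERNS = [
    re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE),  # ...\<user>\Local Settings\Temp\
    re.compile(r"\\LOCALS~1\\Temp\\", re.IGNORECASE),        # C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\
    re.compile(r"\\WINDOWS\\Temp\\", re.IGNORECASE),         # C:\WINDOWS\Temp\
]

FIREWALL_VALUE = re.compile(
    r"^(?P<path>.+?\.exe):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    source: str  # "process" or "firewall"
    path: str
    reason: str


def is_temp_path(path: str) -> bool:
    """True when the path points into a Temp directory in either spelling."""
    return any(p.search(path) for p in TEMP_PATTERNS)


def flag_processes(lines):
    """Flag entries of a HijackThis 'Running processes' list that run from Temp."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.lower().endswith(".exe") and is_temp_path(line):
            findings.append(Finding("process", line, "running from a Temp directory"))
    return findings


def flag_firewall_exceptions(values):
    """Flag enabled AuthorizedApplications entries that point at a Temp executable.

    Disabled entries are skipped here because they grant nothing; a clean-up
    would still remove them (the fix above deletes every Temp entry regardless).
    """
    findings = []
    for raw in values:
        m = FIREWALL_VALUE.match(raw.strip())
        if not m:
            continue  # not in the expected <path>:<scope>:<state>:<name> shape
        path, state, name = m.group("path"), m.group("state"), m.group("name")
        if state.lower() == "enabled" and is_temp_path(path):
            findings.append(Finding("firewall", path,
                                    f"enabled firewall exception '{name}' for a Temp executable"))
    return findings


def triage(process_lines, firewall_values):
    """Combine both checks; the result is the list a helper would ask to have removed."""
    return flag_processes(process_lines) + flag_firewall_exceptions(firewall_values)


# Constructed sample input (not taken from the thread): normal system and
# application processes plus two Temp executables, and a firewall list with
# legitimate entries alongside Temp exceptions in enabled and disabled state.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Program Files\Java\jre6\bin\jusched.exe",
    r"C:\DOCUME~1\USER~1\LOCALS~1\Temp\abcd.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\winxyz.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
]
SAMPLE_FIREWALL = [
    r"C:\DOCUME~1\USER~1\LOCALS~1\Temp\abcd.exe:*:Enabled:ipsec",
    r"C:\WINDOWS\Temp\svc1234.exe:*:Enabled:ipsec",
    r"C:\DOCUME~1\USER~1\LOCALS~1\Temp\old.exe:*:Disabled:ipsec",
    r"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger",
    r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_FIREWALL):
        print(f"[{f.source}] {f.path}: {f.reason}")
```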

#11
Gasol (Topic Starter)

Process Explorer.EXE killed successfully!
[Processes - Safe List]
Process veca.exe killed successfully!
C:\Documents and Settings\Bogdanian\Local Settings\temp\veca.exe moved successfully.
Process winisccaf.exe killed successfully!
C:\Documents and Settings\Bogdanian\Local Settings\temp\winisccaf.exe moved successfully.
Process winsdvd.exe killed successfully!
C:\Documents and Settings\Bogdanian\Local Settings\temp\winsdvd.exe moved successfully.
[Driver Services - Safe List]
Unable to stop service asc3360pr!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3360pr deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_asc3360pr deleted successfully.
Unable to delete service asc3360pr!
File not found.
[Registry - Safe List]
Registry key HKEY_USERS\1-5-21-1957994488-2049760794-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\SearchURL not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\ffsmg.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jeoy.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\jifh.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nfjj.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\nqopyp.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\qafv.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\slkpec.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\sxawsx.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tecew.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\tycwhe.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\uqgv.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\veca.exe deleted successfully.
File C:\Documents and Settings\Bogdanian\Local Settings\temp\veca.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winakhica.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\wincfgl.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winfxpdtn.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winhgwfsv.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winisccaf.exe deleted successfully.
File C:\Documents and Settings\Bogdanian\Local Settings\temp\winisccaf.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjbllji.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winjqbety.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkeah.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkvgfpy.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winkxeheu.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winlygxx.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winmrtbe.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winnbad.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winntly.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winohcg.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winoxeci.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winpthu.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winsdvd.exe deleted successfully.
File C:\Documents and Settings\Bogdanian\Local Settings\temp\winsdvd.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winuntfrn.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winvahlvv.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\xusl.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\CF9495.exe deleted successfully.
[Files/Folders - Modified Within 30 Days]
File C:\Documents and Settings\Bogdanian\Local Settings\temp\veca.exe not found!
File C:\Documents and Settings\Bogdanian\Local Settings\temp\winsdvd.exe not found!
File C:\Documents and Settings\Bogdanian\Local Settings\temp\winisccaf.exe not found!
[Custom Items]
========== FILES ==========
File/Folder c:\windows\system32\drivers\gnhhmu.sys not found.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_e8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.7.1 fix logfile created on 01312009_015819

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_e8.dat not found!

Registry entries deleted on Reboot...




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:42 AM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.ro
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ro
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 6886 bytes

#12
Essexboy (GeekU Moderator)

That looks better, now let's try MBAM.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#13
Gasol (Topic Starter)

Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 2

1/31/2009 1:14:58 PM
mbam-log-2009-01-31 (13-14-58).txt

Scan type: Quick Scan
Objects scanned: 53953
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


PS: Please, can you give me a location where I can download a safe ATF Cleaner? I want to see if it works now!

#14
Essexboy (GeekU Moderator)

That looks OK now - subject to no further problems

Please download ATF Cleaner by Atribune.
This program is for XP, Vista and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so... Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#15
Gasol (Topic Starter)

I don't think I'm clean now :)
I downloaded the ATF Cleaner, ran it and... the mirror stayed only 0.5 seconds and then disappeared.
It is the same problem!

I made another HijackThis log and... again some... suspicious .exe appear, look:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:59 PM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\wingdwosc.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\winoiyr.exe
C:\DOCUME~1\BOGDAN~1\LOCALS~1\Temp\rpnj.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bogdanian\Desktop\staffeditor\staff editor\FMStaffMiniEditor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.ro
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.ro
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7294 bytes



* After the problem with ATF Cleaner, I skipped the steps with JavaRa, Restore Point and Clean Registry. Any suggestion? Hm... I remember I used an FTP transfer yesterday; is it possible the problem came from there?! Please help! It is frustrating because I don't know any other manifestation of this "malware"; just that some .exe files (especially for programs - you know, that ComboFix, this ATF, avast antivirus... maybe it is a virus for small files?) I'm very incoherent, I know....