Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

routing.exe, perfs.exe, various .dlls

Started by Mechana , Aug 08 2008 01:55 PM

  • Please log in to reply

#1
Mechana
Posted 08 August 2008 - 01:55 PM

Mechana

    Member

  • Member
  • PipPip
  • 46 posts
Hello,

Yesterday my computer began acting strangely. Various soundfiles, most of them offensive, began playing without any programs active that would potentially be making them. The system reset it's clock back to 2002 and began changing the style of all of the windows to Windows 2000 style. (Even know I have XP) I did a Running Programs check via Security Task Manager and found that routing.exe and perfs.exe were the primary cause.

I would post a HijackThis! log, but said malware began shutting the computer down as soon as I began to copy/paste the log to the post I previously attempted to post here. I had the computer disconnected from the internet for most of yesterday and today to prevent anything else from happening. I am currently on my laptop computer.

After doing a bit of research I found that it's supposedly a virus that makes a remote server constantly monitor your computer's actions. One source said that it's a very dangerous virus, and that the only way to make sure that it's entirely removed is to reformat the drive and reinstall Windows.

I'm not entirely sure what to do. Avast!, SuperAntispyware, Deckard's System Scanner, and all of the other recommended programs found nothing. I'm too afraid to boot the computer again, as it seems to have corrupted the startup files.

Should I take the computer to a professional to have my files saved and the system reformatted, or is there a way other than that that would make sure my files are safe and the malware is gone for good?

Thanks in advance,
Mech
  • 0

Advertisements

#2
kahdah
Posted 08 August 2008 - 06:23 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Mechana

Welcome to G2Go. :)
=====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please upload the contents of main.txt and extra.txt in your next reply.

In your next reply click on the Browse button and then go to the logs that you saved they will be in here > C:\Deckard\System scanner\main.txt and extra.txt.
Then click on Upload.
Then click the dropdown that says Manage current attachments.
Then insert image into text editor.
  • 0

#3
Mechana
Posted 08 August 2008 - 07:01 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I would run DSS, but the fact is that my computer shuts down before I can do anything. I ran DSS in safemode this morning and it found nothing.


I'm afraid that I may have to have a professional save my files and have my computer reformatted. By the look of it, both of them have installed tons of rootkits, trojans, keyloggers, and various other malware.
  • 0

#4
kahdah
Posted 08 August 2008 - 07:04 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
How do you know if it found nothing do you know what you are looking for?
Rootkits are hidden preocesses and aren't always shown.
If you would like help here then go ahead and run dss in safe mode if you do not then we will not continue.

Let me know what you want to do.
  • 0

#5
Mechana
Posted 08 August 2008 - 07:12 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I am very sorry if that post sounded aggressive at all. I'm trying my best to comply with what is needed. I will run Deckard, but I am not sure how I am supposed to get the logs onto here. My internet connection doesn't work in safemode, and it appears to be that the viruses are also running in it aswell. Is there any particular way I should go about it?
  • 0

#6
kahdah
Posted 08 August 2008 - 07:14 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Boot into safe mode with networking and then you will have internet.
PLease upload the files you can see how by following my previous instructions in the post before this one.

Let me know if that works.
  • 0

#7
Mechana
Posted 08 August 2008 - 07:32 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Deckard's System Scanner v20071014.68
Run by Parent on 2008-08-08 18:53:34
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Parent.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:35 PM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Parent\My Documents\larryhadalittlelamb\Deckard System Scanner (temp).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Parent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Update Helper - {25D596E9-BD03-4D4A-8310-5DF3B31E8D26} - C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.k12.com
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvi...iveXClient1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - http://ea-land.ea.co...stall/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1179847293578
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c8e20299b95e4) (gupdate1c8e20299b95e4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe

--
End of file - 10277 bytes

-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 18:52:28 0 d-------- C:\Program Files\Trend Micro
2008-08-08 18:40:17 0 d-------- C:\WINDOWS\CSC
2008-08-08 12:59:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-08-08 12:58:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-08 10:38:56 0 d-------- C:\Program Files\Alwil Software
2008-08-07 21:35:52 34292 --a------ C:\WINDOWS\system32\sss.exe
2008-08-07 21:35:41 11264 --a------ C:\WINDOWS\system32\mmchost.dll
2008-08-07 21:35:37 7884 --a------ C:\WINDOWS\system32\maomaochong.exe
2008-08-07 19:06:09 0 --a------ C:\WINDOWS\system32\39866AC4
2008-07-24 17:07:27 0 d-------- C:\Program Files\Phun
2008-07-20 23:17:45 0 d------c- C:\AudioConverter
2008-07-20 23:16:51 0 d-------- C:\Program Files\easetech
2008-07-20 20:07:10 0 d------c- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-20 20:07:01 0 d-------- C:\Program Files\Security Task Manager
2008-07-19 14:59:28 0 d-------- C:\Program Files\Pyra Productions
2008-07-19 14:07:45 0 d-------- C:\Program Files\Easy Icon Maker
2008-07-18 16:34:44 0 d-------- C:\Program Files\Pivot Stickfigure Animator
2008-07-16 15:16:48 0 d-------- C:\Program Files\QuickTime
2008-07-16 15:13:55 0 d-------- C:\Program Files\Apple Software Update
2008-07-16 15:13:54 0 d------c- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-08-08 12:55:40 0 d-------- C:\Documents and Settings\Parent\Application Data\DNA
2008-08-08 12:49:42 0 d-------- C:\Program Files\Steam
2008-08-07 19:06:09 3 --a------ C:\WINDOWS\system32\fhpatch.dll
2008-08-07 19:06:04 15360 --ah----- C:\WINDOWS\system32\dbi102.dll
2008-08-07 19:06:03 117615 --a------ C:\WINDOWS\system32\new2.exe
2008-08-06 08:35:38 0 d-------- C:\Program Files\McAfee
2008-08-01 17:23:19 0 d-------- C:\Program Files\Google
2008-07-26 11:03:36 4 --a------ C:\WINDOWS\system32\riphy.dll
2008-07-26 11:03:36 4 --a------ C:\WINDOWS\system32\iphy.dll
2008-07-19 16:56:20 102400 --a------ C:\WINDOWS\system32\IPHOST.dll
2008-07-19 15:56:20 102400 --a------ C:\WINDOWS\system32\_reproxy.dll
2008-07-19 15:56:20 102400 --a------ C:\WINDOWS\system32\_proxy.dll
2008-07-07 23:36:17 103424 --a------ C:\WINDOWS\system32\nUI_nat.dll <Not Verified;  ; nUI>
2008-07-06 11:37:21 0 d-------- C:\Program Files\Rocks'n'Diamonds
2008-07-05 18:34:12 0 d-------- C:\Documents and Settings\Parent\Application Data\Teeworlds
2008-07-05 14:12:09 0 d-------- C:\Program Files\Image-Line
2008-07-05 14:11:26 0 d-------- C:\Program Files\VstPlugins
2008-07-05 14:09:34 0 d-------- C:\Program Files\ASIO4ALL v2
2008-07-05 14:07:10 0 d-------- C:\Program Files\Outsim
2008-07-03 18:33:11 0 d-------- C:\Documents and Settings\Parent\Application Data\NBOS
2008-07-03 18:33:09 0 d-------- C:\Program Files\nbos
2008-07-03 17:31:19 0 d-------- C:\Documents and Settings\Parent\Application Data\.crossfire
2008-07-03 17:30:30 0 d-------- C:\Program Files\Crossfire GTK Client
2008-07-03 17:28:50 0 d-------- C:\Program Files\Common Files
2008-07-03 17:28:50 0 d-------- C:\Program Files\Common Files\GTK
2008-07-03 15:47:11 0 d-------- C:\Documents and Settings\Parent\Application Data\uk.co.planetside
2008-07-03 15:44:05 0 d-------- C:\Program Files\Terragen
2008-06-29 21:19:34 0 d-------- C:\Program Files\LEGO Company
2008-06-26 17:32:44 0 d-------- C:\Documents and Settings\Parent\Application Data\SPORE Creature Creator
2008-06-26 15:15:17 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-26 14:57:38 0 d-------- C:\Program Files\Clonk Endeavour
2008-06-26 14:56:00 0 d-------- C:\Documents and Settings\Parent\Application Data\Clonk
2008-06-21 23:31:55 0 d-------- C:\Program Files\KoolMoves Demo
2008-06-21 20:11:49 0 d-------- C:\Program Files\ProcedurallyGeneratedGames
2008-06-20 17:33:53 0 d-------- C:\Documents and Settings\Parent\Application Data\Malwarebytes
2008-06-20 17:33:49 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-18 22:04:43 0 dr-h----- C:\Documents and Settings\Parent\Application Data\SecuROM
2008-06-18 22:02:47 0 d-------- C:\Program Files\Electronic Arts
2008-06-18 22:02:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-18 21:32:38 1504 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-18 17:13:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-18 17:13:17 0 d-------- C:\Documents and Settings\Parent\Application Data\Mozilla
2008-06-18 16:21:17 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-16 18:44:48 0 d-------- C:\Documents and Settings\Parent\Application Data\IEPro
2008-06-16 18:05:18 0 dr------- C:\Documents and Settings\Parent\Application Data\SpaceTime 3D
2008-06-12 23:08:04 0 d-------- C:\Program Files\Audacity
2008-06-12 11:09:52 0 d-------- C:\Program Files\PyraProductions
2008-06-12 10:43:28 0 d-------- C:\Program Files\Install Creator
2008-06-10 14:32:16 0 d-------- C:\Program Files\Framsticks
2008-06-06 19:52:04 54864 --a------ C:\WINDOWS\War3Unin.dat
2008-06-06 19:51:30 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-06 19:51:30 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-06-04 10:50:45 185344 --a------ C:\WINDOWS\patchw32.dll
2008-06-02 15:27:47 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-06-02 15:27:47 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-05-28 22:19:00 174 --a------ C:\WINDOWS\Palace.reg
2008-05-27 23:14:29 1024 --a------ C:\Documents and Settings\Parent\Application Data\WavCodec.wff


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25D596E9-BD03-4D4A-8310-5DF3B31E8D26}]
07/31/2008 04:58 PM 184816 --a----t- C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [12/31/2002 08:00 AM C:\WINDOWS\RTHDCPL.EXE]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [01/22/2008 11:09 PM]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [01/22/2008 11:09 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/25/2008 09:57 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/2008 10:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [10/30/2006 11:01 AM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/08/2008 08:17 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM]
"Steam"="c:\program files\steam\steam.exe" [04/19/2008 07:12 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/31/2002 08:00 AM]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [06/13/2008 06:27 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E60A0B68-2F3C-A1D2-A901-9381E036D21A}"= C:\WINDOWS\system32\Karna2Drv.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10a77790-f28e-11db-b04b-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cba5d2d-f4cd-11db-b3ec-806d6172696f}]
AutoRun\command- D:\ltree\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e63f5ad-087b-11dc-9ac1-806d6172696f}]
AutoRun\command- D:\ltree\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9323aad-f3fe-11db-b907-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec46b1ad-19d1-11dc-ad3e-806d6172696f}]
AutoRun\command- D:\ltree\autorun\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-08-08 18:54:00 ------------

Here you go.

Edited by Mechana, 08 August 2008 - 07:33 PM.

  • 0

#8
kahdah
Posted 08 August 2008 - 07:44 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok that was all I needed to see.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
======================
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  • 0

#9
Mechana
Posted 08 August 2008 - 07:49 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
The malware changed my settings, preventing any files from being downloaded. Thankfully, I have another computer(Which I am posting from right now) which has the ability to write Combofix to a CD. (The same way I ran HijackThis and other programs)

I will be posting the results soon..
  • 0

#10
Mechana
Posted 08 August 2008 - 08:09 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I am sorry for posting so much, but the fact is that after Combofix rebooted my computer, it began popping up various "svchost.exe" Application errors referencing a memory reference error at "0x000000000". I am currently posting from my laptop..


This keeps popping up even if I close it. Combofix is stalling repeatedly because of this. I am not sure how to continue, is there anything you could recommend?
  • 0

Advertisements

#11
Mechana
Posted 08 August 2008 - 08:23 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
ComboFix 08-08-08.07 - Parent 2008-08-08 19:15:09.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -4:00]
Running from: C:\Documents and Settings\Parent\My Documents\larryhadalittlelamb\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Parent\Application Data\macromedia\Flash Player\#SharedObjects\AFBFUEMB\interclick.com
C:\Documents and Settings\Parent\Application Data\macromedia\Flash Player\#SharedObjects\AFBFUEMB\interclick.com\ud.sol
C:\Documents and Settings\Parent\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Parent\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\_proxy.dll
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\disk.dll
C:\WINDOWS\system32\fhpatch.dll
C:\WINDOWS\system32\IPHOST.dll
C:\WINDOWS\system32\iphy.dll
C:\WINDOWS\system32\IpSvchostF.dll
C:\WINDOWS\system32\maomaochong.exe
C:\WINDOWS\system32\mmchost.dll
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\riphy.dll
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\tmp0_576143751796.bk
C:\WINDOWS\system32\tmp1_70517412096.bk
C:\WINDOWS\system32\WServing.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_ROUTING
-------\Legacy_SEICTRL
-------\Legacy_WSERVING
-------\Service_afinding
-------\Service_routing
-------\Service_seictrl
-------\Service_wserving
-------\Legacy_nobicyt
-------\Service_nobicyt


((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-08 18:52 . 2008-08-08 18:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 10:39 . 2003-03-18 17:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-08-08 10:38 . 2008-08-08 10:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-08 10:22 . 2008-08-08 10:22 <DIR> d----c--- C:\Deckard
2008-08-07 21:35 . 2008-08-07 19:06 4,598,536 --a------ C:\WINDOWS\system32\syspilog.pil
2008-08-07 21:35 . 2008-08-07 19:06 34,292 --a------ C:\WINDOWS\system32\sss.exe
2008-08-07 19:06 . 2008-08-07 19:06 0 --a------ C:\WINDOWS\system32\39866AC4
2008-07-28 18:08 . 2008-07-28 18:08 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-24 17:07 . 2008-07-24 19:09 <DIR> d-------- C:\Program Files\Phun
2008-07-20 23:22 . 2008-07-20 23:22 398 --a------ C:\WINDOWS\AudioConverter.INI
2008-07-20 23:17 . 2008-07-20 23:22 <DIR> d----c--- C:\AudioConverter
2008-07-20 23:16 . 2008-07-20 23:16 <DIR> d-------- C:\Program Files\easetech
2008-07-20 20:07 . 2008-08-07 20:24 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-20 20:07 . 2008-08-08 12:50 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-19 14:59 . 2008-07-19 14:59 <DIR> d-------- C:\Program Files\Pyra Productions
2008-07-19 14:07 . 2008-07-19 14:10 <DIR> d-------- C:\Program Files\Easy Icon Maker
2008-07-18 17:22 . 2008-07-18 17:22 238 --a------ C:\WINDOWS\Downfall.INI
2008-07-18 16:34 . 2008-07-18 16:34 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2008-07-16 15:16 . 2008-07-16 15:18 <DIR> d-------- C:\Program Files\QuickTime
2008-07-16 15:13 . 2008-07-16 15:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-16 15:13 . 2008-07-16 15:13 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 16:55 --------- d-----w C:\Documents and Settings\Parent\Application Data\DNA
2008-08-08 16:49 --------- d-----w C:\Program Files\Steam
2008-08-07 00:36 24 ----a-w C:\Documents and Settings\Parent\jagex_runescape_preferences.dat
2008-08-06 12:35 --------- d-----w C:\Program Files\McAfee
2008-08-01 21:23 --------- d-----w C:\Program Files\Google
2008-07-16 19:16 --------- dc----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-06 15:37 --------- d-----w C:\Program Files\Rocks'n'Diamonds
2008-07-05 22:34 --------- d-----w C:\Documents and Settings\Parent\Application Data\Teeworlds
2008-07-05 18:12 --------- d-----w C:\Program Files\Image-Line
2008-07-05 18:11 --------- d-----w C:\Program Files\VstPlugins
2008-07-05 18:09 --------- d-----w C:\Program Files\ASIO4ALL v2
2008-07-05 18:07 --------- d-----w C:\Program Files\Outsim
2008-07-04 18:13 --------- dc----w C:\Documents and Settings\All Users\Application Data\NexonUS
2008-07-03 22:33 --------- d-----w C:\Program Files\nbos
2008-07-03 22:33 --------- d-----w C:\Documents and Settings\Parent\Application Data\NBOS
2008-07-03 21:31 --------- d-----w C:\Documents and Settings\Parent\Application Data\.crossfire
2008-07-03 21:30 --------- d-----w C:\Program Files\Crossfire GTK Client
2008-07-03 21:28 --------- d-----w C:\Program Files\Common Files\GTK
2008-07-03 19:47 --------- d-----w C:\Documents and Settings\Parent\Application Data\uk.co.planetside
2008-07-03 19:44 --------- d-----w C:\Program Files\Terragen
2008-06-30 01:19 --------- d-----w C:\Program Files\LEGO Company
2008-06-26 21:32 --------- d-----w C:\Documents and Settings\Parent\Application Data\SPORE Creature Creator
2008-06-26 19:15 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-26 18:57 --------- d-----w C:\Program Files\Clonk Endeavour
2008-06-26 18:56 --------- d-----w C:\Documents and Settings\Parent\Application Data\Clonk
2008-06-22 03:31 --------- d-----w C:\Program Files\KoolMoves Demo
2008-06-22 00:11 --------- d-----w C:\Program Files\ProcedurallyGeneratedGames
2008-06-20 21:33 --------- dc----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-20 21:33 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-20 21:33 --------- d-----w C:\Documents and Settings\Parent\Application Data\Malwarebytes
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 21:48 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 21:47 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-19 02:04 --------- d--h--r C:\Documents and Settings\Parent\Application Data\SecuROM
2008-06-19 02:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-19 02:02 --------- d-----w C:\Program Files\Electronic Arts
2008-06-16 22:44 --------- d-----w C:\Documents and Settings\Parent\Application Data\IEPro
2008-06-16 22:05 --------- d-----r C:\Documents and Settings\Parent\Application Data\SpaceTime 3D
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 03:08 --------- d-----w C:\Program Files\Audacity
2008-06-12 15:09 --------- d-----w C:\Program Files\PyraProductions
2008-06-12 14:43 --------- d-----w C:\Program Files\Install Creator
2008-06-10 18:32 --------- d-----w C:\Program Files\Framsticks
2008-06-06 23:51 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-06-06 23:51 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-06-04 14:50 185,344 ----a-w C:\WINDOWS\patchw32.dll
2008-05-29 02:05 5,607 ----a-w C:\WINDOWS\~GLH0000.TMP
2008-05-29 02:05 155,136 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-08-12 01:04 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2000-02-02 00:01 40,960 --sh--r C:\WINDOWS\system32\KarnaDrv.dll
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25D596E9-BD03-4D4A-8310-5DF3B31E8D26}]
2008-07-31 16:58 184816 --a----t- C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01 392832]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 08:17 289088]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
"Steam"="c:\program files\steam\steam.exe" [2008-04-19 19:12 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 08:00 15360]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-06-13 18:27 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 23:09 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 23:09 87360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 09:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 10:38 78008]
"RTHDCPL"="RTHDCPL.EXE" [2002-12-31 08:00 16049664 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"C:\\Program Files\\Java\\jre1.5.0_12\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\BYOND\\bin\\byond.exe"=
"C:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SecondLife\\SecondLife.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Documents and Settings\\Parent\\My Documents\\BurningSand2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"C:\\Nexon\\Combat Arms\\NMService.exe"=

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
S2 EngineServer;EngineServer;C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 12:30]
S2 gupdate1c8e20299b95e4;Google Update Service (gupdate1c8e20299b95e4);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-09 16:25]
S2 macidwe;macidwe Service;C:\WINDOWS\system32\macidwe.exe [2002-12-31 08:00]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-22 23:09]
S2 perfs;perfs Service;C:\WINDOWS\system32\perfs.exe [2002-12-31 08:00]
S2 sobicyt;sobicyt Service;C:\WINDOWS\system32\sobicyt.exe [2002-12-31 08:00]
S2 tdxdowkc;tdxdowkc Service;C:\WINDOWS\system32\tdxdowkc.exe [2002-12-31 08:00]
S3 GameConsoleService;GameConsoleService;C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe [2007-08-28 19:06]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-02-14 21:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10a77790-f28e-11db-b04b-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cba5d2d-f4cd-11db-b3ec-806d6172696f}]
\Shell\AutoRun\command - D:\ltree\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e63f5ad-087b-11dc-9ac1-806d6172696f}]
\Shell\AutoRun\command - D:\ltree\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9323aad-f3fe-11db-b907-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec46b1ad-19d1-11dc-ad3e-806d6172696f}]
\Shell\AutoRun\command - D:\ltree\autorun\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-08 C:\WINDOWS\Tasks\GoogleUpdateTask.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-09 16:25]

2007-12-07 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-01-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-08 C:\WINDOWS\Tasks\User_Feed_Synchronization-{39641254-8A6A-478E-82B4-A0803A7A90E2}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{E60A0B68-2F3C-A1D2-A901-9381E036D21A} - C:\WINDOWS\system32\Karna2Drv.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Parent\Application Data\Mozilla\Firefox\Profiles\kq4wounh.default\
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\BYOND\bin\npbyond.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Google\Lively\nplively.dll
FF -: plugin - C:\Program Files\Google\Update\1.2.121.17\npGoogleOneClick.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbyond.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 19:26:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2008-08-08 19:40:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 23:39:57

Pre-Run: 34,539,421,696 bytes free
Post-Run: 34,457,366,528 bytes free

260 --- E O F --- 2008-07-18 15:25:45
Combofix's file. Going to post Hijackthis' in a second.
  • 0

#12
Mechana
Posted 08 August 2008 - 08:24 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:25 PM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Update Helper - {25D596E9-BD03-4D4A-8310-5DF3B31E8D26} - C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.k12.com
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvi...iveXClient1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - http://ea-land.ea.co...stall/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1179847293578
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c8e20299b95e4) (gupdate1c8e20299b95e4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe

--
End of file - 10364 bytes
The Hijackthis logfile.
  • 0

#13
kahdah
Posted 08 August 2008 - 09:01 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are running 2 antivirus programs McAFee and Avast.
See if you are able to uninstall one of those before proceeding.
Running 2 of these at once can cause unwanted system lockup's and conflicts that can fight against your system resulting in poor performance and less protection.
I recommend removing McAfee.

Try to do so from normal mode if you cannot then do it in Safe Mode.
====================
Then Boot into normal mode to do the following.
If your system tries to shut itself down do the following.
Go to Start>Run type in this shutdown -a then hit ok this will prevent it from shutting down.
Do this as many times as neccessary.

Then

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files chose no, when done a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.
  • 0

#14
Mechana
Posted 08 August 2008 - 09:08 PM

Mechana

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I will follow the steps you have described tomorrow. At the moment it is too late for me, so I'll need to go to sleep now.

Thank you so much for what you have done so far. The computer that is currently infected is very important to me.
  • 0

#15
kahdah
Posted 08 August 2008 - 09:11 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok we will continue tomorrow
You are welcome.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP