halfHAVOC
join: 2002-05-30, New Jersey
edit: April 15th, @06:52AM
Re: [HJT Log] Slowdown + Can't go on websites
OK, weird. I have like 3 ComboFix logs from before, so I don't know where the latest one from yesterday is.... I'm pretty sure it saved? But I'll post this, I guess, unless it posted the date wrong, idk.
ComboFix: idk, it might be from before I posted, cuz I can't find the latest one. Where is it located?

ComboFix 08-04-12.7 - Administrator 2008-04-13 17:33:53.7 - NTFSx86
Running from: C:\Documents and Settings\Administrator\desktop\cf.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\My Documents\MANTEC~1
C:\Documents and Settings\Administrator\My Documents\MANTEC~1\??mantec\
C:\Documents and Settings\Administrator\My Documents\MANTEC~1\msiexec.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mantec~1\??xplore.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\awucbnde.dll
C:\WINDOWS\system32\bqgpbbrf.ini
C:\WINDOWS\system32\eobxrmdf.dll
C:\WINDOWS\system32\frbbpgqb.dll
C:\WINDOWS\system32\geBtSIBs.dll
C:\WINDOWS\system32\gynokvko.dll
C:\WINDOWS\system32\hglshnkk.dll
C:\WINDOWS\system32\hkuvonkf.dll
C:\WINDOWS\system32\ibflwwyk.dll
C:\WINDOWS\system32\ieqstsip.dll
C:\WINDOWS\system32\iifefEUl.dll
C:\WINDOWS\system32\kywwlfbi.ini
C:\WINDOWS\system32\llogagvo.ini
C:\WINDOWS\system32\lsqxslns.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\ovgagoll.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqRIaaXr.dll
C:\WINDOWS\system32\wjhpojwc.dll
C:\WINDOWS\system32\wli.dll
C:\WINDOWS\system32\wuenfygh.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.
2008-04-13 17:28 . 2008-04-13 17:28 3,648 --a------ C:\WINDOWS\system32\vrcvjnpm.dll
2008-04-13 17:26 . 2008-04-13 17:26 3,648 --a------ C:\WINDOWS\system32\giupqxhj.dll
2008-04-13 13:37 . 2008-04-13 13:37 3,648 --a------ C:\WINDOWS\system32\jmtmlbgv.dll
2008-04-13 13:23 . 2008-04-13 13:23 d--hs---- C:\WINDOWS\U2FtaXIgQWhtYWQ
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\pinz1
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\iFi
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\IDE2
2008-04-13 13:23 . 2008-04-13 17:15 d-------- C:\WINDOWS\system32\ExTmp
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\bharebio01
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\WINDOWS\system32\axV
2008-04-13 13:23 . 2008-04-13 13:23 d-------- C:\Temp\wdlw14
2008-04-13 13:23 . 2008-04-13 13:23 63,839 --a------ C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe
2008-04-13 13:23 . 2008-04-13 13:23 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-13 10:48 . 2008-04-13 10:48 d-------- C:\Program Files\Lavasoft
2008-04-13 10:29 . 2008-04-13 10:29 3,648 --a------ C:\WINDOWS\system32\orxvmfos.dll
2008-04-13 09:55 . 2008-04-13 09:55 3,648 --a------ C:\WINDOWS\system32\ttcbnthi.dll
2008-04-13 00:15 . 2008-04-13 00:15 3,648 --a------ C:\WINDOWS\system32\rlllduoj.dll
2008-04-11 20:26 . 2008-04-13 12:04 101,110 --a------ C:\WINDOWS\BMd7bd0422.xml
2008-04-11 20:26 . 2008-04-11 20:26 3,648 --a------ C:\WINDOWS\system32\wxoghvke.dll
2008-04-11 19:45 . 2008-04-11 19:45 3,648 --a------ C:\WINDOWS\system32\dvfskqyd.dll
2008-04-10 18:53 . 2008-03-29 13:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-10 18:53 . 2008-03-29 13:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-10 11:13 . 2008-04-10 11:13 3,648 --a------ C:\WINDOWS\system32\cmeujpiy.dll
2008-04-09 11:18 . 2008-04-09 16:13 878 --ahs---- C:\WINDOWS\system32\cbqoqefk.ini
2008-04-09 11:12 . 2008-04-09 11:12 3,648 --a------ C:\WINDOWS\system32\oqbmuvua.dll
2008-04-08 11:08 . 2008-04-08 11:08 3,648 --a------ C:\WINDOWS\system32\lafonvhy.dll
2008-04-05 14:56 . 2008-04-05 14:56 d-------- C:\Program Files\ATI Technologies
2008-04-04 14:55 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-04 07:35 . 2008-04-04 07:35 329,728 --a------ C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
2008-04-01 14:26 . 2008-04-01 14:27 1,597,294 --ahs---- C:\WINDOWS\system32\cpukaqck.ini
2008-03-31 09:04 . 2008-03-31 22:30 1,597,234 --ahs---- C:\WINDOWS\system32\hgwbxirw.ini
2008-03-30 09:01 . 2008-03-30 09:21 1,583,982 --ahs---- C:\WINDOWS\system32\vjvkpctk.ini
2008-03-29 13:21 . 2008-03-30 08:58 1,583,757 --ahs---- C:\WINDOWS\system32\hhuoiwga.ini
2008-03-28 13:25 . 2008-03-28 13:25 1,583,959 --ahs---- C:\WINDOWS\system32\uggjpiei.ini
2008-03-28 12:10 . 2008-03-28 12:51 1,584,259 --ahs---- C:\WINDOWS\system32\qcbvelel.ini
2008-03-27 12:07 . 2008-03-28 12:07 1,584,079 --ahs---- C:\WINDOWS\system32\egjaiwsd.ini
2008-03-16 10:27 . 2008-03-16 10:27 315,472 --a------ C:\WINDOWS\system32\geeba.dll
2008-03-16 00:23 . 2008-03-16 00:23 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-15 18:56 . 2008-03-15 18:57 1,366,923 --ahs---- C:\WINDOWS\system32\hcvncvih.ini
2008-03-14 23:34 . 2008-03-14 23:34 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-14 18:57 . 2008-03-14 18:57 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-14 18:55 . 2008-03-15 18:55 1,366,863 --ahs---- C:\WINDOWS\system32\quiswxto.ini
2008-03-14 18:44 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-03-13 18:30 . 2008-03-29 13:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-13 18:30 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-13 18:30 . 2008-03-29 13:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-13 18:30 . 2008-03-29 13:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-13 18:30 . 2008-01-17 11:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-13 18:30 . 2008-03-29 13:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-13 18:30 . 2008-03-29 13:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-13 18:30 . 2008-03-29 13:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-13 18:29 . 2008-03-13 18:29 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:51 1,201,184 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-13 22:44 699,044 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-13 22:44 56,039,456 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 22:44 113,636 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-13 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-13 15:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 19:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 19:55 --------- d-----w C:\Program Files\Java
2008-03-13 23:29 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-13 23:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-13 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-02 18:16 --------- d-----w C:\Program Files\The KMPlayer
2008-02-27 03:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-02-25 23:32 --------- d-----w C:\Program Files\ffdshow
2008-02-25 03:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-02-25 03:03 --------- d-----w C:\Program Files\SopCast
2008-02-25 02:54 --------- d-----w C:\Program Files\NBA Live Player
2008-02-24 22:15 --------- d-----w C:\Program Files\Winamp
2008-02-14 18:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-15 21:52 140,800 --sha-w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2007-08-11 02:24 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-08-11 02:24 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-08-11 02:24 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-08-11 02:24 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-08-11 02:24 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-08-11 02:24 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-08-11 02:24 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-08-11 02:24 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-08-11 02:24 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2007-07-24 14:21 6,471 --sha-w C:\WINDOWS\system32\kjjlm.bak1
2007-07-24 14:36 1,807,725 --sha-w C:\WINDOWS\system32\kjjlm.bak2
2007-07-24 21:37 1,846,866 --sha-w C:\WINDOWS\system32\kjjlm.ini2
2005-07-29 21:24 472 --sha-r C:\WINDOWS\U2FtaXIgQWhtYWQ\oZIQurK0kq1Qsqk.vbs
.
((((((((((((((((((((((((((((( snapshot_2008-04-13_ 9.46.01.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 14:39:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-13 22:51:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-13 15:49:43 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-04-13 15:49:43 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-04-13 15:49:43 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-04-13 15:49:43 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-04-13 18:23:33 63,839 ----a-w C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe
+ 2008-04-04 12:35:02 329,728 ----a-w C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
+ 2008-04-09 15:35:36 8,278 ----a-w C:\WINDOWS\system32\axV\retmwav3.exe
+ 2008-04-02 12:32:16 32,768 ----a-w C:\WINDOWS\system32\bharebio01\bharebio011065.exe
+ 2007-07-11 19:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 18:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 18:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-04-04 21:31:58 126,976 ----a-w C:\WINDOWS\system32\IDE2\mdllcom2.exe
+ 2008-04-11 22:34:16 400,987 ----a-w C:\WINDOWS\system32\iFi\prodll384.exe
+ 2007-12-14 17:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2008-02-14 14:42:16 49,152 ----a-w C:\WINDOWS\system32\pinz1\cegmgr76.exe
+ 2008-04-13 22:51:26 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_674.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E3BE2B4-9688-443D-BACD-DD267AA674AE}] 2008-03-16 10:27 315472 --a------ C:\WINDOWS\system32\geeba.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27BED0D7-0938-4700-9060-A436B69EB7BC}] C:\Program Files\Common Files\horev4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C3831AF-F271-4DB6-BB2C-DCD46F9BF462}] C:\Program Files\MSN\comeqoc89104.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A67DA44A-58A5-4161-B77D-848247B6748C}] C:\Program Files\Common Files\horev7.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9457564-1FAB-4C4C-818D-417BA5F56D9C}] C:\WINDOWS\system32\jkkli.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDBA5775-1351-4F21-881E-A4ADC9BEAB75}] C:\Program Files\Common Files\horev83122.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed76bfd-a0ff-938f-507d-216c8ab86a74}] 2008-04-04 07:35 329728 --a------ C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 07:00 15360]
"Rusc"="C:\DOCUME~1\ADMINI~1\MYDOCU~1\MANTEC~1\msiexec.exe" [ ]
"Gzchx"="C:\Program Files\Common Files\??mantec\??xplore.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-07-07 05:09 954368]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 08:33 892928]
"dmxvp.exe"="C:\WINDOWS\system32\dmxvp.exe" [ ]
"dmotx.exe"="C:\WINDOWS\system32\dmotx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"{E3-37-71-11-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-13 17:52 49173]
"spa_start"="C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" [2008-04-04 07:35 329728]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\scntokdn.exe" [2008-04-13 17:53 196674]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\scntokdn.exe [2008-04-13 17:53:11 196674]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-13 17:52:58 49173]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcccaa] efcccaa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefEUl] iifefEUl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnklmk] opnklmk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrstqn] rqrstqn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrrpo] ssqrrpo.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geeba.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bffeeuso] C:\Program Files\?ymantec\j?vaw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager] C:\WINDOWS\system32\qjjofwjh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbvmnemA] C:\WINDOWS\pbvmnemA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] -ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop] C:\Program Files\WinPop\winpop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
"zBrowser Launcher"=C:\Program Files\Logitech\iTouch\iTouch.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"nwiz"=nwiz.exe /install
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2002-12-31 07:00]
S2 ATIBTCAP;ATI TV Wonder Video Capture;C:\WINDOWS\system32\drivers\atibtcap.sys [2002-11-05 00:00]
S2 ATIBTXBAR;ATI TV Wonder Video Crossbar;C:\WINDOWS\system32\drivers\atibtxbr.sys [2002-11-05 00:00]
S2 ATIVTUTW;ATI TV Wonder TV Tuner;C:\WINDOWS\system32\drivers\ativtutw.sys [2002-11-05 00:00]
S2 ATIVXSTW;ATI TV Wonder Audio Crossbar;C:\WINDOWS\system32\drivers\ativxstw.sys [2002-11-05 00:00]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\WINDOWS\system32\UnlockerDriver4.sys [2005-04-24 04:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-10 03:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2008-04-13 17:51:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\scntokdn.exe 196674 bytes executable
C:\WINDOWS\system32\winpfz33.sys 936 bytes
C:\WINDOWS\system32\msnav32.ax 148 bytes
C:\WINDOWS\system32\rwwnw64d.exe 49173 bytes executable
C:\WINDOWS\system32\g46.exe 400547 bytes executable
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 6
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\scntokdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-13 17:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 22:58:03
ComboFix2.txt 2008-04-13 15:21:30
ComboFix3.txt 2008-04-13 14:46:44
ComboFix4.txt 2008-04-12 03:35:17
ComboFix5.txt 2008-04-12 01:08:10
Pre-Run: 49,116,758,016 bytes free
Post-Run: 49,101,164,544 bytes free
--------------------- HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:06 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll" DllInit
O4 - HKLM\..\Run: [BMd7bd0422] Rundll32.exe "C:\WINDOWS\system32\mtyicqmn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5356 bytes

------------------- SDFix
SDFix: Version 1.170 Run by Administrator on Sun 04/13/2008 at 11:02 PM
Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service
Rebooting
Checking Files :
Trojan Files Found:
C:\PROGRA~1\COMPLU~1\LADUPAJ - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\system32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2008-04-13 23:11:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 31 Dec 2002 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 31 Dec 2002 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 24 Jul 2007 1,845,858 A.SH. --- "C:\WINDOWS\system32\kjjlm.tmp"
Tue 24 Jul 2007 6,471 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak1"
Tue 24 Jul 2007 1,807,725 A.SH. --- "C:\WINDOWS\system32\kjjlm.bak2"
Fri 9 Nov 2007 923,066 A.SH. --- "C:\WINDOWS\system32\ogvfofdn.tmp"
Wed 28 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Nov 2004 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL0001.tmp"
Sat 25 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL0005.tmp"
Sat 25 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Typed Documents\~WRL2653.tmp"
Thu 16 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sun 1 Sep 2002 45,056 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\Desktop\minibrowser_v1.0.dll"
Sun 10 Apr 2005 22,528 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\My Documents\Farhan's Documents\~WRL1675.tmp"
Thu 7 Apr 2005 21,504 A..H. --- "C:\Documents and Settings\Administrator\My Documents\xeo\My Documents\school\English\Research Paper\~WRL0291.tmp"
Finished!
---- Fixwareout

Username "Administrator" - 04/14/2008 14:24:06 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3E5BEC1F-998E-4766-A5ED-5CB6CFEF3B26}
"DhcpNameServer"="85.255.113.114,85.255.112.8"
Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D8951C65-92EC-4161-9459-B755EB19927C}
"DhcpNameServer"="85.255.113.114,85.255.112.8"
Value cleared.
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FCF0F8737177-CBCB-56F4-4256-0D409B28{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A81021EEEA11-B2AA-0584-EF34-AA942AD1{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "elfmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FDE62E469FBB-A1AB-5D44-A456-6E9D93DE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}11576FF2B5C3-3FDB-2734-E2BD-4F584BE8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}71BDEC5CBBF9-7EE8-F6D4-F690-0F38C327{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C17FA5D49981-A7F9-4974-34E8-4BDDF0EE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}461231CCCB50-2968-7954-02BB-035410ED{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "djxmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}996423FA06AA-11AA-2EC4-DD37-8FAA33CB{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EAAADD02793F-E6AA-43B4-0DEE-2D67489B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "fpcmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8CBA0B891534-8AC8-A814-E12F-FA0FED00{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EBC911BEBB5A-09DB-1BD4-5530-490DCDCF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3F1E1AA224F1-2308-3864-B546-23D505B2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0E0D4AD0CD77-059A-A084-4269-E0A2A644{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "pvxmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ugcmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xtomd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ztvmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "zfimd" Deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmfle.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmcpf.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmcgu.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmvtz.exe" Value deleted
....
~~~~~ Misc files.
C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll-uninst.exe Deleted
C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Athan"="C:\\Program Files\\Athan\\Athan.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"spa_start"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\{12fdb189-6534-5715-5717-a9c2868b4931}.dll\" DllInit"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Should I send MBAM to my computer and try using it now or what? I really need my computer back up and running like tomorrow or so. Please, if you can work with me to figure this out as quickly as possible, I will appreciate it moreeee than ever. edit: I'm going to go use MBAM now and then post the log.
///////////////////////////////// MBAM ADDED
Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 29306
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geeba.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\nkqtkmpa.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58448347-2553-452e-8e97-e8e4b5120e01} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{58448347-2553-452e-8e97-e8e4b5120e01} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMd7bd0422 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geeba.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geeba.dll -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\geeba.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\abeeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abeeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nkqtkmpa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\apmktqkn.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rggodyor.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roydoggr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rundll32.exe (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mtyicqmn.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iefpmod.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qshl.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ierql.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehrdata.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ielog.dll (Malware.Trace) -> Quarantined and deleted successfully.

halfHAVOC 14
join:2002-05-30 New Jersey
errr sorry about this double post but I needed to separate the last HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:22 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »us.rd.yahoo.com/customize/ie/def···rch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.30.66.65:80
O2 - BHO: (no name) - {27BED0D7-0938-4700-9060-A436B69EB7BC} - C:\Program Files\Common Files\horev4444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9C3831AF-F271-4DB6-BB2C-DCD46F9BF462} - C:\Program Files\MSN\comeqoc89104.dll (file missing)
O2 - BHO: (no name) - {A67DA44A-58A5-4161-B77D-848247B6748C} - C:\Program Files\Common Files\horev7.dll (file missing)
O2 - BHO: (no name) - {A9457564-1FAB-4C4C-818D-417BA5F56D9C} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {DDBA5775-1351-4F21-881E-A4ADC9BEAB75} - C:\Program Files\Common Files\horev83122.dll (file missing)
O2 - BHO: {539d0426-5fb5-aa88-b654-46c17524fb1e} - {e1bf4257-1c64-456b-88aa-5bf56240d935} - C:\WINDOWS\system32\xcldfjbb.dll
O2 - BHO: nextads browser optimizer - {fed76bfd-a0ff-938f-507d-216c8ab86a74} - C:\WINDOWS\system32\{12fdb189-6534-5715-5717-a9c2868b4931}.dll (file missing)
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [d48e37be] rundll32.exe "C:\WINDOWS\system32\nkqtkmpa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: efcccaa - efcccaa.dll (file missing)
O20 - Winlogon Notify: iifefEUl - iifefEUl.dll (file missing)
O20 - Winlogon Notify: opnklmk - opnklmk.dll (file missing)
O20 - Winlogon Notify: rqrstqn - rqrstqn.dll (file missing)
O20 - Winlogon Notify: ssqrrpo - ssqrrpo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-- End of file - 6450 bytes
oddly the Q2's show up now.