
Hijack This Log


This topic is locked
15 replies to this topic

#1 Tameilau (Authentic Member, 23 posts)

Posted 05 June 2007 - 04:00 AM

This is my log

Logfile of HijackThis v1.99.1
Scan saved at 9:58:52 p.m., on 5/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\TWEAKM~1\TMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.botsgame.com/
O1 - Hosts: 81.95.149.173 81.95.149.173
O1 - Hosts: 72.14.253.103 www.google.co.nz
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O1 - Hosts: 209.85.167.165 pagead2.googlesyndication.com
O1 - Hosts: 72.14.253.147 www.google.com
O1 - Hosts: 209.85.199.83 mail.google.com
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: LimeWire Turbo Accelerator.lnk = C:\Program Files\LimeWire Turbo Accelerator\LimeWire Turbo Accelerator.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/229?0c9650ac257244cfb2320900d04543eb
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?0c9650ac257244cfb2320900d04543eb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://nathandattong...ad/MsnPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 05 June 2007 - 04:20 AM

Is this the same one we are working on here?
http://forums.tomcoy...0...15&start=15

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Tameilau (Authentic Member, 23 posts)

Posted 05 June 2007 - 04:26 AM

Yeah it is, dunno why I went to this one lol, go back to the other one.

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 05 June 2007 - 04:29 AM

Let's stay with this one. It looks like the last one. I'll close the other one.


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

Post a new HijackThis Log.



#5 Tameilau (Authentic Member, 23 posts)

Posted 05 June 2007 - 04:33 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:32:10 p.m., on 5/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccUpdUI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\Program Files\TweakMASTER\TMTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.botsgame.com/
O1 - Hosts: 72.14.253.104 www.google.co.nz
O1 - Hosts: 81.95.149.173 81.95.149.173
O1 - Hosts: 64.152.4.81 www.wwe.com
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O1 - Hosts: 209.85.171.166 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39E1A2E5-5CFE-4245-87AB-2194E91737AA} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\awtstsq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: LimeWire Turbo Accelerator.lnk = C:\Program Files\LimeWire Turbo Accelerator\LimeWire Turbo Accelerator.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/229?0c9650ac257244cfb2320900d04543eb
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?0c9650ac257244cfb2320900d04543eb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://nathandattong...ad/MsnPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtstsq - C:\WINDOWS\SYSTEM32\awtstsq.dll
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 05 June 2007 - 04:43 AM

I'm not sure what all you've been trying to do, but you're making it worse.
You need to try and follow every suggested fix in the order I have posted.

Please do not delete anything unless instructed to.

1. Click Start > Settings > Control Panel.
2. Next, open Add/Remove Programs and remove if listed:
SpywareBot


Run HijackThis. Hit "None of the above", click "Do a System Scan Only". Put a check in the box on the left side of these:

O1 - Hosts: 72.14.253.104 www.google.co.nz
O1 - Hosts: 81.95.149.173 81.95.149.173
O1 - Hosts: 64.152.4.81 www.wwe.com
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O1 - Hosts: 209.85.171.166 pagead2.googlesyndication.com
O2 - BHO: (no name) - {39E1A2E5-5CFE-4245-87AB-2194E91737AA} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\awtstsq.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O20 - Winlogon Notify: awtstsq - C:\WINDOWS\SYSTEM32\awtstsq.dll
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\Program Files\SpywareBot\SpywareBot.exe
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\awtstsq.dll
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\SYSTEM32\awtstsq.dll
C:\WINDOWS\system32\ddabx.dll


Delete this Folder if listed:
C:\Program Files\SpywareBot



Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#7 Tameilau (Authentic Member, 23 posts)

Posted 05 June 2007 - 04:55 AM

Couldn't delete these:
Delete these Files if listed:
C:\Program Files\SpywareBot\SpywareBot.exe
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\awtstsq.dll
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\WINDOWS\SYSTEM32\awtstsq.dll
C:\WINDOWS\system32\ddabx.dll
All in use!!??

#8 Tameilau (Authentic Member, 23 posts)

Posted 05 June 2007 - 04:56 AM

Here

"Nathan" - 2007-06-05 18:49:43 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Nathan.JOHN-648963B169\Desktop\Programs\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\puobpmbs.dll
C:\WINDOWS\system32\wincsg32.dll
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\ihhkj.tmp
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\ihhkj.tmp
C:\WINDOWS\system32\ihhkj.bak1
C:\WINDOWS\system32\ihhkj.bak2
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\ihhkj.tmp
C:\WINDOWS\system32\jkhhi.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outlook
C:\Program Files\winupdates
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ipv6monl.dll
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))


2007-06-05 18:24 2,580 --a------ C:\WINDOWS\system32\emtacqjw.exe
2007-06-05 17:23 2,580 --a------ C:\WINDOWS\system32\iuasvryi.exe
2007-06-05 17:18 2,580 --a------ C:\WINDOWS\system32\rwydyffc.exe
2007-06-05 16:18 131,124 --a------ C:\WINDOWS\system32\ksuvwaut.dll
2007-06-05 16:16 2,580 --a------ C:\WINDOWS\system32\fukkbnkq.exe
2007-06-05 16:15 2,580 --a------ C:\WINDOWS\system32\gtgwinld.exe
2007-06-05 16:05 33,302 --a------ C:\WINDOWS\system32\byxxxus.dll
2007-06-05 15:59 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\jmrotsvu.exe
2007-06-05 15:59 33,302 --a------ C:\WINDOWS\system32\rqrrrqp.dll
2007-06-05 15:59 33,302 --a------ C:\WINDOWS\system32\gebxyxu.dll
2007-06-05 15:57 33,302 --a------ C:\WINDOWS\system32\awtstsq.dll
2007-06-05 15:52 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\SpywareBot
2007-06-05 15:40 <DIR> d-------- C:\Program Files\TweakMASTER
2007-06-05 09:01 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 06:43 6,970 --a------ C:\dnsbak.reg
2007-06-04 23:27 <DIR> d-------- C:\Program Files\New Folder
2007-06-04 23:27 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-06-04 23:27 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\WINDOWS
2007-06-04 23:26 <DIR> d---s---- C:\DOCUME~1\NATHAN~2.JOH\UserData
2007-06-04 23:26 <DIR> d-------- C:\Program Files\Space Tunnels 3D Screensaver
2007-06-04 23:26 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\Shared
2007-06-04 23:26 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\OpenOffice.org2
2007-06-04 23:26 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\DivX
2007-06-04 23:26 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\AdobeUM
2007-06-04 20:46 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-04 20:34 182,272 --a------ C:\WINDOWS\patchw32.dll
2007-06-03 20:47 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\WinPatrol
2007-06-03 19:58 <DIR> d-------- C:\Program Files\RegCleaner
2007-06-03 19:12 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\Incomplete
2007-06-03 19:12 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\Contacts
2007-06-03 19:12 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\LimeWire
2007-06-03 19:12 <DIR> d-------- C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\Apple Computer
2007-06-03 17:52 <DIR> d-------- C:\DOCUME~1\NATHAN~1.JOH\APPLIC~1\Adobe(2)
2007-06-03 17:00 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-06-03 16:00 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-03 15:21 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-06-03 15:18 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-03 15:05 <DIR> d-------- C:\MSOCache
2007-06-03 14:48 <DIR> d-------- C:\DOCUME~1\Johny\Incomplete
2007-06-03 14:48 <DIR> d-------- C:\DOCUME~1\Johny\APPLIC~1\LimeWire
2007-06-02 21:24 <DIR> d-------- C:\Program Files\ubi.com
2007-06-02 21:15 <DIR> d-------- C:\Program Files\Red Storm Entertainment
2007-06-02 19:37 <DIR> d-------- C:\Program Files\Acoustica MP3 CD Burner
2007-06-02 19:15 <DIR> d---s---- C:\DOCUME~1\NATHAN~1.JOH\UserData(2)
2007-06-02 18:13 <DIR> d-------- C:\DOCUME~1\NATHAN~1.JOH\Incomplete(2)
2007-06-02 18:13 <DIR> d-------- C:\DOCUME~1\NATHAN~1.JOH\APPLIC~1\LimeWire(2)
2007-06-02 18:09 <DIR> d-------- C:\DOCUME~1\NATHAN~1.JOH\APPLIC~1\Macromedia(2)
2007-06-02 18:01 1,048,576 --ah----- C:\DOCUME~1\NATHAN~1.JOH\NTUSER.DAT
2007-06-02 18:01 <DIR> d--h----- C:\DOCUME~1\NATHAN~1.JOH\Local Settings(2)
2007-06-02 18:01 <DIR> d--h----- C:\DOCUME~1\NATHAN~1.JOH\Application Data(2)
2007-06-02 18:01 <DIR> d-------- C:\DOCUME~1\NATHAN~1.JOH\Templates(2)
2007-06-02 18:01 <DIR> d-------- C:\DOCUME~1\NATHAN~1.JOH\Desktop(2)
2007-06-02 18:01 <DIR> d-------- C:\DOCUME~1\NATHAN~1.JOH\APPLIC~1\Microsoft(2)
2007-05-31 21:25 2,097,152 --a------ C:\DOCUME~1\NATHAN~2.JOH\ntuser.dat
2007-05-30 16:08 348,075 --a------ C:\WINDOWS\b133.exe.bin
2007-05-28 17:48 <DIR> d-------- C:\DOCUME~1\Johny\APPLIC~1\AdobeUM
2007-05-28 08:41 8,443 --a------ C:\WINDOWS\system32\pmnnnoo.dll
2007-05-28 08:41 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-05-28 08:40 8,443 --a------ C:\WINDOWS\system32\gebyxww.dll
2007-05-27 18:43 <DIR> d-------- C:\My Downloads
2007-05-25 20:16 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-05-25 20:16 <DIR> d-------- C:\Program Files\BlueVoda Website Builder
2007-05-18 18:06 <DIR> d-------- C:\DOCUME~1\Johny\APPLIC~1\OpenOffice.org2
2007-05-17 19:38 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-05-16 17:59 <DIR> d-------- C:\DOCUME~1\Johny\APPLIC~1\Apple Computer
2007-05-16 15:54 24,576 --a------ C:\WINDOWS\system32\IdleTrac1.dll
2007-05-16 15:54 <DIR> d-------- C:\Program Files\Mailinfo
2007-05-16 15:53 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-05-16 15:32 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-16 15:32 <DIR> d-------- C:\Program Files\DAP
2007-05-14 18:01 <DIR> d-------- C:\DOCUME~1\Johny\Contacts
2007-05-14 07:58 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-05-14 07:58 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2007-05-14 07:58 <DIR> d-------- C:\Program Files\Stardock
2007-05-13 13:59 796,672 --a------ C:\WINDOWS\GPInstall.exe
2007-05-13 13:59 <DIR> d-------- C:\Program Files\Evrox
2007-05-10 09:23 <DIR> d-------- C:\Program Files\BearShare Applications
2007-05-10 09:22 <DIR> d-------- C:\Program Files\IrfanView
2007-05-10 09:22 <DIR> d-------- C:\Program Files\BearFlix
2007-05-07 12:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-05-07 08:40 <DIR> d-------- C:\Program Files\Common Files\àppPatch
2007-05-07 08:26 1,056,768 --a------ C:\WINDOWS\system32\FreeImage.dll
2007-05-06 15:46 <DIR> d-------- C:\Program Files\Bots
2007-05-05 14:35 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-05-05 14:35 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-05-05 14:35 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-05-05 14:35 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-05-05 14:35 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-05-05 14:35 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-05-05 13:16 <DIR> d-------- C:\Program Files\MindArk


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 09:23:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 09:28:55 -------- d-----w C:\Program Files\OpenOffice.org 2.0
2007-05-14 09:43:26 -------- d-----w C:\Program Files\LimeWire
2007-05-07 03:27:28 -------- d-----w C:\Program Files\Common Files\?ppPatch
2007-05-05 09:53:56 -------- d-----w C:\Program Files\QuickTime
2007-05-05 09:42:53 -------- d-----w C:\Program Files\Apple Software Update
2007-05-02 03:26:20 -------- d-----w C:\Program Files\inKline Global
2007-04-25 08:50:56 -------- d-----w C:\Program Files\iTunes
2007-04-25 08:50:34 -------- d-----w C:\Program Files\iPod
2007-04-23 09:34:56 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-22 15:00:36 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-21 02:58:20 -------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2007-04-20 22:36:52 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-20 01:33:20 -------- d-----w C:\Program Files\DivX
2007-04-20 00:52:43 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-04-20 00:46:27 -------- d-----w C:\Program Files\MSN Messenger
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-25 21:38:37 0 --sha-r C:\MSDOS.SYS
2007-03-25 21:38:37 0 --sha-r C:\IO.SYS
2007-03-25 21:38:37 0 ----a-w C:\CONFIG.SYS
2007-03-25 21:38:37 0 ----a-w C:\AUTOEXEC.BAT
2007-03-25 21:34:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{54CBB12C-3481-4C5D-942D-4976C0F0A406}=C:\WINDOWS\system32\awtstsq.dll [2007-06-05 15:57]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C}=C:\PROGRA~1\TWEAKM~1\TweakBHO.dll [2006-11-27 15:25]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2006-09-27 17:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 23:25]
"SiSPower"="SiSPower.dll" [2005-10-04 10:56 C:\WINDOWS\system32\SiSPower.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TweakMASTER"="C:\PROGRA~1\TWEAKM~1\TMTray.exe" [2006-11-27 15:25]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"jmrotsvu.exe"="C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe" [2007-06-05 15:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54CBB12C-3481-4C5D-942D-4976C0F0A406}"="C:\WINDOWS\system32\awtstsq.dll" [2007-06-05 15:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtstsq]
awtstsq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-02 06:43:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-05 06:28:02 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
2007-06-05 04:24:32 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
2007-06-05 06:59:46 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-04 15:00:00 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-05 19:00:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-05 19:02:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-05 19:02

--- E O F ---


And the HijackThis log!!

Logfile of HijackThis v1.99.1
Scan saved at 10:55:09 p.m., on 5/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\TweakMASTER\TMTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
C:\Program Files\HijackThis\spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.botsgame.com/
O1 - Hosts: 72.14.253.99 www.google.co.nz
O1 - Hosts: 81.95.149.173 81.95.149.173
O1 - Hosts: 64.152.4.81 www.wwe.com
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O1 - Hosts: 209.85.171.166 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39E1A2E5-5CFE-4245-87AB-2194E91737AA} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\awtstsq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - Startup: LimeWire Turbo Accelerator.lnk = C:\Program Files\LimeWire Turbo Accelerator\LimeWire Turbo Accelerator.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/229?0c9650ac257244cfb2320900d04543eb
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?0c9650ac257244cfb2320900d04543eb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://nathandattong...ad/MsnPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtstsq - C:\WINDOWS\SYSTEM32\awtstsq.dll
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#9 Tameilau
Authentic Member, 23 posts

Posted 05 June 2007 - 05:10 AM

Hey, I gotta go to bed, I'm tired. Um, can you please take a look at my topic under Other Computer Problems? Please, I'll be back tomorrow. Thanks!

#10 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 05 June 2007 - 05:11 AM

Download Avenger by Swandog, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).
http://swandog46.gee...com/avenger.zip

Note: The Avenger must be run from a user account with administrator privileges, and ONLY works on Windows 2000 and XP, and only on 32-bit versions!



Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.

Click Format, and ensure Word Wrap is unchecked.

Copy and Paste all the text inside the box below into Notepad.

Now save the file as RemoveFiles.txt in a location where you can find it.


Files to delete:
C:\WINDOWS\system32\emtacqjw.exe
C:\WINDOWS\system32\iuasvryi.exe
C:\WINDOWS\system32\rwydyffc.exe
C:\WINDOWS\system32\ksuvwaut.dll
C:\WINDOWS\system32\fukkbnkq.exe
C:\WINDOWS\system32\gtgwinld.exe
C:\WINDOWS\system32\byxxxus.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\jmrotsvu.exe
C:\WINDOWS\system32\rqrrrqp.dll
C:\WINDOWS\system32\gebxyxu.dll
C:\WINDOWS\system32\awtstsq.dll
C:\WINDOWS\b133.exe.bin
C:\WINDOWS\iun6002.exe

Folders to delete:
C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\SpywareBot




Start Avenger by double clicking on Avenger.exe.

Check Load script from file:

Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.

Double click it to enter it into Avenger.

Click the green traffic light symbol.

You will be asked if you want to execute the script, answer Yes.

At this point you may get prompts from your protection systems, allow them please.

Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.

Answer Yes, and allow your computer to re-boot.

Upon re-boot a command window will briefly appear on screen (this is normal).

A Notepad text file will be created C:\avenger.txt.

Copy and Paste it into your next post please, along with a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 Tameilau
Authentic Member, 23 posts

Posted 05 June 2007 - 02:07 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\humclpjb

*******************

Script file located at: \??\C:\WINDOWS\system32\wuhyisei.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\emtacqjw.exe deleted successfully.
File C:\WINDOWS\system32\iuasvryi.exe deleted successfully.
File C:\WINDOWS\system32\rwydyffc.exe deleted successfully.
File C:\WINDOWS\system32\ksuvwaut.dll deleted successfully.
File C:\WINDOWS\system32\fukkbnkq.exe deleted successfully.
File C:\WINDOWS\system32\gtgwinld.exe deleted successfully.
File C:\WINDOWS\system32\byxxxus.dll deleted successfully.
File C:\DOCUME~1\ALLUSE~1\APPLIC~1\jmrotsvu.exe deleted successfully.
File C:\WINDOWS\system32\rqrrrqp.dll deleted successfully.
File C:\WINDOWS\system32\gebxyxu.dll deleted successfully.
File C:\WINDOWS\system32\awtstsq.dll deleted successfully.
File C:\WINDOWS\b133.exe.bin deleted successfully.
File C:\WINDOWS\iun6002.exe deleted successfully.
Folder C:\DOCUME~1\NATHAN~2.JOH\APPLIC~1\SpywareBot deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#12 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 05 June 2007 - 09:20 PM

Post a new HijackThis log. How's it running?



#13 Tameilau
Authentic Member, 23 posts

Posted 05 June 2007 - 09:31 PM

Yeah! It's fixed!!!

Could I get some help on this too?????? http://forums.tomcoy...net_t80044.html

Here's the log

Logfile of HijackThis v1.99.1
Scan saved at 3:30:01 p.m., on 6/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\TWEAKM~1\TMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\SoftwareClub.ws\SC Net Speed Booster\ISpBos.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.botsgame.com/
O1 - Hosts: 72.14.253.99 www.google.co.nz
O1 - Hosts: 81.95.149.173 81.95.149.173
O1 - Hosts: 64.152.4.81 www.wwe.com
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O1 - Hosts: 209.85.171.166 pagead2.googlesyndication.com
O1 - Hosts: 210.55.204.225 www.trendmicro.com
O1 - Hosts: 72.232.135.12 swandog46.geekstogo.com
O1 - Hosts: 66.29.50.174 www.gold-software.com
O1 - Hosts: 141.161.61.163 uis.georgetown.edu
O1 - Hosts: 216.40.230.4 www.robust.ws
O1 - Hosts: 208.109.14.3 www.internet-tips.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\awtstsq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {EA33C6E6-8015-4926-BDB1-B57CA321B8E3} - C:\WINDOWS\system32\ddabx.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jmrotsvu.exe] C:\Documents and Settings\All Users\Application Data\jmrotsvu.exe
O4 - Startup: LimeWire Turbo Accelerator.lnk = C:\Program Files\LimeWire Turbo Accelerator\LimeWire Turbo Accelerator.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/229?0c9650ac257244cfb2320900d04543eb
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?0c9650ac257244cfb2320900d04543eb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://nathandattong...ad/MsnPUpld.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtstsq - awtstsq.dll (file missing)
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#14 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 05 June 2007 - 09:45 PM

Your computer still has an infection:

Please download HostsXpert.
  • Unzip HostsXpert.zip
  • Double click on HostsXpert.exe
  • Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
  • Click on Make Hosts Read Only to secure it against further infection.
  • Close the program when complete.
Next:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
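As an added example (not part of this thread, and not code from HijackThis or HostsXpert), here is a small Python checker for the hosts-file hijack the second log shows: it reads "O1 - Hosts:" lines or raw hosts-file lines and flags every mapping that is not loopback, with redirects of security-help sites reported first. The domain list and the sample lines are constructed from the logs above; the only assumption is a stock Python 3 interpreter.

```python
# Added example (not from the thread, HijackThis or HostsXpert).
import ipaddress
import re

# The one mapping a default Windows XP hosts file carries; HostsXpert's
# "Restore Original Hosts" step leaves only this mapping in the file.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"
# Harmless targets: loopback or a blackhole address.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
# Domains whose redirection blocks the cleanup itself (from this thread's logs).
SECURITY_DOMAINS = ("trendmicro.com", "geekstogo.com", "tomcoyote.org")
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

def parse_mappings(lines):
    """Yield (ip, hostname) from HJT O1 lines or raw hosts-file lines."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = O1_RE.match(line)
        fields = m.groups() if m else tuple(line.split()[:2])
        if len(fields) == 2:
            yield fields

def classify(ip, name):
    """Return None for a benign mapping, otherwise a short reason."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "malformed address"
    if ip in BENIGN_TARGETS:
        return None
    if name == ip:
        return "address mapped to itself"
    host = name.lower()
    if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
        return "security/help site redirected"
    return "non-loopback redirect"

def find_hijacks(lines):
    """List (ip, name, reason) per suspicious mapping, worst first."""
    hits = []
    for ip, name in parse_mappings(lines):
        reason = classify(ip, name)
        if reason is not None:
            hits.append((ip, name, reason))
    # Stable sort: redirected security sites first, others keep log order.
    hits.sort(key=lambda h: h[2] != "security/help site redirected")
    return hits

# Constructed sample: a comment, a clean localhost line and four O1 lines
# copied from the second HijackThis log in this thread.
SAMPLE = [
    "# comment lines are ignored",
    "127.0.0.1       localhost",
    "O1 - Hosts: 72.14.253.99 www.google.co.nz",
    "O1 - Hosts: 81.95.149.173 81.95.149.173",
    "O1 - Hosts: 210.55.204.225 www.trendmicro.com",
    "O1 - Hosts: 72.232.135.12 swandog46.geekstogo.com",
]

if __name__ == "__main__":
    for ip, name, reason in find_hijacks(SAMPLE):
        print(f"{reason:30} {ip:16} {name}")
```

Run against a pasted HJT log it reports every O1 line that needs attention; run against the restored hosts file it should report nothing.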



#15 LDTate
Grand Poobah, Root Admin, 57,211 posts

Posted 10 June 2007 - 02:28 PM

How's it going?

