
im new here hello i need help with a .dll
#16
Posted 07 October 2007 - 12:09 PM
#17
Posted 07 October 2007 - 12:12 PM
Copy the contents of C:\ComboFix.txt and paste all of the text here: http://pastebin.ca/
And give me a link.

#19
Posted 08 October 2007 - 06:18 AM

Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\netmanm.dll
Folder::
C:\VundoFix Backups
Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
#20
Posted 08 October 2007 - 09:34 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:28:55 AM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\gg\Desktop\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {460EF089-7F9E-427A-BE1F-72587251EF40} - c:\windows\system32\netmanm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: wuhausyx - C:\WINDOWS\SYSTEM32\netmanm.dll
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
#21
Posted 09 October 2007 - 11:20 AM

Disable teatimer:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
__________________
Looking over your log, it seems you don't have any evidence of an anti-virus software.
Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:
1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
___________________
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\netmanm.dll
C:\WINDOWS\SYSTEM32\axaadgua.dat
C:\WINDOWS\SYSTEM32\blursnbw.dat
C:\WINDOWS\SYSTEM32\hzihaumx.dat
C:\WINDOWS\SYSTEM32\ksusyvoa.dat
C:\WINDOWS\SYSTEM32\DRIVERS\chcibkdz.dat
C:\WINDOWS\SYSTEM32\DRIVERS\kvlaxgws.dat
C:\DOCUME~1\gg\LOCALS~1\Temp\cdiskdun.sys
C:\WINDOWS\SYSTEM32\dfrgresk.dll
C:\WINDOWS\SYSTEM32\advpackn.dll
C:\WINDOWS\SYSTEM32\apphelpv.dll
Driver::
cdiskdun
Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
____________________
Create a new folder on the desktop called HJT and drag the HijackThis.exe into the HJT folder.
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows except HijackThis and press fix checked.
O2 - BHO: (no name) - {460EF089-7F9E-427A-BE1F-72587251EF40} - c:\windows\system32\netmanm.dll
O20 - Winlogon Notify: wuhausyx - C:\WINDOWS\SYSTEM32\netmanm.dll
___________________
Please download ATF-cleaner and save it to your desktop.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
If you use Firefox browser:
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Under How to act?
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
_____________________
Post:
- A fresh HijackThis log
- Logfile of ComboFix
- AVG Anti-Spyware's report
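Added example, not part of the original posts: a Python sketch that parses HijackThis O2 (BHO) and O20 (Winlogon Notify) lines like those in the log above and groups them by target file, which surfaces a DLL registered under more than one autostart mechanism. The sample lines are copied from the posted log; the function names and the grouping heuristic are assumptions of this example, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {460EF089-7F9E-427A-BE1F-72587251EF40} - c:\windows\system32\netmanm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: wuhausyx - C:\WINDOWS\SYSTEM32\netmanm.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O2 lines carry a CLSID between name and path; anchoring on it keeps paths
# that themselves contain " - " (e.g. "Spybot - Search & Destroy") intact.
# O20 lines have no CLSID, so the path is anchored on its drive letter.
PATTERNS = {
    "O2": re.compile(
        r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$"),
    "O20": re.compile(
        r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>[A-Za-z]:\\.+)$"),
}


def parse_entries(log):
    """Return the O2/O20 entries of a HijackThis log as a list of dicts."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        for section, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                entries.append({
                    "section": section,
                    "name": match.group("name"),
                    # Windows paths are case-insensitive: normalise so that
                    # c:\windows\... and C:\WINDOWS\... compare equal.
                    "path": match.group("path").lower(),
                })
    return entries


def multi_registered(entries):
    """Map each file referenced from more than one section to those sections."""
    sections_by_path = defaultdict(set)
    for entry in entries:
        sections_by_path[entry["path"]].add(entry["section"])
    return {path: sorted(sections)
            for path, sections in sections_by_path.items()
            if len(sections) > 1}


def unnamed_bhos(entries):
    """Paths of BHOs that HijackThis lists as "(no name)"."""
    return [e["path"] for e in entries
            if e["section"] == "O2" and e["name"] == "(no name)"]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for path, sections in multi_registered(parsed).items():
        print("registered in", ", ".join(sections), "->", path)
    print("unnamed BHOs:", unnamed_bhos(parsed))
```

In this log the "(no name)" label alone does not single out one file, since Spybot's SDHelper.dll is listed the same way; the file that appears under both O2 and O20 is netmanm.dll.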
#22
Posted 10 October 2007 - 12:50 AM
ComboFix 07-10-07.2 - gg 2007-10-10 1:36:34.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.314 [GMT -5:00]
Running from: C:\Documents and Settings\gg\Desktop\spyware stuff\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-09 23:58 741,632 --a------ C:\WINDOWS\SYSTEM32\axaadgua.dat
2007-10-09 23:58 35,584 --a------ C:\WINDOWS\SYSTEM32\blursnbw.dat
2007-10-09 23:58 34,560 --a------ C:\WINDOWS\SYSTEM32\hzihaumx.dat
2007-10-09 23:58 118,528 --a------ C:\WINDOWS\SYSTEM32\ksusyvoa.dat
2007-10-09 22:55 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-10-07 12:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 22:20 <DIR> d-------- C:\Documents and Settings\gg\Application Data\Leadertech
2007-10-06 16:20 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-10-06 16:20 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-06 16:19 7,680 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx2.dll
2007-10-06 16:19 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-10-06 16:19 7,168 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx3.dll
2007-10-06 16:19 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-10-06 16:19 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-10-06 16:19 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-10-06 16:19 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-10-06 16:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-10-06 16:17 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-10-06 16:17 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-10-06 16:17 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-10-06 16:17 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-10-06 11:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-06 11:23 <DIR> d-------- C:\WINDOWS\ehome
2007-10-06 11:13 2,028,640 --a------ C:\sp1aexpress_usa.exe
2007-10-03 00:12 <DIR> d-------- C:\Program Files\ToniArts
2007-10-02 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-10-02 22:01 <DIR> d-------- C:\Program Files\backups
2007-09-30 19:55 34,816 --a------ C:\WINDOWS\SYSTEM32\dllcache\admwprox.dll
2007-09-30 19:52 73,728 --a------ C:\WINDOWS\SYSTEM32\dllcache\icwtutor.exe
2007-09-30 19:52 61,440 --a------ C:\WINDOWS\SYSTEM32\dllcache\icwres.dll
2007-09-30 19:52 57,344 --a------ C:\WINDOWS\SYSTEM32\dllcache\icwconn.dll
2007-09-30 19:52 45,056 --a------ C:\WINDOWS\SYSTEM32\dllcache\icwutil.dll
2007-09-30 19:52 40,960 --a------ C:\WINDOWS\SYSTEM32\dllcache\trialoc.dll
2007-09-30 19:52 24,576 --a------ C:\WINDOWS\SYSTEM32\dllcache\icwrmind.exe
2007-09-30 19:52 155,648 --a------ C:\WINDOWS\SYSTEM32\dllcache\icwhelp.dll
2007-09-30 19:47 153,631 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\el90xnd5.sys
2007-09-30 19:45 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-09-30 19:45 24,661 --a------ C:\WINDOWS\SYSTEM32\dllcache\spxcoins.dll
2007-09-30 19:45 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-09-30 19:45 13,312 --a------ C:\WINDOWS\SYSTEM32\dllcache\irclass.dll
2007-09-30 19:10 <DIR> d--hs---- C:\FOUND.051
2007-09-30 18:52 <DIR> d--hs---- C:\FOUND.050
2007-09-30 18:27 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-09-30 18:27 1,188,375 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-09-30 17:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
2007-09-30 17:00 92,672 --a------ C:\WINDOWS\SYSTEM32\netmanm.dll
2007-09-15 20:38 <DIR> d-------- C:\Program Files\City Interactive
2007-09-15 20:27 <DIR> d--hs---- C:\FOUND.049
2007-09-14 11:02 <DIR> d--hs---- C:\FOUND.048
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2006-03-28 09:49 1381 --a------ C:\Program Files\hijackthis.log
2006-03-26 18:15 271 ---hs---- C:\Program Files\desktop.ini
2006-03-26 18:15 23357 ---h----- C:\Program Files\folder.htt
2005-02-16 11:06 218112 --a------ C:\Program Files\HijackThis.exe
.
((((((((((((((((((((((((((((( snapshot@2007-10-07_12.34.37.31 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,532 2007-10-08 15:12:06 C:\WINDOWS\SYSTEM32\perfc009.dat
----a-w 374,064 2007-10-08 15:12:06 C:\WINDOWS\SYSTEM32\perfh009.dat
----a-w 821,728 2007-10-10 03:52:04 C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
----a-w 4,224 2007-10-10 03:52:10 C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
----a-w 27,776 2007-10-10 03:52:10 C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
----a-w 19,904 2007-10-10 03:52:12 C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
----a-w 4,960 2007-10-10 03:52:12 C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
----a-w 3,968 2007-10-10 03:52:12 C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
----a-w 372,736 2007-10-10 04:48:06 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-10-10 06:33:58 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-10-10 06:36:18 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 32,768 2007-10-10 06:33:58 C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
----a-w 163,328 2007-03-13 15:57:12 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
----a-w 50,532 2007-10-07 04:11:38 C:\WINDOWS\SYSTEM32\perfc009.dat
----a-w 374,064 2007-10-07 04:11:38 C:\WINDOWS\SYSTEM32\perfh009.dat
----a-w 372,736 2007-10-07 17:26:32 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-10-07 17:23:16 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-10-07 17:23:16 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 32,768 2007-10-07 17:23:16 C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{460EF089-7F9E-427A-BE1F-72587251EF40}]
2007-10-09 23:49 92672 --a------ c:\windows\system32\netmanm.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 15:29]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"nwiz"="nwiz.exe" [2006-03-09 15:29 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 15:29]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-09 22:52]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wuhausyx]
netmanm.dll 2007-10-09 23:49 92672 C:\WINDOWS\SYSTEM32\netmanm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
R2 dtaioade;3Com EtherLink XL 90X Adapter Controller;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\System32\DRIVERS\el90xnd5.sys
R3 wdm_opl3sax;YAMAHA OPL3-SAx Audio Driver (WDM);C:\WINDOWS\System32\drivers\opl3sax.sys
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dtaioade
.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-10-10 04:41:02 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-10-10 04:01:02 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 01:38:19
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-10 1:41:02
C:\ComboFix3.txt ... 2007-10-08 10:25
C:\ComboFix2.txt ... 2007-10-09 23:55
C:\ComboFix-quarantined-files.txt ... 2007-10-10 01:40
.
-
#23
Posted 10 October 2007 - 11:41 AM

Download OTMoveIt by OldTimer to your Desktop.
- Double click OTMoveIt.exe to launch it.
- Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
C:\WINDOWS\SYSTEM32\axaadgua.dat
C:\WINDOWS\SYSTEM32\blursnbw.dat
C:\WINDOWS\SYSTEM32\hzihaumx.dat
C:\WINDOWS\SYSTEM32\ksusyvoa.dat
C:\WINDOWS\SYSTEM32\netmanm.dll
- Click the Move It button.
- The list will be processed and the results will appear in the right hand pane.
- If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
- When finished click Exit to exit the programme.
- A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
- Post the log back here please.
Kaspersky online scanner works only with Internet Explorer!
Please run an online scanner with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post.
Post:
- A fresh HijackThis log
- Logfile of OTMoveIt
- Kaspersky's report
#24
Posted 11 October 2007 - 02:27 AM
http://www.pastebin.ca/732807 OTMoveIt
http://www.pastebin.ca/732811 fresh HJT
On a side note, I'll always do the HJT last. Thanks for all the help again.. it means a lot to me!
hopefully we can get this bug out of there without a full reformat
#25
Posted 11 October 2007 - 10:49 AM
http://pastebin.ca/733207
#26
Posted 11 October 2007 - 11:29 AM

1. Please download The Avenger by Swandog46 to your Desktop.
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
(How to extract (decompress) zipped or compressed files, help in the link here:
http://www.lvsonline...ut/index.shtml)
Files to delete:
C:\WINDOWS\SYSTEM32\netmanm.dll
C:\Documents and Settings\gg\Desktop\ATT_SST_Installer.exe
C:\Documents and Settings\gg\Desktop\ApacheAirAssault_Setup-dm.exe
Folders to delete:
C:\qoobox
C:\Documents and Settings\gg\Desktop\spyware stuff\backups
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text you copied above to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
- It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
_____________________
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows except HijackThis and press fix checked.
O2 - BHO: (no name) - {460EF089-7F9E-427A-BE1F-72587251EF40} - c:\windows\system32\netmanm.dll
O20 - Winlogon Notify: wuhausyx - C:\WINDOWS\SYSTEM32\netmanm.dll
____________________
Re-run with Kaspersky online scanner!
Post:
- A fresh HijackThis log
- Content of C:\avenger.txt
- Kaspersky's report
#27
Posted 11 October 2007 - 08:54 PM
http://pastebin.ca/733801 Avenger
http://pastebin.ca/733929 Kaspersky
I think we got it??? !!!!



Edited by shoebox1.1, 11 October 2007 - 11:55 PM.
#28
Posted 13 October 2007 - 07:16 PM
#29
Posted 14 October 2007 - 02:51 AM

Delete this folder: (Using Windows Explorer; Windows key +e)
C:\avenger
____________________
Disable system restore:
- Right click on my computer icon
- Choose properties
- Click on system restore tab
- Select Turn off System Restore
- Click apply and click OK
- Reboot!
- Right click on my computer icon
- Choose properties
- Click on system restore tab
- un-check Turn off System Restore
- Click apply and click OK
- Reboot!
Otherwise all logs are clean! How is your computer running now?
Here are a couple of things on how to stay clean:
- Clean speech:
- Use Mozilla firefox or Opera as your browser!
Mozilla firefox or Opera are better than Internet Explorer.
Download Mozilla firefox from here!
Download Opera from here!
- Install Hosts-file!
Hosts-file blocks bad web addresses. Remember to update hosts-file regularly.
Download Hosts-file from here!
- Install Winpatrol!
Winpatrol monitors your system and blocks hijacks.
Download Winpatrol from here!
- Install AVG Anti-Spyware!
AVG anti-spyware detects and removes malware and cleans your register too. Run a scan with Ad-aware regularly and update it before the scan.
Download AVG anti-spyware from here!
- Install Ccleaner!
CCleaner cleans your temporary files and also cleans your register. Run CCleaner regularly.
Download CCleaner from here!
- Install Ad-Aware!
Ad-aware detects and removes malware and cleans your register too. Run a scan with Ad-aware regularly and update it before the scan.
Download Ad-aware from here!
- Install SpywareBlaster!
Spywareblaster blocks bad activeX-components. Update it regularly.
Download Spywareblaster from here!
- System restore!
Clean and create a new system restore point regularly.
How do I clean my system restore and create the new system restore point?
Here are instructions!
- Keep all programs updated!
Remember to keep all programs up-to-date, also Windows. So please visit here regularly and install all critical updates.
#30
Posted 14 October 2007 - 08:21 PM