[Resolved] Removal Dropper.Agent.GIT--taking over my pc HELPPP


11 replies to this topic

#1 conn242 (New Member, 6 posts)

Posted 23 January 2008 - 09:58 AM

I have tried running AVG because it finds the trojan... then every time I reboot it keeps coming right back... it's taking over my exe's... I updated my automatic updates and got the malicious thing...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:47 AM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\windows\system32\rlvknlg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\iTunes\iTunes.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvts.exe
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [8ccc1ae7] rundll32.exe "C:\WINDOWS\system32\guymwpoj.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193368626000
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193368620000
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\pbblandf.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8136 bytes



#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 23 January 2008 - 03:48 PM

Hello conn242, and welcome to the What the Tech Forums.

My name is Trevuren and I will be helping you with your problem. It appears likely that your system has been infected with a Vundo trojan file infector. This trojan renames legitimate startup executables and replaces them with malware. We will attempt to reverse the process, but please be advised that most often there are programs that cannot be salvaged and will need to be reinstalled.


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingc...to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Microsoft MVP Consumer Security 2008 - 2009

#3 conn242 (New Member, 6 posts)

Posted 23 January 2008 - 04:40 PM

ComboFix 08-01-23.2 - nick 2008-01-23 17:27:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.648 [GMT -5:00]
Running from: C:\Documents and Settings\nick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\icroso~1.net
C:\Program Files\icroso~1.net\?icrosoft.NET\
C:\Program Files\icroso~1.net\wowexec.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\_000907_.tmp.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2

<pre>
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTNDIS
-------\DomainService
-------\ntndis


((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 17:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 14:30 . 2008-01-23 14:30 3,584 --a------ C:\WINDOWS\system32\awvts.exe
2008-01-23 11:46 . 2008-01-23 11:46 0 --a------ C:\windows.win.ini
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-23 11:32 . 2006-10-04 09:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-23 11:32 . 2006-10-04 09:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-23 11:32 . 2006-10-04 09:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-23 11:31 . 2008-01-23 11:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-22 14:20 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-22 14:19 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-22 14:19 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-22 14:19 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-22 14:10 . 2008-01-22 14:10 0 -----c--- C:\WINDOWS\system32\dllcache\HFX140.tmp
2008-01-22 14:09 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-22 14:07 . 2007-10-25 22:34 8,460,288 -----c--- C:\WINDOWS\system32\dllcache\shell32.dll
2008-01-22 14:04 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-22 13:59 . 2008-01-22 14:10 <DIR> d-------- C:\e3cc8cac73e21004145abe30
2008-01-22 13:44 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-22 13:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-22 13:42 . 2008-01-22 13:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 08:45 . 2008-01-22 13:51 <DIR> d-------- C:\Program Files\ICQToolbar
2008-01-21 18:24 . 2008-01-21 18:24 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 09:35 . 2008-01-21 09:35 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-21 09:35 . 2008-01-21 09:35 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-21 09:26 . 2008-01-21 09:27 1,086,143 --ahs---- C:\WINDOWS\system32\jopwmyug.ini
2008-01-21 09:24 . 2008-01-21 09:24 1,086,083 --ahs---- C:\WINDOWS\system32\inijqafx.ini
2008-01-20 18:49 . 2008-01-20 19:03 1,073,832 --ahs---- C:\WINDOWS\system32\tfmppqbm.ini
2008-01-20 18:46 . 2008-01-20 18:47 1,073,712 --ahs---- C:\WINDOWS\system32\jhtlbwxj.ini
2008-01-19 09:46 . 2008-01-20 18:41 1,073,652 --ahs---- C:\WINDOWS\system32\ajfdengd.ini
2008-01-19 09:43 . 2008-01-19 09:43 1,073,472 --ahs---- C:\WINDOWS\system32\mdephgyr.ini
2008-01-18 17:59 . 2008-01-18 18:00 <DIR> d-------- C:\Program Files\DivX
2008-01-18 17:59 . 2008-01-04 16:58 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-01-18 17:59 . 2008-01-04 16:58 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-01-18 17:59 . 2008-01-04 16:58 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-01-17 11:01 . 2008-01-19 09:34 1,073,412 --ahs---- C:\WINDOWS\system32\oanvwoyw.ini
2008-01-17 10:57 . 2008-01-17 10:57 1,173,462 --ahs---- C:\WINDOWS\system32\ishbeawg.ini
2008-01-14 18:51 . 2008-01-14 18:56 <DIR> d-------- C:\Program Files\Network Associates
2008-01-14 17:04 . 2008-01-17 10:45 1,217,485 --ahs---- C:\WINDOWS\system32\cslvongs.ini
2008-01-14 16:58 . 2008-01-14 16:58 1,057,456 --ahs---- C:\WINDOWS\system32\feqmcyfh.ini
2008-01-14 16:04 . 2008-01-14 16:04 1,057,396 --ahs---- C:\WINDOWS\system32\guiuadls.ini
2008-01-14 15:55 . 2008-01-14 15:55 1,057,336 --ahs---- C:\WINDOWS\system32\elmhqcxh.ini
2008-01-13 10:24 . 2008-01-14 15:46 1,057,276 --ahs---- C:\WINDOWS\system32\pppcraba.ini
2008-01-13 10:18 . 2008-01-13 10:18 1,060,622 --ahs---- C:\WINDOWS\system32\gylxsboq.ini
2008-01-12 21:59 . 2008-01-12 22:10 <DIR> d-------- C:\Program Files\LimeWire
2008-01-11 15:52 . 2008-01-13 10:06 1,060,562 --ahs---- C:\WINDOWS\system32\oymijaqa.ini
2008-01-11 15:46 . 2008-01-11 15:46 1,060,382 --ahs---- C:\WINDOWS\system32\ljbsinbc.ini
2008-01-10 19:29 . 2008-01-10 19:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-07 18:59 . 2008-01-07 18:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-04 16:59 . 2008-01-04 16:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-01 15:13 . 2008-01-01 15:13 <DIR> d-------- C:\Program Files\Skype
2008-01-01 15:13 . 2008-01-01 15:13 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-31 12:40 . 2007-12-31 14:06 <DIR> d-------- C:\Program Files\Picasa2
2007-12-31 12:40 . 2007-12-31 12:40 <DIR> d-------- C:\Program Files\Google
2007-12-31 12:40 . 2006-10-04 21:42 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-31 12:40 . 2006-10-04 21:42 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-31 01:25 . 2007-12-31 01:25 220,157 --a------ C:\fsdafsdafdsafsd.JPG
2007-12-30 16:55 . 2007-12-31 16:40 <DIR> d-------- C:\Program Files\MoparScape
2007-12-30 16:47 . 2007-12-30 16:48 <DIR> d-------- C:\WINDOWS\.mpr_file_store_32
2007-12-30 02:12 . 2007-12-30 02:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-12-27 02:03 . 2007-12-31 16:09 <DIR> d-------- C:\Program Files\SwiftSwitch
2007-12-26 10:39 . 2008-01-22 10:11 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 22:11 . 2007-12-26 00:09 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-12-24 22:36 . 2007-12-24 22:36 <DIR> d-------- C:\Program Files\DIFX
2007-12-24 22:36 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-12-24 22:36 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-12-24 22:36 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2007-12-24 21:50 . 2007-12-24 21:50 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-24 21:39 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 22:31 --------- d-----w C:\Program Files\iTunes
2008-01-23 22:27 --------- d-----w C:\Program Files\MSN Messenger
2008-01-23 17:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 20:54 --------- d-----w C:\Program Files\Ares
2008-01-22 13:50 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-22 13:44 --------- d-----w C:\Program Files\Azureus
2008-01-22 13:34 --------- d-----w C:\Program Files\ICQ6
2008-01-22 13:34 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-19 04:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-17 19:56 --------- d-----w C:\Program Files\Steam
2008-01-17 18:12 --------- d-----w C:\Program Files\Xfire
2008-01-17 16:01 --------- d-----w C:\Program Files\Microsoft Xbox 360 Accessories
2008-01-17 03:37 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
2008-01-15 12:54 --------- d-----w C:\Program Files\Morpheus
2008-01-13 15:14 --------- d-----w C:\Program Files\Frets on Fire
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-01 19:06 --------- d-----w C:\Program Files\mIRC
2008-01-01 17:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 20:47 --------- d-----w C:\Program Files\World of Warcraft
2007-12-24 18:28 --------- d-----w C:\Program Files\Diablo II
2007-12-09 21:53 --------- d-----w C:\Program Files\i-Sound Pro
2007-12-08 17:42 --------- d-----w C:\Program Files\MSAR3.0_Alpha
2007-12-05 03:33 --------- d-----w C:\Program Files\All Sound Recorder
2007-12-05 03:30 --------- d-----w C:\Program Files\Advanced Sound Recorder
2007-11-28 21:59 --------- d-----w C:\Program Files\Activision
2007-11-27 21:33 --------- d-----w C:\Program Files\Java
2007-11-27 21:31 --------- d-----w C:\Program Files\Common Files\Java
2007-11-23 21:57 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-23 03:04 --------- d-----w C:\Program Files\Ventrilo
2007-11-03 15:36 5,582 ----a-w C:\Program Files\install.log
2007-10-03 21:37 967 ----a-w C:\Program Files\setup.bat
2004-12-20 05:00 111,104 ----a-w C:\Program Files\uha.exe
.
<pre>
----a-w		   167,368 2008-01-21 14:15:01  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   177,400 2008-01-21 14:15:01  C:\Program Files\ICQ6\ICQ .exe
----a-w			32,768 2008-01-21 14:14:58  C:\Program Files\Ideazon\ZEngine\Zboard .exe
----a-w		   132,496 2008-01-21 14:15:00  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   734,264 2008-01-17 15:45:36  C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat .exe
----a-w		 5,674,352 2008-01-21 14:15:07  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   266,240 2008-01-21 14:14:57  C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw .exe
----a-w		 1,266,936 2008-01-17 15:45:38  C:\Program Files\Steam\Steam .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60d74777-4d96-4091-b7ff-804734e89ed3}]
C:\WINDOWS\system32\srlyoeen.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="C:\Program Files\Steam\Steam.exe" [ ]
"NudgeMania"="C:\Program Files\NudgeMania\NudgeMania.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"8ccc1ae7"="C:\WINDOWS\system32\guymwpoj.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2004-08-04 00:56 208896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 09:35 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklmnm]
jkklmnm.dll

R3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 13:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 17:34:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {3de98e43-7408-ff7b-1904-69d477747d06} - {60d74777-4d96-4091-b7ff-804734e89ed3} - C:\WINDOWS\system32\srlyoeen.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [8ccc1ae7] rundll32.exe "C:\WINDOWS\system32\guymwpoj.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193368626000
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193368620000
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: jkklmnm - jkklmnm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8028 bytes





I also thought I would pass along this... before I found WTT I ran this.

Symantec Trojan.Vundo Removal Tool 1.5.0
C:\System Volume Information: (not scanned)
Trojan.Vundo has not been found on your computer.
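The entries the helper is reacting to in these logs follow recognisable patterns: executables whose name carries a space before the extension (the renamed originals Trevuren describes), hidden+system .ini files in system32 with random eight-letter names, and a Run value named with eight hex digits that loads a random eight-letter .dll through rundll32. The following Python triage script is an added example, not part of this thread and not code from HijackThis, ComboFix or the forum; the sample lines are constructed in the shape of the logs posted above, and the three heuristics are assumptions drawn from this thread rather than any tool's official detection logic.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example).

Heuristics (assumptions drawn from the logs in this thread):
  * an executable whose name has whitespace before the extension
    ("QTTask .exe"): the renamed original that the Vundo file infector
    leaves behind when it puts malware at the real program's name;
  * a hidden+system (.ini, attribute column contains 'h' and 's') file in
    system32 whose stem is eight random lowercase letters;
  * an O4 Run entry whose value name is eight hex digits and whose payload
    is an eight-letter random .dll loaded through rundll32.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of the HijackThis O4 lines and the
# ComboFix file listings posted in this thread (not a real captured log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [8ccc1ae7] rundll32.exe "C:\WINDOWS\system32\guymwpoj.dll",b
----a-w          167,368 2008-01-21 14:15:01  C:\Program Files\DAEMON Tools\daemon .exe
----a-w        5,674,352 2008-01-21 14:15:07  C:\Program Files\MSN Messenger\MsnMsgr .Exe
2008-01-21 09:26 . 2008-01-21 09:27 1,086,143 --ahs---- C:\WINDOWS\system32\jopwmyug.ini
2008-01-23 14:30 . 2008-01-23 14:30 3,584 --a------ C:\WINDOWS\system32\awvts.exe
2008-01-21 09:35 . 2008-01-21 09:35 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
"""

# Drive-letter path ending in an extension of interest. Case-insensitive so
# that "MsnMsgr .Exe" is caught; any whitespace before the extension is kept.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n\[\],]+?\.(?:exe|dll|ini|sys)\b', re.IGNORECASE)
# ComboFix attribute column, e.g. "--ahs----" or "----a-w".
ATTR_RE = re.compile(r'(?<!\S)[-dahsrwc]{7,9}(?!\S)')
# HijackThis O4 line: "O4 - HKLM\..\Run: [value name] command"
O4_RE = re.compile(r'^O4 - .*?\\Run: \[([^\]]+)\]', re.IGNORECASE)
RANDOM8 = re.compile(r'^[a-z]{8}$')

# (kind, path as written in the log, expected legitimate path or None)
Finding = Tuple[str, str, Optional[str]]


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def legit_name(path: str) -> Optional[str]:
    """If the file name has whitespace before its extension, return the path
    with that whitespace removed (the name the original program had)."""
    fixed = re.sub(r'\s+(\.[A-Za-z]{2,4})$', r'\1', path)
    return fixed if fixed != path else None


def triage_line(line: str) -> List[Finding]:
    """Classify every drive-letter path on one log line."""
    findings: List[Finding] = []
    attrs = ATTR_RE.search(line)
    attr_text = attrs.group(0).lower() if attrs else ''
    o4 = O4_RE.match(line.strip())
    for path in PATH_RE.findall(line):
        stem, _, ext = basename(path).rpartition('.')
        legit = legit_name(path)
        if legit is not None:
            findings.append(('renamed-exe', path, legit))
        elif ('h' in attr_text and 's' in attr_text
              and ext.lower() == 'ini' and RANDOM8.match(stem)):
            findings.append(('hidden-random-ini', path, None))
        elif (o4 and re.fullmatch(r'[0-9a-f]{8}', o4.group(1))
              and ext.lower() == 'dll' and RANDOM8.match(stem)):
            findings.append(('random-run-dll', path, None))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the findings in order."""
    out: List[Finding] = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == '__main__':
    for kind, path, legit in triage(SAMPLE_LOG):
        hint = f'  (original name: {legit})' if legit else ''
        print(f'{kind:18s} {path}{hint}')
```

Run against the sample it reports the three renamed executables with the name each was renamed from, the hidden random .ini and the random Run dll, and stays silent on the ordinary entries (iTunesHelper.exe, awvts.exe, msvcp71.dll), so it is a first pass for a reviewer, not a verdict.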

#4 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 23 January 2008 - 07:55 PM

A. There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\Program Files\uha.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.



B. Is this a picture that you know is located there and that you recognize?

C:\fsdafsdafdsafsd.JPG


C.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\awvts.exe
C:\WINDOWS\system32\dllcache\HFX140.tmp
C:\WINDOWS\system32\jopwmyug.ini
C:\WINDOWS\system32\inijqafx.ini
C:\WINDOWS\system32\tfmppqbm.ini
C:\WINDOWS\system32\jhtlbwxj.ini
C:\WINDOWS\system32\ajfdengd.ini
C:\WINDOWS\system32\mdephgyr.ini
C:\WINDOWS\system32\oanvwoyw.ini
C:\WINDOWS\system32\ishbeawg.ini
C:\WINDOWS\system32\cslvongs.ini
C:\WINDOWS\system32\feqmcyfh.ini
C:\WINDOWS\system32\guiuadls.ini
C:\WINDOWS\system32\elmhqcxh.ini
C:\WINDOWS\system32\pppcraba.ini
C:\WINDOWS\system32\gylxsboq.ini
C:\WINDOWS\system32\oymijaqa.ini
C:\WINDOWS\system32\ljbsinbc.ini
C:\Program Files\setup.bat

Dir::
C:\e3cc8cac73e21004145abe30

RenV::
----a-w		   167,368 2008-01-21 14:15:01  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   177,400 2008-01-21 14:15:01  C:\Program Files\ICQ6\ICQ .exe
----a-w			32,768 2008-01-21 14:14:58  C:\Program Files\Ideazon\ZEngine\Zboard .exe
----a-w		   132,496 2008-01-21 14:15:00  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   734,264 2008-01-17 15:45:36  C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat .exe
----a-w		 5,674,352 2008-01-21 14:15:07  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   266,240 2008-01-21 14:14:57  C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw .exe
----a-w		 1,266,936 2008-01-17 15:45:38  C:\Program Files\Steam\Steam .exe

DirLook::
C:\WINDOWS\.mpr_file_store_32
C:\WINDOWS\.jagex_cache_32

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60d74777-4d96-4091-b7ff-804734e89ed3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklmnm]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NudgeMania"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8ccc1ae7"=-
"QuickTime Task"=-
"AVG7_CC"=-
"iTunesHelper"=-
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used.

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


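The two file-system patterns the CFScript above targets can be checked by hand before (or after) running a fix. The RenV:: entries show a legitimate program such as Steam.exe copied to "Steam .exe" (a space before the extension) while the spaceless name is overwritten by the dropper; the File:: entries show eight-lowercase-letter random .ini files dropped into system32. The following script is an added example, not part of the original post and not ComboFix's own code. It assumes, as the RenV:: directive implies and as the post-fix Steam.exe size in the later log bears out, that the spaced file is the displaced original and the spaceless file is the impostor; the [a-z]{8}\.ini pattern is a heuristic fitted to this particular log, not a general signature; the sample directory tree is constructed, with dummy file contents, so the script runs anywhere.

```python
"""Triage helper for the companion-rename and random-.ini patterns seen in the CFScript.

Added example, not the forum's or ComboFix's code.  Assumptions: 'foo .exe' (with a
space) is the displaced original and 'foo.exe' the impostor; eight lowercase letters
plus .ini is the random-name heuristic for this log only.
"""
import hashlib
import os
import re
from pathlib import Path

# 'daemon .exe', 'Steam .exe', ... : a space immediately before the extension
COMPANION_RE = re.compile(r"^(?P<stem>.+) \.exe$", re.IGNORECASE)
# jopwmyug.ini, inijqafx.ini, ... : heuristic fitted to this log (assumption)
RANDOM_INI_RE = re.compile(r"^[a-z]{8}\.ini$")


def md5_of(path):
    """MD5 of a file, so a finding can be compared with a Jotti/VirusTotal report."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_companion_pairs(root):
    """Return sorted (displaced_original, impostor) pairs: 'foo .exe' beside 'foo.exe'."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}  # NTFS is case-insensitive
        for name in files:
            m = COMPANION_RE.match(name)
            if not m:
                continue
            impostor = by_lower.get(m.group("stem").lower() + ".exe")
            if impostor:
                pairs.append((Path(dirpath) / name, Path(dirpath) / impostor))
    return sorted(pairs)


def find_random_ini(system32):
    """Files in system32 whose name is exactly eight lowercase letters plus .ini."""
    return sorted(p for p in Path(system32).iterdir()
                  if p.is_file() and RANDOM_INI_RE.match(p.name))


def describe(path):
    """One report line: path, size and MD5."""
    st = path.stat()
    return "%s  size=%d  md5=%s" % (path, st.st_size, md5_of(path))


def restore_pair(displaced, impostor, quarantine):
    """Quarantine the impostor, then put the displaced original back under its real name."""
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    target = quarantine / impostor.name
    if target.exists():
        raise FileExistsError(target)
    impostor.rename(target)      # keep the dropper for analysis rather than deleting it
    displaced.rename(impostor)   # 'daemon .exe' -> 'daemon.exe'
    return impostor


def build_sample_tree(root):
    """Constructed sample mirroring paths from the log; the file contents are dummies."""
    prog = Path(root) / "Program Files" / "DAEMON Tools"
    prog.mkdir(parents=True)
    (prog / "daemon .exe").write_bytes(b"MZ real daemon tools binary")
    (prog / "daemon.exe").write_bytes(b"MZ dropper stub")
    sys32 = Path(root) / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    for name in ("jopwmyug.ini", "inijqafx.ini", "desktop.ini", "wininit.ini"):
        (sys32 / name).write_text("[dummy]\n")
    (sys32 / "awvts.exe").write_bytes(b"MZ")  # lone file, must not be reported as a pair


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for orig, fake in find_companion_pairs(tmp):
            print("displaced :", describe(orig))
            print("impostor  :", describe(fake))
        for ini in find_random_ini(Path(tmp) / "WINDOWS" / "system32"):
            print("random ini:", ini)
```

Run it against a real drive only after taking the same precautions the post lists (monitoring software stopped, a restore point available), and review each reported pair by hand: the heuristics only narrow the search, and the quarantine step deliberately keeps the impostor so its hash can be submitted to a multi-scanner.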

#5 conn242

    New Member

  • New Member
  • 6 posts

Posted 23 January 2008 - 08:25 PM

Yes, I know what that JPG is...


File: uha.exe
Status: OK
MD5: 040eabbf01d06b0fcd3c8c2ecac67ddf
Packers detected: UPX
Bit9 reports: No threat detected

A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing




Does this mean anything?

Last file scanned at least one scanner reported something about: bandook.exe (MD5: dec144cbaea7422e85bc898087c2ea16, size: 47616 bytes), detected by:

Scanner                Malware name (X = no detection)
A-Squared              X
AntiVir                X
ArcaVir                X
Avast                  Win32:Bandok-W
AVG Antivirus          X
BitDefender            DeepScan:Generic.Malware.SYddld.23D981FD
ClamAV                 X
CPsecure               BackDoor.W32.Iroffer.af
Dr.Web                 BackDoor.Iam
F-Prot Antivirus       X
F-Secure Anti-Virus    Backdoor.Win32.Bandok.av
Fortinet               X
Ikarus                 X
Kaspersky Anti-Virus   Backdoor.Win32.Bandok.av
NOD32                  Win32/Bandok.AV
Norman Virus Control   X
Panda Antivirus        Bck/Bandok.BG
Rising Antivirus       X
Sophos Antivirus       Mal/Bandook-A
VirusBuster            Trojan.DR.Horst.OW.Gen
VBA32                  Embedded.BackDoor.Iam

___________________________________________________



ComboFix 08-01-23.2 - nick 2008-01-23 21:16:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.616 [GMT -5:00]
Running from: C:\Documents and Settings\nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nick\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\setup.bat
C:\WINDOWS\system32\ajfdengd.ini
C:\WINDOWS\system32\awvts.exe
C:\WINDOWS\system32\cslvongs.ini
C:\WINDOWS\system32\dllcache\HFX140.tmp
C:\WINDOWS\system32\elmhqcxh.ini
C:\WINDOWS\system32\feqmcyfh.ini
C:\WINDOWS\system32\guiuadls.ini
C:\WINDOWS\system32\gylxsboq.ini
C:\WINDOWS\system32\inijqafx.ini
C:\WINDOWS\system32\ishbeawg.ini
C:\WINDOWS\system32\jhtlbwxj.ini
C:\WINDOWS\system32\jopwmyug.ini
C:\WINDOWS\system32\ljbsinbc.ini
C:\WINDOWS\system32\mdephgyr.ini
C:\WINDOWS\system32\oanvwoyw.ini
C:\WINDOWS\system32\oymijaqa.ini
C:\WINDOWS\system32\pppcraba.ini
C:\WINDOWS\system32\tfmppqbm.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\setup.bat
C:\WINDOWS\system32\ajfdengd.ini
C:\WINDOWS\system32\awvts.exe
C:\WINDOWS\system32\cslvongs.ini
C:\WINDOWS\system32\dllcache\HFX140.tmp
C:\WINDOWS\system32\elmhqcxh.ini
C:\WINDOWS\system32\feqmcyfh.ini
C:\WINDOWS\system32\guiuadls.ini
C:\WINDOWS\system32\gylxsboq.ini
C:\WINDOWS\system32\inijqafx.ini
C:\WINDOWS\system32\ishbeawg.ini
C:\WINDOWS\system32\jhtlbwxj.ini
C:\WINDOWS\system32\jopwmyug.ini
C:\WINDOWS\system32\ljbsinbc.ini
C:\WINDOWS\system32\mdephgyr.ini
C:\WINDOWS\system32\oanvwoyw.ini
C:\WINDOWS\system32\oymijaqa.ini
C:\WINDOWS\system32\pppcraba.ini
C:\WINDOWS\system32\tfmppqbm.ini
.
---- Previous Run -------
.
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\icroso~1.net
C:\Program Files\icroso~1.net\?icrosoft.NET\
C:\Program Files\icroso~1.net\wowexec.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\_000907_.tmp.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2

C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTNDIS
-------\DomainService
-------\ntndis




((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 17:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 11:46 . 2008-01-23 11:46 0 --a------ C:\windows.win.ini
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-23 11:32 . 2006-10-04 09:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-23 11:32 . 2006-10-04 09:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-23 11:32 . 2006-10-04 09:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-23 11:31 . 2008-01-23 11:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-22 14:20 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-22 14:19 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-22 14:19 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-22 14:19 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-22 14:09 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-22 14:07 . 2007-10-25 22:34 8,460,288 -----c--- C:\WINDOWS\system32\dllcache\shell32.dll
2008-01-22 14:04 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-22 13:59 . 2008-01-22 14:10 <DIR> d-------- C:\e3cc8cac73e21004145abe30
2008-01-22 13:44 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-22 13:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-22 13:42 . 2008-01-22 13:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 08:45 . 2008-01-23 17:37 <DIR> d-------- C:\Program Files\ICQToolbar
2008-01-21 18:24 . 2008-01-21 18:24 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 09:35 . 2008-01-21 09:35 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-21 09:35 . 2008-01-21 09:35 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-18 17:59 . 2008-01-18 18:00 <DIR> d-------- C:\Program Files\DivX
2008-01-18 17:59 . 2008-01-04 16:58 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-01-18 17:59 . 2008-01-04 16:58 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-01-18 17:59 . 2008-01-04 16:58 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-01-14 18:51 . 2008-01-14 18:56 <DIR> d-------- C:\Program Files\Network Associates
2008-01-12 21:59 . 2008-01-12 22:10 <DIR> d-------- C:\Program Files\LimeWire
2008-01-10 19:29 . 2008-01-10 19:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-07 18:59 . 2008-01-07 18:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-04 16:59 . 2008-01-04 16:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-01 15:13 . 2008-01-01 15:13 <DIR> d-------- C:\Program Files\Skype
2008-01-01 15:13 . 2008-01-01 15:13 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-31 12:40 . 2007-12-31 14:06 <DIR> d-------- C:\Program Files\Picasa2
2007-12-31 12:40 . 2007-12-31 12:40 <DIR> d-------- C:\Program Files\Google
2007-12-31 12:40 . 2006-10-04 21:42 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-31 12:40 . 2006-10-04 21:42 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-31 01:25 . 2007-12-31 01:25 220,157 --a------ C:\fsdafsdafdsafsd.JPG
2007-12-30 16:55 . 2007-12-31 16:40 <DIR> d-------- C:\Program Files\MoparScape
2007-12-30 16:47 . 2007-12-30 16:48 <DIR> d-------- C:\WINDOWS\.mpr_file_store_32
2007-12-30 02:12 . 2007-12-30 02:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-12-27 02:03 . 2007-12-31 16:09 <DIR> d-------- C:\Program Files\SwiftSwitch
2007-12-26 10:39 . 2008-01-22 10:11 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 22:11 . 2007-12-26 00:09 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-12-24 22:36 . 2007-12-24 22:36 <DIR> d-------- C:\Program Files\DIFX
2007-12-24 22:36 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-12-24 22:36 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-12-24 22:36 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2007-12-24 21:50 . 2007-12-24 21:50 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-24 21:39 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 02:20 --------- d-----w C:\Program Files\Steam
2008-01-24 02:16 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 02:16 --------- d-----w C:\Program Files\Microsoft Xbox 360 Accessories
2008-01-24 02:16 --------- d-----w C:\Program Files\ICQ6
2008-01-24 02:16 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-23 22:31 --------- d-----w C:\Program Files\iTunes
2008-01-23 17:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 20:54 --------- d-----w C:\Program Files\Ares
2008-01-22 13:50 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-22 13:44 --------- d-----w C:\Program Files\Azureus
2008-01-19 04:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-19 04:01 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-17 18:12 --------- d-----w C:\Program Files\Xfire
2008-01-17 03:37 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
2008-01-15 12:54 --------- d-----w C:\Program Files\Morpheus
2008-01-13 15:14 --------- d-----w C:\Program Files\Frets on Fire
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-01 19:06 --------- d-----w C:\Program Files\mIRC
2008-01-01 17:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 20:47 --------- d-----w C:\Program Files\World of Warcraft
2007-12-28 04:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-25 02:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-24 18:28 --------- d-----w C:\Program Files\Diablo II
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-09 21:53 --------- d-----w C:\Program Files\i-Sound Pro
2007-12-08 17:42 --------- d-----w C:\Program Files\MSAR3.0_Alpha
2007-12-05 03:33 --------- d-----w C:\Program Files\All Sound Recorder
2007-12-05 03:30 --------- d-----w C:\Program Files\Advanced Sound Recorder
2007-11-28 21:59 --------- d-----w C:\Program Files\Activision
2007-11-27 21:33 --------- d-----w C:\Program Files\Java
2007-11-27 21:31 --------- d-----w C:\Program Files\Common Files\Java
2007-11-24 16:16 712,704 ----a-w C:\WINDOWS\system32\rlph.dll
2007-11-21 18:23 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-11-11 01:18 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-03 15:36 5,582 ----a-w C:\Program Files\install.log
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:59 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-10-27 17:59 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-10-27 17:59 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2004-12-20 05:00 111,104 ----a-w C:\Program Files\uha.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\.jagex_cache_32 ----

2007-12-31 16:09 96 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx255
2007-12-31 16:09 9438 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx5
2007-12-31 16:09 774 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx15
2007-12-31 16:09 7122 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx8
2007-12-31 16:09 6 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx9
2007-12-31 16:09 6 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx6
2007-12-31 16:09 4920 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx13
2007-12-31 16:09 4422 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx12
2007-12-31 16:09 3966 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx3
2007-12-31 16:09 24570 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx4
2007-12-31 16:09 24 --a------ C:\WINDOWS\.jagex_cache_32\random.dat
2007-12-31 16:09 1932 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx14
2007-12-31 16:09 182052 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx7
2007-12-31 16:09 162 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx2
2007-12-31 16:09 13922537 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.dat2
2007-12-31 16:09 12 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx10
2007-12-31 16:09 11754 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx0
2007-12-31 16:09 10536 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx1
2007-12-30 02:13 275903 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.dat0
2007-12-30 02:12 0 --a------ C:\WINDOWS\.jagex_cache_32\runescape\main_file_cache.idx11

---- Directory of C:\WINDOWS\.mpr_file_store_32 ----

2007-12-31 16:29 0 --a------ C:\WINDOWS\.mpr_file_store_32\Mopar_error.log
2007-12-30 16:48 98729 --a------ C:\WINDOWS\.mpr_file_store_32\zko34
2007-12-30 16:48 83646 --a------ C:\WINDOWS\.mpr_file_store_32\main_file_cache.idx1
2007-12-30 16:48 8004 --a------ C:\WINDOWS\.mpr_file_store_32\main_file_cache.idx4
2007-12-30 16:48 6659 --a------ C:\WINDOWS\.mpr_file_store_32\sound3.wav
2007-12-30 16:48 63685 --a------ C:\WINDOWS\.mpr_file_store_32\zn12n
2007-12-30 16:48 61436 --a------ C:\WINDOWS\.mpr_file_store_32\jingle1.mid
2007-12-30 16:48 59481 --a------ C:\WINDOWS\.mpr_file_store_32\a2155
2007-12-30 16:48 58819 --a------ C:\WINDOWS\.mpr_file_store_32\1jfds
2007-12-30 16:48 5814 --a------ C:\WINDOWS\.mpr_file_store_32\main_file_cache.idx2
2007-12-30 16:48 5777 --a------ C:\WINDOWS\.mpr_file_store_32\sound4.wav
2007-12-30 16:48 5777 --a------ C:\WINDOWS\.mpr_file_store_32\sound1.wav
2007-12-30 16:48 57762 --a------ C:\WINDOWS\.mpr_file_store_32\vanhat\main_file_cache.idx1
2007-12-30 16:48 5556 --a------ C:\WINDOWS\.mpr_file_store_32\sound0.wav
2007-12-30 16:48 54 --a------ C:\WINDOWS\.mpr_file_store_32\vanhat\main_file_cache.idx0
2007-12-30 16:48 54 --a------ C:\WINDOWS\.mpr_file_store_32\main_file_cache.idx0
2007-12-30 16:48 4990 --a------ C:\WINDOWS\.mpr_file_store_32\k23lk
2007-12-30 16:48 48212 --a------ C:\WINDOWS\.mpr_file_store_32\lam3n
2007-12-30 16:48 4663304 --a------ C:\WINDOWS\.mpr_file_store_32\vanhat\main_file_cache.dat
2007-12-30 16:48 4620 --a------ C:\WINDOWS\.mpr_file_store_32\vanhat\main_file_cache.idx4
2007-12-30 16:48 4454 --a------ C:\WINDOWS\.mpr_file_store_32\sound2.wav
2007-12-30 16:48 42540 --a------ C:\WINDOWS\.mpr_file_store_32\jingle4.mid
2007-12-30 16:48 4152 --a------ C:\WINDOWS\.mpr_file_store_32\vanhat\main_file_cache.idx2
2007-12-30 16:48 4 --a------ C:\WINDOWS\.mpr_file_store_32\vanhat\uid.dat
2007-12-30 16:48 4 --a------ C:\WINDOWS\.mpr_file_store_32\uid.dat
2007-12-30 16:48 37629 --a------ C:\WINDOWS\.mpr_file_store_32\k4o2n
2007-12-30 16:48 3684 --a------ C:\WINDOWS\.mpr_file_store_32\main_file_cache.idx3
2007-12-30 16:48 353054 --a------ C:\WINDOWS\.mpr_file_store_32\mopar.jpg
2007-12-30 16:48 330292 --a------ C:\WINDOWS\.mpr_file_store_32\worldmap.dat
2007-12-30 16:48 29365 --a------ C:\WINDOWS\.mpr_file_store_32\jingle3.mid
2007-12-30 16:48 29365 --a------ C:\WINDOWS\.mpr_file_store_32\jingle2.mid
2007-12-30 16:48 289822 --a------ C:\WINDOWS\.mpr_file_store_32\plam3
2007-12-30 16:48 270317 --a------ C:\WINDOWS\.mpr_file_store_32\main_file_cache.icx4
2007-12-30 16:48 244467 --a------ C:\WINDOWS\.mpr_file_store_32\94jfj
2007-12-30 16:48 21466 --a------ C:\WINDOWS\.mpr_file_store_32\jingle0.mid
2007-12-30 16:48 15521827 --a------ C:\WINDOWS\.mpr_file_store_32\main_file_cache.dat
2007-12-30 16:48 154683 --a------ C:\WINDOWS\.mpr_file_store_32\zl3kp
2007-12-30 16:48 15377 --a------ C:\WINDOWS\.mpr_file_store_32\cht3f
2007-12-30 16:48 142383 --a------ C:\WINDOWS\.mpr_file_store_32\mn24j
2007-12-30 16:48 118029 --a------ C:\WINDOWS\.mpr_file_store_32\g34zx
2007-12-30 16:48 114375 --a------ C:\WINDOWS\.mpr_file_store_32\zck35
2007-12-30 16:48 0 --a------ C:\WINDOWS\.mpr_file_store_32\vanhat\main_file_cache.idx3


((((((((((((((((((((((((((((( snapshot@2008-01-23_17.35.38.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 22:26:59 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 02:16:46 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 22:26:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 02:16:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 22:26:59 3,121,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 02:16:46 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 22:26:59 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 02:16:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 22:26:59 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 02:16:46 3,260,416 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 22:26:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 02:16:46 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-22 20:55:04 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-01-24 00:58:38 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-17 10:45 1266936]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-21 09:15 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2008-01-17 10:45 734264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-21 09:15 132496]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2004-08-04 00:56 208896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 09:35 219136]

R3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 13:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 21:20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:25, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193368626000
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193368620000
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7703 bytes

Edited by conn242, 23 January 2008 - 08:27 PM.


#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 23 January 2008 - 08:56 PM

A. You may want to DELETE these folders from your computer:

C:\WINDOWS\.mpr_file_store_32
C:\WINDOWS\.jagex_cache_32


B. Where did this come from?

Last file scanned (at least one scanner reported something about it): bandook.exe (MD5: dec144cbaea7422e85bc898087c2ea16, size: 47616 bytes), detected by:



C. I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of C:\Program Files\EsetOnlineScanner\log.txt into your next reply.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#7 conn242

conn242

    New Member

  • New Member
  • 6 posts

Posted 23 January 2008 - 09:50 PM

A. OK, I did that.

B. I don't know, it was on that site under all the stuff you made me look at about the exe.

C.
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2818 (20080123)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=f4e9e605f6a555489aac9f8532a51fb6
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-24 03:43:33
# local_time=2008-01-23 10:43:33 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=279116
# found=6
# scan_time=2314
C:\Documents and Settings\nick\Local Settings\Temp\TMP11.tmp	Win32/TrojanDropper.Agent.DGO virus	00000000000000000000000000000000
C:\Program Files\Mozilla Firefox\zzqq.exe	Win32/TrojanDownloader.PurityScan.EG trojan	3F7EE259E3DCF0B8C1D2DA314378B941
C:\Program Files\Mozilla Firefox\zzqq.exe »NSIS »Yazzle1552OinAdmin.exe	Win32/TrojanDownloader.PurityScan.EG trojan	00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\ICROSO~1.NET\wowexec.exe.vir	a variant of Win32/TrojanDownloader.PurityScan trojan	2254457213510DF63C482BE5A95F2625
C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir	Win32/TrojanDropper.Agent.DGO virus	00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\awvts.exe.vir	Win32/TrojanDropper.Agent.DGO virus	00000000000000000000000000000000

There's the problem right there.

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 23 January 2008 - 10:05 PM

The items in Qoobox are quarantined and thus inoffensive. We will be getting rid of them during the final cleanup procedures.


A. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
C:\Documents and Settings\nick\Local Settings\Temp\TMP11.tmp
C:\Program Files\Mozilla Firefox\zzqq.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



After deleting the above files and before posting a new HJT log:

The following 3 programs have been damaged by the file infector and can not be repaired. I recommend that you download new versions of all 3 if you still want them on your system.

QuickTime Task
AVG7
iTunes


Note: Download AVG, then disconnect from the internet, uninstall the old version and install the new one. Next reconnect to the internet, update AVG to its latest definitions. Do not leave your system vulnerable by staying online while you do not have an antivirus in proper running order.

Tell me how everything is running. If all is well, we can proceed with the final cleanup procedures.


Trevuren
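Trevuren's point above, that hits under QooBox are quarantined copies rather than live infections, can be applied mechanically to the ESET log. The Python below is an added example, not code from the thread or from ESET: it parses the pasted log shape (assumed from the paste: `# key=value` header lines, then one row per detection with path, detection name, category and MD5, separated by whitespace), flags rows under assumed quarantine folders, and lists the live files, which for this log are exactly the two paths that went into the CFScript.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: header keys and the six detection rows are copied from
# the log pasted in this thread; fields are separated by plain whitespace
# because that is how the copy survived the paste.
SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=false
# found=6
C:\Documents and Settings\nick\Local Settings\Temp\TMP11.tmp Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\Program Files\Mozilla Firefox\zzqq.exe Win32/TrojanDownloader.PurityScan.EG trojan 3F7EE259E3DCF0B8C1D2DA314378B941
C:\Program Files\Mozilla Firefox\zzqq.exe »NSIS »Yazzle1552OinAdmin.exe Win32/TrojanDownloader.PurityScan.EG trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\ICROSO~1.NET\wowexec.exe.vir a variant of Win32/TrojanDownloader.PurityScan trojan 2254457213510DF63C482BE5A95F2625
C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\awvts.exe.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
"""

# Assumed quarantine locations: a hit under one of these is a neutralised copy,
# not a live file (ComboFix's QooBox is the one discussed in the thread).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otmoveit\\")

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# <path> <detection name> <category> <32-hex MD5>; ESET names look like
# Win32/Family.Variant, optionally prefixed by "a variant of".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:probably )?(?:a variant of )?\S+/\S+(?: \S+)*? "
    r"(?:virus|trojan|worm|application|adware))\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Detection:
    path: str                      # on-disk file (the container, for archive hits)
    name: str
    md5: str
    archive_member: Optional[str]  # "NSIS »inner.exe" when ESET reports inside an archive
    quarantined: bool


def parse_eset_log(text):
    """Return (header dict, detections). Lines matching neither shape are skipped."""
    header, hits = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        path, member = m.group("path"), None
        if " »" in path:                      # container »type »member
            path, _, member = path.partition(" »")
        quarantined = path.lower().startswith(QUARANTINE_PREFIXES)
        hits.append(Detection(path, m.group("name"), m.group("md5").upper(), member, quarantined))
    return header, hits


def live_paths(hits):
    """Distinct on-disk files still needing action, in log order."""
    return list(dict.fromkeys(h.path for h in hits if not h.quarantined))
```

The archive row for zzqq.exe collapses onto its container, so the two live paths come out once each, in the order ESET listed them.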

#9 conn242

conn242

    New Member

  • New Member
  • 6 posts

Posted 23 January 2008 - 10:34 PM

Everything is running fine...

_____________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:33, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Azureus\ICQ6\ICQ.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\Azureus\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\Azureus\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193368626000
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193368620000
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8458 bytes

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 23 January 2008 - 10:49 PM

Congratulations, your logs look CLEAN

There are a few things you must do once your system is completely clean:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK



The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

#11 conn242

conn242

    New Member

  • New Member
  • 6 posts

Posted 24 January 2008 - 08:26 AM

I thank you VERY much for your time and patience with this....you guys are really great. THANKS!!!!!

#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 24 January 2008 - 08:28 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.