[Closed] Infected with Deewoo: PLEASE HELP!


12 replies to this topic

#1 charlienovember6 (New Member, 7 posts)

Posted 05 May 2008 - 02:04 PM

Hello Everyone,

My name is Chris and I am new to this forum, and I would greatly appreciate any help from any of you. I've been having problems with my PC for the past few days (IE pop-ups, can't open Mozilla Firefox browsers, computer acting up, etc.) and I am in DIRE NEED of your help!

I seem to have been infected by some spyware called Deewoo. I am not a computer expert so please bear with me. Thanks for your attention.

Here is my HijackThis log:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\Q2hyaXMgQW5pY2lldGU\command.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\vidmon\vidmon.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\scntokdm.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\system32\??plorer.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AdwarePunisher\AdwarePunisher.exe
C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pdx.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vidmon] C:\WINNT\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{EE-E8-82-2E-DW}] C:\WINNT\system32\bTMP\binx12l.exe DWrvgXX
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\System32\scntokdm.exe DWrvgXX
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
O4 - HKLM\..\Run: [ec8ee881] rundll32.exe "C:\WINNT\System32\pfjymsrp.dll",b
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Igthrh] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [smanp] C:\DOCUME~1\CHRISA~1\LOCALS~1\Temp\app8DD.tmp
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Adware Punisher] C:\Program Files\AdwarePunisher\AdwarePunisher.exe
O4 - HKCU\..\Run: [Adware Punisher Monitor] C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [VnrPack16] "C:\Program Files\VnrPack\VnrPack16.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - Startup: Deewoo.lnk = C:\WINNT\system32\scntokdm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bull...UNCHMEDIA_1.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nesunex.mht!http://sniper34.100f...ysb_regular.cab
O16 - DPF: {444A44BE-514F-4EDE-95FE-F748AE370109} (StreamerHTML Class) - http://www.idistream...treamServer.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...abs/diamond.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab30149.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fredmeyer.dig...oad/XUpload.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXMgQW5pY2lldGU\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINNT\system32\mfcpt32.exe (file missing)


Thank you again and looking forward to your help!!! :unsure:

Edited by charlienovember6, 05 May 2008 - 02:47 PM.



#2 LDTate (Forum God, Root Admin, 57,170 posts)

Posted 06 May 2008 - 05:30 PM

Hello and Welcome to the forum.

I need to see the top part of your log as well. It will look something like this.

Logfile of HijackThis v1.99.1
Scan saved at 5:37:12 PM, on 9/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Please rescan and post a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate via PayPal for the help you received.

Proud graduate of TC/WTT Classroom

#3 charlienovember6 (New Member, 7 posts)

Posted 07 May 2008 - 01:28 AM

Here you go!

Thanks for your attention and I look forward to hearing from you soon!

Logfile of HijackThis v1.99.1
Scan saved at 12:56:44 PM, on 5/6/2008
Platform: Windows 2000 SP4, RC 3.154 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


#4 LDTate (Forum God, Root Admin, 57,170 posts)

Posted 07 May 2008 - 05:50 AM

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Next:

Please download the Fix_Protocol reg file from http://downloads.mal...om/Nel/FixP.zip and unzip it to your desktop.
Double click Fix_Protocol_zones_ranges.reg and allow it to merge with the registry.

Reboot your machine for the changes to take effect.


Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.



#5 charlienovember6 (New Member, 7 posts)

Posted 07 May 2008 - 06:51 PM

:thumbup: Thank you very much for your detailed instructions!

I greatly appreciate it. Here are the requested codes:

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 56833
Time elapsed: 31 minute(s), 57 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 58
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 10
Files Infected: 58

Memory Processes Infected:
c:\WINNT\q2hyaxmgqw5py2lldgu\command.exe (AdWare.CommAd) -> No action taken.

Memory Modules Infected:
c:\WINNT\q2hyaxmgqw5py2lldgu\asappsrv.dll (AdWare.CommAd) -> No action taken.
c:\program files\netmeeting\jinarube66225.dll (Adware.TTC) -> No action taken.
C:\WINNT\system32\cbXNDWOe.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\pfjymsrp.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdservice (AdWare.CommAd) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdservice (AdWare.CommAd) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice (AdWare.CommAd) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f515ed08-8ec9-4b78-a931-00408bdcc97b} (Adware.TTC) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f515ed08-8ec9-4b78-a931-00408bdcc97b} (Adware.TTC) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0a7389f5-5b3f-41e2-9ada-760e2cf1cd5e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0a7389f5-5b3f-41e2-9ada-760e2cf1cd5e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{03b800f9-2536-4441-8cda-2a3e6d15b4f8} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0985c112-2562-46f2-8da6-92648ba4630f} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\ysbactivex.installer (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{dfbcc1eb-b149-487e-80c1-cc1562021542} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{4ee12b71-aa5e-45ec-8666-2db3ad3fdf44} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\ysbactivex.installer.1 (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{771a1334-6b08-4a6b-aedc-cf994ba2cebe} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\ysb.ysbobj (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\ysb.ysbobj.1 (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{86227d9c-0efe-4f8a-aa55-30386a3f5686} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{bf06da8e-2beb-4816-9bbd-f7625246e245} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{db447818-96b4-40df-8a55-720da496f514} (Adware.ISTBar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1037b06c-84b7-4240-8d80-485810a0497d} (Adware.Mirar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{54b287f9-fd90-4457-b65e-cb91560c021d} (Adware.Mirar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f} (Adware.Mirar) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49} (Adware.Mirar) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\nn_bar_dummy.nn_bardummy (Adware.Mirar) -> No action taken.
HKEY_CLASSES_ROOT\nn_bar_dummy.nn_bardummy.1 (Adware.Mirar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610} (Adware.Delphinmediaviewer) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{41700749-a109-4254-af13-be54011e8783} (Adware.Delphinmediaviewer) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e1412445-4ff8-410e-8d24-f2cf86b171a4} (Adware.Popups) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Banker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar (Adware.ISTBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar (Adware.ISTBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\DBReg (Adware.SoftMate) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ysb.YsbObj (Trojan.Istbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ysb.YsbObj.1 (Trojan.Istbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{86227d9c-0efe-4f8a-aa55-30386a3f5686} (Adware.ISTBar) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{86227d9c-0efe-4f8a-aa55-30386a3f5686} (Adware.ISTBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\cbxndwoe -> No action taken.

Folders Infected:
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> No action taken.
C:\Program Files\PeDevice (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\tmp (Adware.Popups) -> No action taken.
C:\Program Files\YourSiteBar (Trojan.Istbar) -> No action taken.
C:\Program Files\dbar (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\dsktp (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\temp (Adware.SoftMate) -> No action taken.
C:\Documents and Settings\Default User\Application Data\NetMon (Trojan.NetMon) -> No action taken.

Files Infected:
c:\WINNT\q2hyaxmgqw5py2lldgu\asappsrv.dll (AdWare.CommAd) -> No action taken.
c:\WINNT\q2hyaxmgqw5py2lldgu\command.exe (AdWare.CommAd) -> No action taken.
c:\program files\netmeeting\jinarube66225.dll (Adware.TTC) -> No action taken.
C:\WINNT\system32\cbXNDWOe.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\eOWDNXbc.ini (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\eOWDNXbc.ini2 (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\pfjymsrp.dll (Trojan.Vundo) -> No action taken.
C:\WINNT\system32\prsmyjfp.ini (Trojan.Vundo) -> No action taken.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
C:\Documents and Settings\Chris Aniciete\Local Settings\Temp\cmdinst.exe (Trojan.Proxy) -> No action taken.
C:\WINNT\system32\atmtd.dll (Adware.TargetSaver) -> No action taken.
C:\WINNT\system32\atmtd.dll._ (Adware.TargetSaver) -> No action taken.
C:\WINNT\uninstall_nmon.vbs (Malware.Trace) -> No action taken.
C:\Program Files\Network Monitor\netmon.exe (Trojan.DNSChanger) -> No action taken.
C:\Program Files\PeDevice\communication.xml (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\Domain.Watchlist.txt (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\pae-options.xml (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\pae_url.xml (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\pedev.exe (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\pedevPS.dll (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\Preparation.dll (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\search.watchlist.txt (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\statistic.xml (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\watchlist.xml (Adware.Popups) -> No action taken.
C:\Program Files\PeDevice\tmp\tmp.html (Adware.Popups) -> No action taken.
C:\Program Files\YourSiteBar\imagemap_normal.bmp (Trojan.Istbar) -> No action taken.
C:\Program Files\YourSiteBar\imagemap_over.bmp (Trojan.Istbar) -> No action taken.
C:\Program Files\YourSiteBar\version.txt (Trojan.Istbar) -> No action taken.
C:\Program Files\YourSiteBar\yoursitebar.xml (Trojan.Istbar) -> No action taken.
C:\Program Files\dbar\dbaruninst.exe (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\version.ini (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\dsktp\desktop.html (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\dsktp\internetDetection.swf (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\dsktp\settings.sol (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\bufferthis.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\flashfunpages.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\funnies.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\funnyfunpages.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\goodcleanvideos.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\newfunpages.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\positivethoughts.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\removespyware.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\icons\thissiterocks.ico (Adware.SoftMate) -> No action taken.
C:\Program Files\winvi\temp\version.ini (Adware.SoftMate) -> No action taken.
C:\Documents and Settings\Default User\Application Data\NetMon\domains.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\Default User\Application Data\NetMon\log.txt (Trojan.NetMon) -> No action taken.
C:\WINNT\system32\scntokdm.exe (Trojan.Agent) -> No action taken.
C:\WINNT\system32\IExplorer.dll .dbt (Trojan.Agent) -> No action taken.
C:\WINNT\system32\pac.txt (Malware.Trace) -> No action taken.
C:\WINNT\Fonts\a.zip (Trojan.Downloader) -> No action taken.
C:\WINNT\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINNT\system32\msnav32.ax (Malware.Trace) -> No action taken.
C:\WINNT\system32\zxdnt3d.cfg (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> No action taken.
C:\WINNT\system32\vx.tll (Malware.Trace) -> No action taken.
C:\Documents and Settings\Chris Aniciete\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> No action taken.





Logfile of HijackThis v1.99.1
Scan saved at 5:50:15 PM, on 5/8/2008
Platform: Windows 2000 SP4, RC 3.154 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\Q2hyaXMgQW5pY2lldGU\command.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\vidmon\vidmon.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\??plorer.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AdwarePunisher\AdwarePunisher.exe
C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINNT\System32\rundll32.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pdx.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vidmon] C:\WINNT\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{EE-E8-82-2E-DW}] C:\WINNT\system32\bTMP\binx12l.exe DWrvgXX
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
O4 - HKLM\..\Run: [ec8ee881] rundll32.exe "C:\WINNT\System32\qncoattq.dll",b
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Igthrh] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [smanp] C:\DOCUME~1\CHRISA~1\LOCALS~1\Temp\app8DD.tmp
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Adware Punisher] C:\Program Files\AdwarePunisher\AdwarePunisher.exe
O4 - HKCU\..\Run: [Adware Punisher Monitor] C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [VnrPack16] "C:\Program Files\VnrPack\VnrPack16.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - HKCU\..\RunOnce: [ntdll.dll] C:\Program Files\Mozilla Firefox\xpicleanup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bull...UNCHMEDIA_1.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {444A44BE-514F-4EDE-95FE-F748AE370109} (StreamerHTML Class) - http://www.idistream...treamServer.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab30149.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fredmeyer.dig...oad/XUpload.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXMgQW5pY2lldGU\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINNT\system32\mfcpt32.exe (file missing)


My PC seems to be a lot more normal and calm than before. There seem to be some remnants of whatever I had on my PC, as I am still getting a few random pop-ups and somehow, every time I click on my Internet browsers (Mozilla and Mozilla Firefox), I am unable to open them until several attempts. It is definitely better though; unlike before, when I would get a bunch of pop-ups and then my start bar would disappear and I would have to reboot the PC.

Could you tell me exactly what happened or what bug I had on my PC? Do you have additional suggestions?

Thank you very much again for the help so far. It's greatly appreciated.

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 07 May 2008 - 06:56 PM

Could you tell me exactly what happened or what bug I had on my PC?

As you can see, you have Trojans and malware.

Did you select Remove Selected?
They all show "No action taken".

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

*If there is no Internet connection when ComboFix has completely finished, then restart your computer to restore the connection.

Give it at least 20-30 minutes to finish.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 


#7 charlienovember6

charlienovember6

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 07 May 2008 - 08:12 PM

DONE.

How does it look to you now?
:unsure:


ComboFix 08-05-01.3 - Chris Aniciete 05/08/2008 18:07:15.1 - NTFSx86
Running from: C:\Documents and Settings\Chris Aniciete\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\picsvr
C:\Documents and Settings\All Users\Application Data\vidmon
C:\Documents and Settings\All Users\Application Data\vidmon\vidmon.inf
C:\Documents and Settings\All Users\Application Data\vidmon\vidmonsh.inf
C:\Documents and Settings\Chris Aniciete\Application Data\macromedia\Flash Player\#SharedObjects\7G3JF8J5\www.broadcaster.com
C:\Documents and Settings\Chris Aniciete\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Chris Aniciete\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Chris Aniciete\Local Settings\Temporary Internet Files\search.html
C:\install.exe
C:\lswmv.ini
C:\Program Files\appliedsearch_autoinstall
C:\Program Files\appliedsearch_autoinstall\bar.ini
C:\Program Files\appliedsearch_autoinstall\logo.bmp
C:\Program Files\Common Files\uninstall information
C:\Program Files\Common Files\uninstall information\RemoveDisplayUtility.exe
C:\Program Files\Common Files\uninstall information\RemoveWebDP.exe
C:\Program Files\Common Files\WinSoftware
C:\Program Files\Common Files\WinSoftware\CrXML.dll
C:\Program Files\Common Files\WinSoftware\PCheck.dll
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINNT\cookies.ini
C:\WINNT\Downloaded Program Files\UWFX5_0001_MNINetInstaller.exe
C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe
C:\WINNT\Fonts\'
C:\WINNT\Q2hyaXMgQW5pY2lldGU\
C:\WINNT\Q2hyaXMgQW5pY2lldGU\\asappsrv.dll
C:\WINNT\Q2hyaXMgQW5pY2lldGU\\command.exe
C:\WINNT\Q2hyaXMgQW5pY2lldGU\\kZ1Vurg0kqcDsZ55x3o.vbs
C:\WINNT\Q2hyaXMgQW5pY2lldGU\command.exe
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\WINNT\system32\cbXNDWOe.dll
C:\WINNT\system32\drivers\cdfss.sys
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\dugyvqah.dll
C:\WINNT\system32\eOWDNXbc.ini
C:\WINNT\system32\eOWDNXbc.ini2
C:\WINNT\system32\fijqudci.dll
C:\WINNT\system32\iaxeiynm.dll
C:\WINNT\system32\instsrv.exe
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\pmfknhpn.dll
C:\WINNT\system32\qncoattq.dll
C:\WINNT\system32\qttaocnq.ini
C:\WINNT\system32\uninstall.exe
C:\WINNT\system32\vidmon
C:\WINNT\system32\vidmon\vidmon.exe
C:\WINNT\system32\wnsapitr.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDFSS
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_cdfss
-------\Service_cmdService


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 17:44 . 08-05-08 17:44 2,112 --a------ C:\WINNT\system32\kykefbsk.exe
2008-05-08 16:43 . 08-05-05 20:46 27,048 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-05-08 16:43 . 08-05-05 20:46 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-05-08 16:16 . 08-05-08 16:16 9,662 --a------ C:\WINNT\system32\pinkip.ico
2008-05-08 00:32 . 08-05-08 00:32 335 --a------ C:\WINNT\mozregistry.dat
2008-05-08 00:26 . 08-05-08 00:26 2,112 --a------ C:\WINNT\system32\ldplsvvj.exe
2008-05-06 13:47 . 08-05-06 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 13:05 . 08-05-08 16:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 13:05 . 08-05-06 13:05 <DIR> d-------- C:\Documents and Settings\Chris Aniciete\Application Data\Malwarebytes
2008-05-06 13:05 . 08-05-06 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 05:18 . 08-05-08 00:26 706 ---hs---- C:\WINNT\system32\prsmyjfp.ini
2008-05-06 03:23 . 08-05-06 03:23 9,662 --a------ C:\WINNT\system32\iphone-6y.ico
2008-05-05 20:19 . 08-05-05 20:19 <DIR> d-------- C:\Program Files\Firefox Portable
2008-05-05 20:18 . 08-05-05 20:18 6,323,464 --a------ C:\Program Files\Firefox_Portable_2.0.0.14_en-us.paf.exe
2008-05-05 20:17 . 08-05-05 20:17 190,064 --a------ C:\Program Files\Morpheus.exe
2008-05-05 20:12 . 08-05-05 20:12 6,039,048 --a------ C:\Program Files\Firefox Setup 2.0.0.14.exe
2008-05-05 17:51 . 08-05-05 17:51 404 --a------ C:\WINNT\system32\es.dat
2008-05-05 15:06 . 08-05-08 17:57 20,480 --a------ C:\WINNT\quit.exe
2008-05-05 15:04 . 08-05-05 15:04 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2008-05-05 15:01 . 08-05-05 15:01 <DIR> d-a------ C:\WINNT\system32\px4
2008-05-05 15:01 . 08-05-05 15:01 <DIR> d-a------ C:\WINNT\system32\in3
2008-05-05 15:01 . 08-05-05 15:01 <DIR> d-a------ C:\WINNT\system32\dvb1
2008-05-05 15:01 . 08-05-05 17:14 <DIR> d-a------ C:\WINNT\system32\bTMP
2008-05-05 15:01 . 08-05-05 15:01 <DIR> d-a------ C:\WINNT\system32\bkEur18
2008-05-05 15:01 . 08-05-05 15:01 <DIR> d-------- C:\Temp\maxsv15
2008-05-05 14:43 . 08-05-05 14:43 399,957 --a------ C:\WINNT\system32\g95.exe
2008-05-05 14:43 . 08-05-05 14:58 399,943 --a------ C:\WINNT\four444444.exe
2008-05-05 14:43 . 08-05-05 14:58 266,607 --a------ C:\WINNT\two222222.exe
2008-05-05 14:43 . 08-05-05 14:43 200,768 --------- C:\WINNT\system32\scntokdm.exe
2008-05-05 14:43 . 08-05-05 14:58 136,627 --a------ C:\WINNT\LOT66225.exe
2008-05-05 14:43 . 08-05-08 16:16 860 --a------ C:\WINNT\system32\winpfz33.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 15:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-05-06 08:24 84,264 ----a-w C:\Documents and Settings\Chris Aniciete\Application Data\GDIPFONTCACHEV1.DAT
2008-05-06 02:17 --------- d-----w C:\Program Files\LimeWire
2008-05-06 01:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 23:53 --------- d-----w C:\Program Files\Yahoo!
2008-05-05 23:07 --------- d-----w C:\Documents and Settings\Chris Aniciete\Application Data\LimeWire
2008-05-05 22:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-05 22:40 --------- d-----w C:\Program Files\Ares
2008-04-10 14:11 --------- d-----w C:\Documents and Settings\Chris Aniciete\Application Data\SolidDocuments
2007-12-26 09:13 54,330,664 ----a-w C:\Program Files\iTunesSetup.exe
2007-11-12 11:28 239 ----a-w C:\Program Files\deliverStreaming.asx
2007-10-20 22:52 1,164,456 ----a-w C:\Program Files\install_flash_player.exe
2007-03-13 06:09 19,755,560 ----a-w C:\Program Files\avg75free_446a965.exe
2007-02-20 07:27 17,207,032 ----a-w C:\Program Files\avg75free_428a818.exe
2007-01-15 04:26 2,961,088 ----a-w C:\Program Files\vbsetup.exe
2006-12-11 10:01 1,672,336 ----a-w C:\Program Files\install_easyshare.exe
2006-12-09 07:13 14,084 ----a-w C:\Documents and Settings\Chris Aniciete\Application Data\ViewerApp.dat
2006-11-21 06:58 172,710,624 ----a-w C:\Program Files\SPSS15Evaluation.exe
2006-11-04 08:25 37,889 ----a-w C:\Program Files\10-31-06_1644.jpg
2006-11-04 06:59 11,351,672 ----a-w C:\Program Files\widgetsus.exe
2006-10-08 19:13 78,562,818 ----a-w C:\Program Files\MTB1420_30DAY.exe
2006-08-21 06:18 9,143,496 ----a-w C:\Program Files\INSTALL_MSN_MESSENGER_NT.EXE
2006-06-30 09:30 13,951,112 ----a-w C:\Program Files\MPSetup.exe
2006-03-28 04:27 5,271,552 ----a-w C:\Program Files\PStory.msi
2006-02-20 10:02 11,144,586 ----a-w C:\Program Files\WSFTP_ProT128_Install.exe
2006-02-20 09:54 3,090,160 ----a-w C:\Program Files\aceftp3free.exe
2005-12-17 08:07 486,408 ----a-w C:\Program Files\WalgreensPhotoShow.exe
2004-07-01 01:28 4,354,084 ----a-w C:\Program Files\spybotsd13.exe
2004-06-15 05:23 271 ---h--w C:\Program Files\desktop.ini
2004-06-15 05:23 21,952 ---h--w C:\Program Files\folder.htt
2005-01-18 23:39 10,856 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2005-01-11 14:13 401,408 --sha-r C:\WINNT\system32\??plorer.exe
.

------- Sigcheck -------

01-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83C35173-E029-42f1-9692-0341EE379A0D}]
C:\Program Files\QdrDrive\QdrDrive16.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}]
C:\WINNT\System32\hp100.tmp

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [ ]
"Igthrh"="C:\WINNT\system32\??plorer.exe" [05-01-11 07:13 401408]
"ctfmon.exe"="ctfmon.exe" [01-02-20 14:09 8192 C:\WINNT\system32\CTFMON.EXE]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [06-05-30 20:52 1003520]
"Adware Punisher"="C:\Program Files\AdwarePunisher\AdwarePunisher.exe" [04-11-20 18:13 928768]
"Adware Punisher Monitor"="C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe" [05-12-07 14:26 458752]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [07-10-23 14:18 443968]
"VnrPack16"="C:\Program Files\VnrPack\VnrPack16.exe" [ ]
"WinUpdater"="C:\Program Files\winvi\update.exe" [ ]
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02-07-24 05:00 111376 C:\WINNT\system32\mobsync.exe]
"NeroCheck"="C:\WINNT\System32\\NeroCheck.exe" [01-07-09 03:50 155648]
"SoundMan"="SOUNDMAN.EXE" [03-08-04 22:59 57344 C:\WINNT\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-05-08 09:43 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 14:03 36975]
"vidmon"="C:\WINNT\System32\vidmon\vidmon.exe" [ ]
"FilmLoop"="C:\Program Files\FilmLoop Player\FilmLoop.exe" [06-07-20 14:27 3719168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 10:36 256576]
"{EE-E8-82-2E-DW}"="C:\WINNT\system32\bTMP\binx12l.exe" [ ]
"dbar_starter"="C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-06 09:42 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]
"FlashPlayerUpdate"="C:\WINNT\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [08-03-24 20:21 218496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"1"= C:\WINNT\System32\service\explorer.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{64ba30a2-811a-4597-b0af-d551128be340}"= C:\WINNT\System32\appmagr.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcARIcB]
efcARIcB.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.dvsd"= dvc.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\System32\cbXNDWOe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001


*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 18:26:39
Windows 5.0.2195 Service Pack 4, RC 3.154 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINNT\TEMP\2A.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\Ati2evxx.dll
.
Completion time: 2008-05-08 18:41:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 01:40:05

Pre-Run: 7,140,892,672 bytes free
Post-Run: 11,013,787,648 bytes free

211



Logfile of HijackThis v1.99.1
Scan saved at 7:15:38 PM, on 5/8/2008
Platform: Windows 2000 SP4, RC 3.154 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AdwarePunisher\AdwarePunisher.exe
C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINNT\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pdx.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BeSideit IE Helper - {83C35173-E029-42f1-9692-0341EE379A0D} - C:\Program Files\QdrDrive\QdrDrive16.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vidmon] C:\WINNT\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{EE-E8-82-2E-DW}] C:\WINNT\system32\bTMP\binx12l.exe DWrvgXX
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Igthrh] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Adware Punisher] C:\Program Files\AdwarePunisher\AdwarePunisher.exe
O4 - HKCU\..\Run: [Adware Punisher Monitor] C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [VnrPack16] "C:\Program Files\VnrPack\VnrPack16.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bull...UNCHMEDIA_1.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {444A44BE-514F-4EDE-95FE-F748AE370109} (StreamerHTML Class) - http://www.idistream...treamServer.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab30149.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fredmeyer.dig...oad/XUpload.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: efcARIcB - efcARIcB.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINNT\system32\mfcpt32.exe (file missing)

#8 charlienovember6

charlienovember6

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 07 May 2008 - 08:16 PM

Computer seems to be A LOT BETTER! :thumbup: Internet browsers are functioning normally again and, so far, no pop-ups or irregularities. I am waiting to see what next steps I should take based on your observations. I am also curious to know what suggestions you might have to prevent something like this from happening again. It surely was a painful thing to go through....

#9 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 07 May 2008 - 08:41 PM

I can't find any information on these files. If you know what they are and that they are safe, remove them from the fix.
C:\WINNT\system32\g95.exe
C:\WINNT\four444444.exe
C:\WINNT\two222222.exe
C:\WINNT\system32\scntokdm.exe
C:\WINNT\LOT66225.exe



Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\system32\kykefbsk.exe
C:\WINNT\system32\ldplsvvj.exe
C:\WINNT\system32\prsmyjfp.ini
C:\WINNT\system32\vbzip10.dll
C:\WINNT\system32\g95.exe
C:\WINNT\four444444.exe
C:\WINNT\two222222.exe
C:\WINNT\system32\scntokdm.exe
C:\WINNT\LOT66225.exe
C:\WINNT\system32\winpfz33.sys
C:\WINNT\system32\??plorer.exe
C:\Program Files\QdrDrive\QdrDrive16.dll
C:\Program Files\VnrPack\VnrPack16.exe
C:\Program Files\winvi\update.exe
C:\Program Files\winvi\wupda.exe
C:\WINNT\System32\vidmon\vidmon.exe
C:\WINNT\system32\bTMP\binx12l.exe
C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
C:\WINNT\System32\service\explorer.exe
C:\WINNT\System32\cbXNDWOe
C:\WINNT\TEMP\2A.tmp

Folder::
C:\Temp\maxsv15
C:\Program Files\QdrDrive
C:\Program Files\VnrPack
C:\Program Files\winvi
C:\WINNT\System32\vidmon
C:\WINNT\system32\bTMP
C:\WINNT\system32\px4
C:\WINNT\system32\in3
C:\WINNT\system32\dvb1
C:\WINNT\system32\bTMP
C:\WINNT\system32\bkEur18


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83C35173-E029-42f1-9692-0341EE379A0D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Igthrh"=-
"VnrPack16"=-
"WinUpdater"=-
"WebSUpdater"=-
"vidmon"=-
"{EE-E8-82-2E-DW}"=-
"dbar_starter"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"1"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcARIcB]

Save this as "CFScript"



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#10 charlienovember6

charlienovember6

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 07 May 2008 - 09:25 PM

Here are the new logs....

My PC seems to be acting alright. It seems to be a lot faster and again, so far no pop ups or irregularities.

What do you think? :smack:


ComboFix 08-05-01.3 - Chris Aniciete 05/08/2008 19:59:50.2 - NTFSx86
Running from: C:\Documents and Settings\Chris Aniciete\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris Aniciete\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
C:\Program Files\QdrDrive\QdrDrive16.dll
C:\Program Files\VnrPack\VnrPack16.exe
C:\Program Files\winvi\update.exe
C:\Program Files\winvi\wupda.exe
C:\WINNT\four444444.exe
C:\WINNT\LOT66225.exe
C:\WINNT\system32\bTMP\binx12l.exe
C:\WINNT\System32\cbXNDWOe
C:\WINNT\system32\g95.exe
C:\WINNT\system32\kykefbsk.exe
C:\WINNT\system32\ldplsvvj.exe
C:\WINNT\system32\prsmyjfp.ini
C:\WINNT\system32\scntokdm.exe
C:\WINNT\System32\service\explorer.exe
C:\WINNT\system32\vbzip10.dll
C:\WINNT\System32\vidmon\vidmon.exe
C:\WINNT\system32\winpfz33.sys
C:\WINNT\TEMP\2A.tmp
C:\WINNT\two222222.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\WINNT\four444444.exe
C:\WINNT\LOT66225.exe
C:\WINNT\system32\bkEur18
C:\WINNT\system32\bkEur18\bkEur182328.exe
C:\WINNT\system32\bTMP
C:\WINNT\system32\dvb1
C:\WINNT\system32\dvb1\evb5ui.exe
C:\WINNT\system32\g95.exe
C:\WINNT\system32\in3
C:\WINNT\system32\in3\wmsdir3.exe
C:\WINNT\system32\kykefbsk.exe
C:\WINNT\system32\ldplsvvj.exe
C:\WINNT\system32\prsmyjfp.ini
C:\WINNT\system32\px4
C:\WINNT\system32\px4\gradodv3.exe
C:\WINNT\system32\scntokdm.exe
C:\WINNT\system32\vbzip10.dll
C:\WINNT\system32\winpfz33.sys
C:\WINNT\two222222.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 16:43 . 08-05-05 20:46 27,048 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-05-08 16:43 . 08-05-05 20:46 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-05-08 16:16 . 08-05-08 16:16 9,662 --a------ C:\WINNT\system32\pinkip.ico
2008-05-08 00:32 . 08-05-08 00:32 335 --a------ C:\WINNT\mozregistry.dat
2008-05-06 13:47 . 08-05-06 13:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 13:05 . 08-05-08 16:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 13:05 . 08-05-06 13:05 <DIR> d-------- C:\Documents and Settings\Chris Aniciete\Application Data\Malwarebytes
2008-05-06 13:05 . 08-05-06 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 03:23 . 08-05-06 03:23 9,662 --a------ C:\WINNT\system32\iphone-6y.ico
2008-05-05 20:19 . 08-05-05 20:19 <DIR> d-------- C:\Program Files\Firefox Portable
2008-05-05 20:18 . 08-05-05 20:18 6,323,464 --a------ C:\Program Files\Firefox_Portable_2.0.0.14_en-us.paf.exe
2008-05-05 20:17 . 08-05-05 20:17 190,064 --a------ C:\Program Files\Morpheus.exe
2008-05-05 20:12 . 08-05-05 20:12 6,039,048 --a------ C:\Program Files\Firefox Setup 2.0.0.14.exe
2008-05-05 17:51 . 08-05-05 17:51 404 --a------ C:\WINNT\system32\es.dat
2008-05-05 15:06 . 08-05-08 17:57 20,480 --a------ C:\WINNT\quit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 15:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-05-06 08:24 84,264 ----a-w C:\Documents and Settings\Chris Aniciete\Application Data\GDIPFONTCACHEV1.DAT
2008-05-06 02:17 --------- d-----w C:\Program Files\LimeWire
2008-05-06 01:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-05 23:53 --------- d-----w C:\Program Files\Yahoo!
2008-05-05 23:07 --------- d-----w C:\Documents and Settings\Chris Aniciete\Application Data\LimeWire
2008-05-05 22:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-05 22:40 --------- d-----w C:\Program Files\Ares
2008-04-10 14:11 --------- d-----w C:\Documents and Settings\Chris Aniciete\Application Data\SolidDocuments
2007-12-26 09:13 54,330,664 ----a-w C:\Program Files\iTunesSetup.exe
2007-11-12 11:28 239 ----a-w C:\Program Files\deliverStreaming.asx
2007-10-20 22:52 1,164,456 ----a-w C:\Program Files\install_flash_player.exe
2007-03-13 06:09 19,755,560 ----a-w C:\Program Files\avg75free_446a965.exe
2007-02-20 07:27 17,207,032 ----a-w C:\Program Files\avg75free_428a818.exe
2007-01-15 04:26 2,961,088 ----a-w C:\Program Files\vbsetup.exe
2006-12-11 10:01 1,672,336 ----a-w C:\Program Files\install_easyshare.exe
2006-12-09 07:13 14,084 ----a-w C:\Documents and Settings\Chris Aniciete\Application Data\ViewerApp.dat
2006-11-21 06:58 172,710,624 ----a-w C:\Program Files\SPSS15Evaluation.exe
2006-11-04 08:25 37,889 ----a-w C:\Program Files\10-31-06_1644.jpg
2006-11-04 06:59 11,351,672 ----a-w C:\Program Files\widgetsus.exe
2006-10-08 19:13 78,562,818 ----a-w C:\Program Files\MTB1420_30DAY.exe
2006-08-21 06:18 9,143,496 ----a-w C:\Program Files\INSTALL_MSN_MESSENGER_NT.EXE
2006-06-30 09:30 13,951,112 ----a-w C:\Program Files\MPSetup.exe
2006-03-28 04:27 5,271,552 ----a-w C:\Program Files\PStory.msi
2006-02-20 10:02 11,144,586 ----a-w C:\Program Files\WSFTP_ProT128_Install.exe
2006-02-20 09:54 3,090,160 ----a-w C:\Program Files\aceftp3free.exe
2005-12-17 08:07 486,408 ----a-w C:\Program Files\WalgreensPhotoShow.exe
2004-07-01 01:28 4,354,084 ----a-w C:\Program Files\spybotsd13.exe
2004-06-15 05:23 271 ---h--w C:\Program Files\desktop.ini
2004-06-15 05:23 21,952 ---h--w C:\Program Files\folder.htt
2005-01-18 23:39 10,856 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2005-01-11 14:13 401,408 --sha-r C:\WINNT\system32\??plorer.exe
.

------- Sigcheck -------

01-02-20 14:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}]
C:\WINNT\System32\hp100.tmp

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [ ]
"ctfmon.exe"="ctfmon.exe" [01-02-20 14:09 8192 C:\WINNT\system32\CTFMON.EXE]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [06-05-30 20:52 1003520]
"Adware Punisher"="C:\Program Files\AdwarePunisher\AdwarePunisher.exe" [04-11-20 18:13 928768]
"Adware Punisher Monitor"="C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe" [05-12-07 14:26 458752]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [07-10-23 14:18 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02-07-24 05:00 111376 C:\WINNT\system32\mobsync.exe]
"NeroCheck"="C:\WINNT\System32\\NeroCheck.exe" [01-07-09 03:50 155648]
"SoundMan"="SOUNDMAN.EXE" [03-08-04 22:59 57344 C:\WINNT\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-05-08 09:43 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 14:03 36975]
"vidmon"="C:\WINNT\System32\vidmon\vidmon.exe" [ ]
"FilmLoop"="C:\Program Files\FilmLoop Player\FilmLoop.exe" [06-07-20 14:27 3719168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 10:36 256576]
"{EE-E8-82-2E-DW}"="C:\WINNT\system32\bTMP\binx12l.exe" [ ]
"dbar_starter"="C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-06 09:42 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]
"FlashPlayerUpdate"="C:\WINNT\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [08-03-24 20:21 218496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{64ba30a2-811a-4597-b0af-d551128be340}"= C:\WINNT\System32\appmagr.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"vidc.dvsd"= dvc.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\System32\DRIVERS\SONYPVM1.SYS [00-05-27 04:37 ]
R1 Avg7RsNT;AVG7 Rezident Driver;C:\WINNT\System32\Drivers\avg7rsnt.sys [07-03-12 23:10 ]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINNT\TEMP\2A.tmp []
S3 viafilter;VIA USB Filter;C:\WINNT\System32\Drivers\viausb.sys [03-06-18 16:48 ]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 20:15:14
Windows 5.0.2195 Service Pack 4, RC 3.154 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINNT\TEMP\2A.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\Ati2evxx.dll
.
Completion time: 2008-05-08 20:22:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 03:22:11
ComboFix2.txt 2008-05-09 01:41:25

Pre-Run: 11,061,334,016 bytes free
Post-Run: 11,049,336,832 bytes free

172




Logfile of HijackThis v1.99.1
Scan saved at 8:26:50 PM, on 5/8/2008
Platform: Windows 2000 SP4, RC 3.154 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pdx.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vidmon] C:\WINNT\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{EE-E8-82-2E-DW}] C:\WINNT\system32\bTMP\binx12l.exe DWrvgXX
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Adware Punisher] C:\Program Files\AdwarePunisher\AdwarePunisher.exe
O4 - HKCU\..\Run: [Adware Punisher Monitor] C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bull...UNCHMEDIA_1.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {444A44BE-514F-4EDE-95FE-F748AE370109} (StreamerHTML Class) - http://www.idistream...treamServer.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20....es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab30149.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fredmeyer.dig...oad/XUpload.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINNT\system32\mfcpt32.exe (file missing)

#11 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 08 May 2008 - 05:52 AM

Click Start > Run and copy/paste these commands, hitting Enter after each one, if listed:

sc stop %AF

sc delete %AF


Next:

1.Click Start > Settings > Control Panel.
2.Next, open Add/Remove Programs and remove if listed:
AdwarePunisher



Run HijackThis. Hit None of the above, then click Do a System Scan Only. Put a checkmark/tick in the box on the left side of these:

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp (file missing)
O4 - HKLM\..\Run: [vidmon] C:\WINNT\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [{EE-E8-82-2E-DW}] C:\WINNT\system32\bTMP\binx12l.exe DWrvgXX
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
O4 - HKCU\..\Run: [Adware Punisher] C:\Program Files\AdwarePunisher\AdwarePunisher.exe
O4 - HKCU\..\Run: [Adware Punisher Monitor] C:\Program Files\AdwarePunisher\AdwarePunisher_monitor.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...od/install.html
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINNT\system32\mfcpt32.exe (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINNT\System32\vidmon\vidmon.exe
C:\WINNT\system32\bTMP\binx12l.exe
C:\Program Files\AdwarePunisher\AdwarePunisher.exe
C:\WINNT\system32\mfcpt32.exe



Delete these Folders if listed:
C:\WINNT\System32\vidmon
C:\WINNT\system32\bTMP
C:\Program Files\AdwarePunisher


If you still have ATF Cleaner, just run it.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, click No at the prompt to keep saved passwords.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.



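The triage LDTate applies across posts #9 and #11 follows a handful of recurring patterns in the HijackThis log: O2/O20/O23 entries still registered for a file that is gone ("(file missing)"), a .tmp file used as a load point, Run-key autostarts living under Temp, Application Data or a subfolder of system32, a path HijackThis can only print with "?" (the `??plorer.exe` that impersonates explorer.exe), ActiveX/Java downloads from a bare IP address, and the `sc stop` / `sc delete` pair for a dead service. The Python below is an added example written for this page, not a tool from the thread, from HijackThis or from ComboFix; the heuristics are the editor's own, and the sample log lines are constructed, modelled on the log posted above.

```python
"""Triage a HijackThis v1.99 log the way the helper in this thread does.

Added example for this page; not a tool from the thread, from HijackThis
or from ComboFix.  The heuristics are the editor's own, chosen from the
entry shapes that recur in the log above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O4 - HKLM\..\Run: [name] C:\path args"  ->  kind="O4", body=the rest
ENTRY_RE = re.compile(r"^(?P<kind>[ORF]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path in the body, ending at a known binary extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|sys|ocx|tmp)\b", re.IGNORECASE)
# "Service: <display name> (<short name>) - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: .*\((?P<name>[^)]+)\) - ")
# O16 download source given as a bare IPv4 address instead of a hostname.
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.IGNORECASE)
# An .exe exactly one folder below system32 (system32\<dir>\<file>.exe).
SYSTEM32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.exe$")
# Directories a legitimate autostart binary almost never runs from.
SUSPECT_DIR_MARKERS = ("\\temp\\", "\\application data\\")


@dataclass
class Finding:
    kind: str
    line: str
    reason: str
    service_name: Optional[str] = None  # only filled for O23 entries


def first_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def service_short_name(body: str) -> Optional[str]:
    """Short service name, i.e. what 'sc stop' / 'sc delete' take."""
    m = SERVICE_RE.match(body)
    return m.group("name") if m else None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes" block, blank lines
        kind, body = m.group("kind"), m.group("body")
        low = body.lower()
        path = first_path(body)
        path_low = path.lower() if path else ""

        if kind in ("O2", "O20", "O23") and "(file missing)" in low:
            # Registry still points at a file that is gone: an orphaned BHO,
            # Winlogon Notify package or service left behind after a removal.
            svc = service_short_name(body) if kind == "O23" else None
            findings.append(Finding(kind, line, "orphaned load point: registered file no longer exists", svc))
        elif path and "?" in path:
            # '?' is illegal in an NTFS name; HijackThis prints it for characters
            # it cannot render, the trick behind the fake explorer.exe above.
            findings.append(Finding(kind, line, "path contains characters the scanner could not render"))
        elif path_low.endswith(".tmp"):
            findings.append(Finding(kind, line, ".tmp file registered as a load point"))
        elif kind == "O4" and any(mk in path_low for mk in SUSPECT_DIR_MARKERS):
            findings.append(Finding(kind, line, "autostart from a temp or per-user data directory"))
        elif kind == "O4" and SYSTEM32_SUBDIR_RE.search(path_low):
            findings.append(Finding(kind, line, "autostart from a subfolder of system32 (review manually)"))
        elif kind == "O16" and BARE_IP_URL_RE.search(body):
            findings.append(Finding(kind, line, "ActiveX/Java download registered from a bare IP address"))
    return findings


def sc_cleanup_commands(f: Finding) -> List[str]:
    """The stop/delete pair the helper gives for a dead service (post #11).
    The name is quoted because characters such as '%' are shell-special."""
    if f.kind != "O23" or not f.service_name:
        return []
    return [f'sc stop "{f.service_name}"', f'sc delete "{f.service_name}"']


# Constructed sample: lines modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINNT\System32\hp100.tmp (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vidmon] C:\WINNT\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [{EE-E8-82-2E-DW}] C:\WINNT\system32\bTMP\binx12l.exe DWrvgXX
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Chris Aniciete\Application Data\Deskbar_{4013CD1D-C3A2-43fd-BB4C-9A9ECDF5213B}\starter.exe
O4 - HKCU\..\Run: [Igthrh] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O20 - Winlogon Notify: efcARIcB - efcARIcB.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINNT\system32\mfcpt32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
        for cmd in sc_cleanup_commands(f):
            print(f"    -> {cmd}")
```

Run against the sample it flags eight of the thirteen entries and leaves the Acrobat BHO, the AVG entries, ctfmon.exe and the iPIX control alone. The system32-subfolder rule is deliberately marked "review manually": legitimate software does occasionally install there, so it is a prompt to look up the file, not a verdict. The rules are ordered so that a single entry gets one reason; an entry such as the hp100.tmp BHO, which is both orphaned and a .tmp file, is reported once.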
#12 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 15 May 2008 - 06:13 PM

Do you still need help with this?



#13 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 19 May 2008 - 03:37 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.

