
wierd temp files multiplying


  • This topic is locked
14 replies to this topic

#1 extreme182

    Member

  • Full Member
  • 5 posts

Posted 02 June 2007 - 12:58 PM

Hey there,
Well, I'm running Windows XP Home.
My problem is I somehow got these temp files called win1.tmp, win1A.tmp and other similar forms that multiply exponentially from time to time (while sometimes creating dialers that I can manually delete anyway). The other thing is that they are the only temp files there are in the win/temp folder.

The thing is, they don't look like they're doing any damage, and the process that fits with their name is not running anymore in the task manager, but I can't delete them though they're temp (not even with Move On Boot), and it bothers me a lot that there's some kind of invisible threat. NAV doesn't detect it, neither did Panda and some others.
I have done a little research and it seems that a HijackThis report helps you, so I have downloaded and scanned. Here are my findings:

Logfile of HijackThis v1.99.1
Scan saved at 18:56:01, on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\QuickTime\qttask.exe
D:\Documents and Settings\All Users\Application Data\udinajkv.exe
C:\PROGRA~1\MANTEC~1\netdde.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Documents and Settings\James.main\local settings\Temp\469593.exe
D:\Documents and Settings\James.main\local settings\Temp\654390.exe
D:\Documents and Settings\James.main\local settings\Temp\592734.exe
C:\WINDOWS\explorer.exe
D:\Documents and Settings\James.main\local settings\Temp\654390.exe
D:\Documents and Settings\James.main\local settings\Temp\784234.exe
D:\Documents and Settings\James.main\local settings\Temp\847718.exe
D:\Documents and Settings\James.main\local settings\Temp\912406.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\James.main\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ajjdkqot.dll",realset
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe


Thank you for looking, and I would appreciate your help :D

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 05 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 EnigmaChick

    Computer Geek

  • Full Member
  • 644 posts

Posted 05 June 2007 - 07:43 PM

Hello extreme182,

We are currently studying your log and will be back to you as soon as possible. Thank you for your patience.
I'm waiting for an average computer that can't be infected with malware unless it's intentionally ........ 5 years later: I am still waiting

A Malware Fighting Tiger's Blog

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 Indrid_Cold

    Forum Deity

  • Emeritus
  • 7,070 posts

Posted 07 June 2007 - 05:39 PM

You have not been forgotten, extreme182. We should have a reply for you soon.

Thank you for your patience.
Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

Fight back Malware Complaints

#5 EnigmaChick

    Computer Geek

  • Full Member
  • 644 posts

Posted 08 June 2007 - 05:04 PM

Welcome to SWI, I'll be helping you clean your computer.

Please rename the HijackThis.exe file to something else; it doesn't matter what, as long as it's not HijackThis. Then please post a fresh HijackThis (HJT) log.

#6 extreme182

    Member

  • Full Member
  • 5 posts

Posted 09 June 2007 - 03:18 AM

Welcome to SWI, I'll be helping you clean your computer.

Please rename the HijackThis.exe file to something else; it doesn't matter what, as long as it's not HijackThis. Then please post a fresh HijackThis (HJT) log.

I'm not quite sure if I have done it correctly but ...

Logfile of HijackThis v1.99.1
Scan saved at 09:18:11, on 09/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\QuickTime\qttask.exe
D:\Documents and Settings\All Users\Application Data\udinajkv.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\PROGRA~1\MANTEC~1\netdde.exe
D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\James.main\Desktop\hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyo...arch/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {861DF07A-ADA5-4995-A2C7-2C747FC5B94C} - C:\WINDOWS\system32\sstqo.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - C:\WINDOWS\system32\byxwwvw.dll
O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\nyaxwifa.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe
O4 - HKLM\..\Run: [j8241635] rundll32 C:\WINDOWS\system32\j8241635.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\cogovnhg.dll",realset
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: byxwwvw - C:\WINDOWS\SYSTEM32\byxwwvw.dll
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O20 - Winlogon Notify: winwim32 - C:\WINDOWS\SYSTEM32\winwim32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
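The helpers in this thread read the HijackThis logs by eye. As an added example (not the forum's, the poster's or HijackThis's own code), the script below parses the HJT line format shown above and flags the patterns the helpers act on: unnamed BHOs, Winlogon Notify DLLs outside a known list, autoruns launched from Temp or Application Data, and services with no publisher or a missing binary. The sample excerpt and the minimal Winlogon Notify allowlist are constructed assumptions for the example.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - C:\WINDOWS\system32\byxwwvw.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe
O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: byxwwvw - C:\WINDOWS\SYSTEM32\byxwwvw.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
"""

# "O4 - <body>", "R1 - <body>", ... ; everything else (process list, headers) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")
# A drive-letter path ending in .exe/.dll, optionally quoted; the last one on a
# line is the file the entry actually loads.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))"?', re.IGNORECASE)

# Autoruns should not normally live in user-writable data directories.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")
# Assumed minimal allowlist of Winlogon Notify packages; extend for real use.
KNOWN_NOTIFY = {"wgalogon.dll"}


@dataclass
class Finding:
    section: str
    entry: str
    path: str
    reasons: list


def _path_of(body):
    matches = PATH_RE.findall(body)
    return matches[-1] if matches else ""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text):
    """Return (section, body) for each HJT entry line, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Flag entries a helper would look at first; returns Findings in log order."""
    entries = parse(log_text)
    # Pass 1: DLLs hooked into Winlogon, so an unnamed BHO using the same DLL
    # (the pattern seen in this thread) can be called out explicitly.
    notify_dlls = {_basename(_path_of(b)) for s, b in entries if s == "O20"}
    findings = []
    for section, body in entries:
        path = _path_of(body)
        base = _basename(path)
        reasons = []
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
            if base in notify_dlls:
                reasons.append("same DLL is also a Winlogon Notify package")
        elif section == "O4" and any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("autorun launched from a user-writable data directory")
        elif section == "O20" and base not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify DLL not in allowlist")
        elif section == "O23":
            if "Unknown owner" in body:
                reasons.append("service binary has no publisher")
            if "(file missing)" in body:
                reasons.append("service points at a missing file")
        if reasons:
            findings.append(Finding(section, body, path, reasons))
    return findings


def report(findings):
    """One line per finding, suitable for pasting into a reply."""
    return [f"{f.section}: {f.path or f.entry} -> {'; '.join(f.reasons)}" for f in findings]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```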

#7 Indrid_Cold

    Forum Deity

  • Emeritus
  • 7,070 posts

Posted 11 June 2007 - 05:25 PM

Thank you for the log extreme182. We are looking it over and will get back with you.

#8 EnigmaChick

    Computer Geek

  • Full Member
  • 644 posts

Posted 13 June 2007 - 07:56 PM

Please either print out these instructions or save them to a program like Notepad, because you won't have Internet access in Safe Mode.

After some of these uninstalls your computer may prompt you to restart; if this happens, choose No and continue with the rest of the uninstalls.

Click on the Windows Start button in the left-hand corner of your screen.
Go to Control Panel or Settings > Control Panel.
Double click on Add or Remove Programs and uninstall:
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin

or anything else titled Oin or Outerinfo.
Zolero
Tizzletalk
MediaTickets
Cowabanga

Optional
You have Blueyonder Instant Support Tool installed. This program collects information such as your name, address, etc. and saves it as a log file. For more information please go to this site.
If you want to remove it, please also uninstall this:
Blueyonder Instant Support Tool

Reboot

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Reboot

Run HijackThis to create a fresh log and post it here.

Logs to include in your next reply:
ComboFix
HJT


#9 extreme182

    Member

  • Full Member
  • 5 posts

Posted 22 June 2007 - 02:25 PM

Hey, sorry for the late reply.. :blush:

ComboFix:

ComboFix 07-06-21.3 - D:\Documents and Settings\James.main\My Documents\My Games\mpgh\ComboFix.exe
"James" - 2007-06-22 20:06:33 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\bcnsvnqw.dll
C:\WINDOWS\system32\bptbjosx.dll
C:\WINDOWS\system32\cthyusvi.dll
C:\WINDOWS\system32\cypfegck.dll
C:\WINDOWS\system32\dfcuqngq.dll
C:\WINDOWS\system32\dxhvokqd.dll
C:\WINDOWS\system32\ejjgdrfr.dll
C:\WINDOWS\system32\enuetcpp.dll
C:\WINDOWS\system32\fbmlvoux.dll
C:\WINDOWS\system32\gnvvtfsb.dll
C:\WINDOWS\system32\gpklmnrk.dll
C:\WINDOWS\system32\hkqanxul.dll
C:\WINDOWS\system32\iqgefvvl.dll
C:\WINDOWS\system32\ivqknkff.dll
C:\WINDOWS\system32\jkahvigx.dll
C:\WINDOWS\system32\jtdmwwkl.dll
C:\WINDOWS\system32\kbifpxkc.dll
C:\WINDOWS\system32\lhyplpwj.dll
C:\WINDOWS\system32\lrmenyvf.dll
C:\WINDOWS\system32\moehnbmg.dll
C:\WINDOWS\system32\msywuwfd.dll
C:\WINDOWS\system32\nicljohd.dll
C:\WINDOWS\system32\nyaxwifa.dll
C:\WINDOWS\system32\peqhmgve.dll
C:\WINDOWS\system32\punuixky.dll
C:\WINDOWS\system32\rehnbobe.dll
C:\WINDOWS\system32\rxhcwstl.dll
C:\WINDOWS\system32\shqxcbyh.dll
C:\WINDOWS\system32\tnqcdpvq.dll
C:\WINDOWS\system32\tpbvkfmc.dll
C:\WINDOWS\system32\uuawtfbt.dll
C:\WINDOWS\system32\vopfidxa.dll
C:\WINDOWS\system32\xnqxipav.dll
C:\WINDOWS\system32\awttrsq.dll
C:\WINDOWS\system32\cbxvwuu.dll
C:\WINDOWS\system32\hggebby.dll
C:\WINDOWS\system32\rqrqoli.dll
C:\WINDOWS\system32\tuvtrpp.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winwim32.dll
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\wqnvsncb.ini
C:\WINDOWS\system32\xsojbtpb.ini
C:\WINDOWS\system32\ivsuyhtc.ini
C:\WINDOWS\system32\kcgefpyc.ini
C:\WINDOWS\system32\qgnqucfd.ini
C:\WINDOWS\system32\dqkovhxd.ini
C:\WINDOWS\system32\rfrdgjje.ini
C:\WINDOWS\system32\ppcteune.ini
C:\WINDOWS\system32\xuovlmbf.ini
C:\WINDOWS\system32\krnmlkpg.ini
C:\WINDOWS\system32\luxnaqkh.ini
C:\WINDOWS\system32\lvvfegqi.ini
C:\WINDOWS\system32\ffknkqvi.ini
C:\WINDOWS\system32\xgivhakj.ini
C:\WINDOWS\system32\lkwwmdtj.ini
C:\WINDOWS\system32\ckxpfibk.ini
C:\WINDOWS\system32\gmbnheom.ini
C:\WINDOWS\system32\dfwuwysm.ini
C:\WINDOWS\system32\dhojlcin.ini
C:\WINDOWS\system32\evgmhqep.ini
C:\WINDOWS\system32\ykxiunup.ini
C:\WINDOWS\system32\ebobnher.ini
C:\WINDOWS\system32\ltswchxr.ini
C:\WINDOWS\system32\hybcxqhs.ini
C:\WINDOWS\system32\cmfkvbpt.ini
C:\WINDOWS\system32\tbftwauu.ini
C:\WINDOWS\system32\axdifpov.ini
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\byxwwvw.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe
C:\Program Files\mantec~1
C:\Program Files\mantec~1\netdde.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\WinAntiSpyware 2007
C:\Program Files\WinAntiSpyware 2007\fopnl.dll
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\j8241635.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\winhoo32.dll
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\wintsvcc.exe
C:\WINDOWS\system32\wnsxs~1
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1\d?xplore.exe
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007\Logs\update.log
D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon
D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\domains.txt
D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\log.txt
D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME


((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


2007-06-22 20:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 17:14 122,900 --a------ C:\WINDOWS\system32\ddnockip.exe
2007-06-22 16:58 122,900 --a------ C:\WINDOWS\system32\cgpusmxd.exe
2007-06-21 18:34 122,900 --a------ C:\WINDOWS\system32\swhnokpi.exe
2007-06-21 17:22 122,900 --a------ C:\WINDOWS\system32\nlcyyptc.exe
2007-06-21 17:21 122,900 --a------ C:\WINDOWS\system32\hjgaediy.exe
2007-06-21 17:01 122,900 --a------ C:\WINDOWS\system32\wquwkoer.exe
2007-06-20 20:28 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2007-06-20 18:38 122,900 --a------ C:\WINDOWS\system32\gdkuivrn.exe
2007-06-20 18:13 122,900 --a------ C:\WINDOWS\system32\onevbvwt.exe
2007-06-20 18:03 122,900 --a------ C:\WINDOWS\system32\xxewgkhn.exe
2007-06-20 17:39 122,900 --a------ C:\WINDOWS\system32\enjgtyxb.exe
2007-06-20 17:37 60,928 --a------ C:\WINDOWS\system32\gffy.dll
2007-06-19 16:58 122,900 --a------ C:\WINDOWS\system32\xdufoiwc.exe
2007-06-19 16:47 122,900 --a------ C:\WINDOWS\system32\qmibjrmk.exe
2007-06-16 16:07 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\InstallShield
2007-06-16 16:07 <DIR> d-------- C:\Program Files\WarRock
2007-06-16 12:25 <DIR> d-------- C:\WINDOWS\system32\pmcubosf
2007-06-16 10:17 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-13 19:24 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-06-13 19:24 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2007-06-13 18:54 <DIR> d-------- C:\Program Files\Stardock
2007-06-13 18:54 <DIR> d-------- C:\Program Files\Common Files\stardock
2007-06-13 18:44 161,280 --a------ C:\WINDOWS\system32\fmod.dll
2007-06-13 18:44 1,008,128 --a------ C:\WINDOWS\system32\The Matrix Trilogy.scr
2007-06-12 17:12 <DIR> d-------- C:\Program Files\VB
2007-06-11 17:30 <DIR> d-------- C:\Program Files\HackTheGame
2007-06-11 16:15 2,580 --a------ C:\WINDOWS\system32\hbactjaw.exe
2007-06-10 20:54 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Norman
2007-06-06 20:08 55,316 --a------ C:\WINDOWS\system32\ktsidwcn.dll
2007-06-05 20:38 52,432 --a------ C:\WINDOWS\system32\drivers\FOPN.sys
2007-06-05 17:02 14,868 --a------ C:\WINDOWS\system32\fcyxcfet.exe
2007-06-04 16:15 2,580 --a------ C:\WINDOWS\system32\eutgufha.exe
2007-06-03 16:07 2,580 --a------ C:\WINDOWS\system32\uafdbyji.exe
2007-06-02 18:29 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-02 17:26 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-02 17:25 <DIR> d-------- C:\Program Files\CCleaner
2007-06-02 17:24 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-06-02 17:24 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-06-02 17:24 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Simply Super Software
2007-06-02 17:24 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-06-02 17:24 <DIR> d-------- C:\Program Files\Trojan Remover
2007-06-02 16:43 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-02 15:52 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\PC Tools
2007-06-02 15:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-02 15:47 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-02 15:43 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-06-02 15:43 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-06-02 10:10 71,168 ---h----- D:\DOCUME~1\ALLUSE~1\APPLIC~1\svchost.exe
2007-06-02 10:00 2,580 --a------ C:\WINDOWS\system32\qsdpmduw.exe
2007-06-02 09:58 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-02 09:53 57,344 --a------ D:\DOCUME~1\ALLUSE~1\APPLIC~1\udinajkv.exe
2007-06-02 09:53 206 --a------ C:\WINDOWS\g438812.exe
2007-06-01 15:11 9,209 --a------ C:\pgob.exe
2007-06-01 15:11 35,840 --a------ C:\WINDOWS\system32\msvcrtd.exe
2007-06-01 15:11 19,968 --a------ C:\gfrlv.exe
2007-06-01 14:31 <DIR> d-------- C:\Program Files\KLC
2007-06-01 13:55 2,079 --a------ C:\WINDOWS\system32\M1achardks.dll
2007-06-01 13:54 4,100 --a------ C:\WINDOWS\system32\hdvirffo.dll
2007-06-01 10:46 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\GetRightToGo
2007-06-01 10:46 <DIR> d-------- C:\Downloads
2007-05-31 19:48 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\My Games
2007-05-31 19:33 <DIR> d-------- C:\Program Files\Firaxis Games
2007-05-26 12:51 <DIR> d-------- D:\DOCUME~1\ELESE~1.MAI\APPLIC~1\Ventrilo
2007-05-23 17:57 <DIR> d-------- C:\Program Files\SCAR 3.02
2007-05-22 19:45 <DIR> d-------- D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\AdobeUM
2007-05-22 19:45 <DIR> d-------- C:\Program Files\SCAR 2.03


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 19:38:51 -------- d-----w C:\Program Files\Common Files\PestPatrol
2007-06-16 15:07:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-16 10:41:18 -------- d-----w C:\Program Files\Cheat Engine
2007-06-02 15:10:31 -------- d-----w C:\Program Files\Ares
2007-06-02 10:15:30 -------- d-----w C:\Program Files\GWFreaks
2007-06-01 13:38:15 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-05-31 18:48:47 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-21 17:32:19 -------- d-----w D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Ventrilo
2007-05-21 17:29:52 -------- d-----w C:\Program Files\Ventrilo
2007-05-21 17:29:33 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:38:34 -------- d-----w C:\Program Files\Disney
2007-05-11 17:56:13 -------- d-----w C:\Program Files\Common Files\Command Software
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 16:27:09 -------- d-----w C:\Program Files\Virtual Villagers
2007-04-22 19:01:26 -------- d-----w C:\Program Files\Yahoo! Games
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}=C:\Program Files\Virgin Broadband\PCguard\pkR.dll [2007-01-24 19:51]
{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Virgin Broadband\PCguard\FBHR.dll [2007-01-24 19:51]
{631F1A8B-DF14-8DE5-181B-838DB82D85C7}=C:\WINDOWS\system32\gffy.dll [2007-06-20 15:49]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]
{C37F396F-8B8B-DC70-8A7C-89ADACE924CE}=C:\WINDOWS\system32\wniuvjp.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 18:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 21:04 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 11:31]
"nwiz"="nwiz.exe" [2005-06-15 16:20 C:\WINDOWS\system32\nwiz.exe]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 15:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 19:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-29 07:17]
"udinajkv.exe"="D:\Documents and Settings\All Users\Application Data\udinajkv.exe" [2007-06-02 09:53]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 16:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-04-17 07:59]
"Henl"="C:\PROGRA~1\MANTEC~1\netdde.exe" []
"Mwlqls"="D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" [2005-05-10 13:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 20:17:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-22 20:19:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-22 20:19

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\bcnsvnqw.dll
C:\WINDOWS\system32\bptbjosx.dll
C:\WINDOWS\system32\cthyusvi.dll
C:\WINDOWS\system32\cypfegck.dll
C:\WINDOWS\system32\dfcuqngq.dll
C:\WINDOWS\system32\dxhvokqd.dll
C:\WINDOWS\system32\ejjgdrfr.dll
C:\WINDOWS\system32\enuetcpp.dll
C:\WINDOWS\system32\fbmlvoux.dll
C:\WINDOWS\system32\gnvvtfsb.dll
C:\WINDOWS\system32\gpklmnrk.dll
C:\WINDOWS\system32\hkqanxul.dll
C:\WINDOWS\system32\iqgefvvl.dll
C:\WINDOWS\system32\ivqknkff.dll
C:\WINDOWS\system32\jkahvigx.dll
C:\WINDOWS\system32\jtdmwwkl.dll
C:\WINDOWS\system32\kbifpxkc.dll
C:\WINDOWS\system32\lhyplpwj.dll
C:\WINDOWS\system32\lrmenyvf.dll
C:\WINDOWS\system32\moehnbmg.dll
C:\WINDOWS\system32\msywuwfd.dll
C:\WINDOWS\system32\nicljohd.dll
C:\WINDOWS\system32\nyaxwifa.dll
C:\WINDOWS\system32\peqhmgve.dll
C:\WINDOWS\system32\punuixky.dll
C:\WINDOWS\system32\rehnbobe.dll
C:\WINDOWS\system32\rxhcwstl.dll
C:\WINDOWS\system32\shqxcbyh.dll
C:\WINDOWS\system32\tnqcdpvq.dll
C:\WINDOWS\system32\tpbvkfmc.dll
C:\WINDOWS\system32\uuawtfbt.dll
C:\WINDOWS\system32\vopfidxa.dll
C:\WINDOWS\system32\xnqxipav.dll
C:\WINDOWS\system32\awttrsq.dll
C:\WINDOWS\system32\cbxvwuu.dll
C:\WINDOWS\system32\hggebby.dll
C:\WINDOWS\system32\rqrqoli.dll
C:\WINDOWS\system32\tuvtrpp.dll
C:\WINDOWS\system32\winuqw32.dll
C:\WINDOWS\system32\winwim32.dll
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\wqnvsncb.ini
C:\WINDOWS\system32\xsojbtpb.ini
C:\WINDOWS\system32\ivsuyhtc.ini
C:\WINDOWS\system32\kcgefpyc.ini
C:\WINDOWS\system32\qgnqucfd.ini
C:\WINDOWS\system32\dqkovhxd.ini
C:\WINDOWS\system32\rfrdgjje.ini
C:\WINDOWS\system32\ppcteune.ini
C:\WINDOWS\system32\xuovlmbf.ini
C:\WINDOWS\system32\krnmlkpg.ini
C:\WINDOWS\system32\luxnaqkh.ini
C:\WINDOWS\system32\lvvfegqi.ini
C:\WINDOWS\system32\ffknkqvi.ini
C:\WINDOWS\system32\xgivhakj.ini
C:\WINDOWS\system32\lkwwmdtj.ini
C:\WINDOWS\system32\ckxpfibk.ini
C:\WINDOWS\system32\gmbnheom.ini
C:\WINDOWS\system32\dfwuwysm.ini
C:\WINDOWS\system32\dhojlcin.ini
C:\WINDOWS\system32\evgmhqep.ini
C:\WINDOWS\system32\ykxiunup.ini
C:\WINDOWS\system32\ebobnher.ini
C:\WINDOWS\system32\ltswchxr.ini
C:\WINDOWS\system32\hybcxqhs.ini
C:\WINDOWS\system32\cmfkvbpt.ini
C:\WINDOWS\system32\tbftwauu.ini
C:\WINDOWS\system32\axdifpov.ini
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.tmp
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\byxwwvw.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwasers.exe
C:\Program Files\mantec~1
C:\Program Files\mantec~1\netdde.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\WinAntiSpyware 2007
C:\Program Files\WinAntiSpyware 2007\fopnl.dll
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\j8241635.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\winhoo32.dll
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\wintsvcc.exe
C:\WINDOWS\system32\wnsxs~1
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\pppatc~1\d?xplore.exe
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007
D:\DOCUME~1\JAMES~1.MAI\APPLIC~1.\WinAntiSpyware 2007\Logs\update.log
D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon
D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\domains.txt
D:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\netmon\log.txt
D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
D:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME


((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 19:38:51 -------- d-----w C:\Program Files\Common Files\PestPatrol
2007-06-16 15:07:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-16 10:41:18 -------- d-----w C:\Program Files\Cheat Engine
2007-06-02 15:10:31 -------- d-----w C:\Program Files\Ares
2007-06-02 10:15:30 -------- d-----w C:\Program Files\GWFreaks
2007-06-01 13:38:15 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-05-31 18:48:47 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-21 17:32:19 -------- d-----w D:\DOCUME~1\JAMES~1.MAI\APPLIC~1\Ventrilo
2007-05-21 17:29:52 -------- d-----w C:\Program Files\Ventrilo
2007-05-21 17:29:33 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 09:38:34 -------- d-----w C:\Program Files\Disney
2007-05-11 17:56:13 -------- d-----w C:\Program Files\Common Files\Command Software
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 16:27:09 -------- d-----w C:\Program Files\Virtual Villagers
2007-04-22 19:01:26 -------- d-----w C:\Program Files\Yahoo! Games
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}=C:\Program Files\Virgin Broadband\PCguard\pkR.dll [2007-01-24 19:51]
{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Virgin Broadband\PCguard\FBHR.dll [2007-01-24 19:51]
{631F1A8B-DF14-8DE5-181B-838DB82D85C7}=C:\WINDOWS\system32\gffy.dll [2007-06-20 15:49]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]
{C37F396F-8B8B-DC70-8A7C-89ADACE924CE}=C:\WINDOWS\system32\wniuvjp.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 18:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 21:04 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 11:31]
"nwiz"="nwiz.exe" [2005-06-15 16:20 C:\WINDOWS\system32\nwiz.exe]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 15:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 19:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-29 07:17]
"udinajkv.exe"="D:\Documents and Settings\All Users\Application Data\udinajkv.exe" [2007-06-02 09:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-04-17 07:59]
"Henl"="C:\PROGRA~1\MANTEC~1\netdde.exe" []
"Mwlqls"="D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" [2005-05-10 13:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 20:21:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-22 20:22:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-22 20:21

--- E O F ---




HJT:

Logfile of HijackThis v1.99.1
Scan saved at 20:24, on 2007-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\qmibjrmk.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\QuickTime\qttask.exe
D:\Documents and Settings\All Users\Application Data\udinajkv.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {631F1A8B-DF14-8DE5-181B-838DB82D85C7} - C:\WINDOWS\system32\gffy.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qmibjrmk.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe




Thank you.

#10 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 27 June 2007 - 04:57 PM

So sorry for our delay extreme182. We are going over your logs and will have a reply for you soon.
Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

Fight back Malware Complaints

#11 extreme182

extreme182

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 28 June 2007 - 12:37 PM

I think I'm clean; haven't had anything come up since I did what they said ^_^

#12 EnigmaChick

EnigmaChick

    Computer Geek

  • Full Member
  • PipPipPipPipPip
  • 644 posts

Posted 02 July 2007 - 07:43 PM

  • Download RogueRemover by malwarebytes.org from here
  • Double-click on rr-free-setup.exe to start the installation of RogueRemover
  • Click Next
  • Click I agree
  • Click Install
  • Untick Show Readme
  • Click Finish
  • This will now launch RogueRemover
  • Close the help window
  • Click Check for updates
  • If there are any updates found click Download
  • Wait for any updates to finish downloading/installing, then click Close in the update window
  • Click on Scan
  • If nothing is found, then close RogueRemover
  • If RogueRemover did find something, it will present a list of detected items
  • Click on Save log
  • Click OK at the prompt
  • Click Remove selected
  • Click YES at the prompt
  • Wait for removal to complete & then close RogueRemover
  • Use Notepad to open this file: C:\Program Files\RogueRemover\RRLog******.txt
Post a new HJT log and let me know how your computer is running.

Logs to include in your reply
RogueRemover log
HJT

I'm waiting for an average computer that can't be infected with malware unless it's intentionally ........ 5 years later: I am still waiting

A Malware Fighting Tiger's Blog

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#13 extreme182

extreme182

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 July 2007 - 05:22 AM

Malwarebytes' RogueRemover
Malwarebytes 2007 http://www.malwarebytes.org
5458 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: File
Vendor: WinAntiVirus 2006
Location: C:\WINDOWS\system32\drivers\FOPN.sys
Selected for removal: Yes

Type: Folder
Vendor: WinAntiVirus 2006
Location: D:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
Selected for removal: Yes

Type: Registry Key
Vendor: WinAntiVirus 2006
Location: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FOPN
Selected for removal: Yes

Type: Registry Key
Vendor: WinAntiVirus 2006
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FOPN
Selected for removal: Yes

RogueRemover has found the objects above.






Logfile of HijackThis v1.99.1
Scan saved at 11:22, on 2007-07-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\QuickTime\qttask.exe
D:\Documents and Settings\All Users\Application Data\udinajkv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Documents and Settings\James.main\Desktop\TheKernelSR.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {631F1A8B-DF14-8DE5-181B-838DB82D85C7} - C:\WINDOWS\system32\gffy.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Unknown owner - C:\Program Files\Virgin Broadband\PCguard\fws.exe (file missing)

#14 EnigmaChick

EnigmaChick

    Computer Geek

  • Full Member
  • PipPipPipPipPip
  • 644 posts

Posted 11 July 2007 - 06:15 PM

Please help me to help you, extreme182. I asked you for an update on how your PC was now performing and you did not answer. Kindly leave me an update at the end of your next post.

File::
C:\gfrlv.exe
C:\WINDOWS\g438812.exe
C:\WINDOWS\system32\cgpusmxd.exe
C:\WINDOWS\system32\ddnockip.exe
C:\WINDOWS\system32\enjgtyxb.exe
C:\WINDOWS\system32\eutgufha.exe
C:\WINDOWS\system32\fcyxcfet.exe
C:\WINDOWS\system32\gdkuivrn.exe
C:\WINDOWS\system32\hbactjaw.exe
C:\WINDOWS\system32\hjgaediy.exe
C:\WINDOWS\system32\msvcrtd.exe
C:\WINDOWS\system32\nlcyyptc.exe
C:\WINDOWS\system32\onevbvwt.exe
C:\WINDOWS\system32\qmibjrmk.exe
C:\WINDOWS\system32\qsdpmduw.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\swhnokpi.exe
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\uafdbyji.exe
C:\WINDOWS\system32\wquwkoer.exe
C:\WINDOWS\system32\xdufoiwc.exe
C:\WINDOWS\system32\xxewgkhn.exe
C:\WINDOWS\system32\gffy.dll
C:\WINDOWS\system32\hdvirffo.dll
C:\WINDOWS\system32\ktsidwcn.dll
C:\WINDOWS\system32\M1achardks.dll
D:\DOCUME~1\ALLUSE~1\APPLIC~1\svchost.exe
D:\DOCUME~1\ALLUSE~1\APPLIC~1\udinajkv.exe

Folder::
C:\WINDOWS\system32\pmcubosf

Please copy the contents above into a Notepad document and save it as ComboFix-do.txt.
Save it to the Desktop and then drag it onto ComboFix.exe (as shown below); it will automatically start running.

A log will be created, please post it in your next post.


Open up HijackThis, do a System Scan and select the following entries (if present):
O2 - BHO: (no name) - {631F1A8B-DF14-8DE5-181B-838DB82D85C7} - C:\WINDOWS\system32\gffy.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll (file missing)
O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe
O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"

Press Fix checked and close the program.



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Please go to www.virustotal.com and upload this file
C:\WINDOWS\system32\The Matrix Trilogy.scr and scan it. Then please paste the results of the scan into your next post.

Post a new HJT log and let me know how your computer is running.

Logs to include in your reply
ComboFix-do log
HJT
Dr.WebCureIT
VirusTotal results

Edited by EnigmaChick, 11 July 2007 - 06:15 PM.

I'm waiting for an average computer that can't be infected with malware unless it's intentionally ........ 5 years later: I am still waiting

A Malware Fighting Tiger's Blog

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
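As an added example (not code from the post, from HijackThis or from ComboFix), here is the first-pass triage a helper does by eye on O2/O4 lines like the ones above, written out in Python. The sample entries are the ones quoted in the post; the heuristics and the list of system binary names are my own assumptions.

```python
import re

# Constructed sample: the HijackThis O2/O4 entries quoted in the post above.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {631F1A8B-DF14-8DE5-181B-838DB82D85C7} - C:\WINDOWS\system32\gffy.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {C37F396F-8B8B-DC70-8A7C-89ADACE924CE} - C:\WINDOWS\system32\wniuvjp.dll (file missing)",
    r"O4 - HKLM\..\Run: [udinajkv.exe] D:\Documents and Settings\All Users\Application Data\udinajkv.exe",
    r'O4 - HKCU\..\Run: [Henl] "C:\PROGRA~1\MANTEC~1\netdde.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Mwlqls] "D:\Documents and Settings\James.main\Application Data\?ppPatch\d?xplore.exe"',
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
# Assumed list: Windows binaries that legitimately live only under system32;
# a file with one of these names anywhere else is masquerading.
SYSTEM_NAMES = {"svchost.exe", "netdde.exe", "lsass.exe", "winlogon.exe", "services.exe"}


def exe_path(cmd):
    """Return the executable portion of an O4 command line, quoted or not."""
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd


def flag_entry(line):
    """Return the reasons an entry deserves a closer look (empty list = nothing noted)."""
    reasons = []
    if (m := BHO_RE.match(line)):
        if m["name"] == "(no name)":
            reasons.append("BHO with no name")
        if m["target"] == "(no file)" or m["target"].endswith("(file missing)"):
            reasons.append("BHO CLSID points at a missing file (orphaned registration)")
    elif (m := RUN_RE.match(line)):
        path = exe_path(m["cmd"])
        base = path.rsplit("\\", 1)[-1].lower()
        if "?" in path:
            reasons.append("path contains characters HijackThis could not print (shown as ?)")
        if re.search(r"application data", path, re.I):
            reasons.append("autorun launched from an Application Data folder")
        if base in SYSTEM_NAMES and "\\system32\\" not in path.lower():
            reasons.append(f"system binary name {base} outside system32")
    return reasons


def triage(lines):
    """Map each flagged log line to the reasons it was flagged."""
    return {ln: r for ln in lines if (r := flag_entry(ln))}
```

Every one of the six sample lines is flagged, while a normal entry such as `O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE` passes clean; the output is a starting point for a human review, not a verdict.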

#15 Indrid_Cold

Indrid_Cold

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 7,070 posts

Posted 24 July 2007 - 03:20 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

Fight back Malware Complaints



