Can't get rid of malware


  • This topic is locked
6 replies to this topic

#1 ljh (Full Member, 3 posts)

Posted 12 January 2008 - 12:03 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:04 PM, on 1/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Multimedia Card Reader\readericon10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E6ED01-2C22-4D30-893F-33C2751DE5EF} - c:\windows\system32\dbgengn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D95FCDAD-0554-47F2-A013-08DCAD709247} - C:\WINDOWS\System32\dmdskmgrp.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX5400 on SNOFLAKIE] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P37 "Auto EPSON Stylus CX5400 on SNOFLAKIE" /O20 "\\SNOFLAKIE\Printer2" /M "Stylus CX5400"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [readericon10] C:\Program Files\Multimedia Card Reader\readericon10.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: nlyeibve - C:\WINDOWS\SYSTEM32\dbgengn.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
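
The log above is what a helper reads first. As an added example (not from the thread, and not HijackThis's own logic), the Python below parses O-numbered lines in that format and applies the checks this particular log illustrates: BHOs with "(no name)", load points whose file is missing, Winlogon Notify keys whose value is a bare directory, and a cross-reference that flags one DLL hooked from more than one load point (dbgengn.dll appears here as both an O2 BHO and an O20 Winlogon Notify handler). The sample lines are a constructed excerpt of the posted log; the path regex and the rules are the editor's assumptions, not a published HijackThis heuristic.

```python
"""Triage a HijackThis v2 log the way a helper reads one.

Added example, not part of the original thread. SAMPLE_LOG is a constructed
excerpt in the same format as the log posted above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E6ED01-2C22-4D30-893F-33C2751DE5EF} - c:\windows\system32\dbgengn.dll
O2 - BHO: (no name) - {D95FCDAD-0554-47F2-A013-08DCAD709247} - C:\WINDOWS\System32\dmdskmgrp.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: nlyeibve - C:\WINDOWS\SYSTEM32\dbgengn.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r'^(O\d+) - (.*)$')
# First Windows path on the line: either up to a known binary extension
# (so paths with spaces work) or, failing that, a bare directory like C:\WINDOWS\.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^"\r\n]*?\.(?:exe|dll|sys|ocx|scr|cpl)\b|[^"\s]*)', re.I)


def parse_entries(log_text):
    """Yield (section, body, path, raw_line) for every O-numbered line.

    path is lower-cased so the mixed-case spellings HijackThis prints
    (c:\windows\system32 vs C:\WINDOWS\SYSTEM32) compare equal; None if absent.
    """
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        yield section, body, pm.group(0).lower() if pm else None, raw


def triage(log_text):
    """Return findings as dicts with section, path, reasons and the raw line."""
    entries = list(parse_entries(log_text))
    # Which load-point sections reference each file (bare directories ignored).
    sections_by_path = defaultdict(set)
    for section, _, path, _ in entries:
        if path and not path.endswith('\\'):
            sections_by_path[path].add(section)
    findings = []
    for section, body, path, raw in entries:
        reasons = []
        if section == 'O2' and '(no name)' in body:
            reasons.append('unnamed BHO')
        if '(file missing)' in body:
            reasons.append('load point whose file is missing')
        if section == 'O20' and (path is None or path.endswith('\\')):
            reasons.append('Winlogon Notify key with no DLL (bare directory)')
        if path and len(sections_by_path.get(path, ())) > 1:
            reasons.append('same file hooked from several load points: '
                           + ', '.join(sorted(sections_by_path[path])))
        if reasons:
            findings.append({'section': section, 'path': path,
                             'reasons': reasons, 'line': raw})
    return findings


def flagged_paths(log_text):
    """Merge findings per path: {path: sorted list of distinct reasons}."""
    merged = defaultdict(set)
    for f in triage(log_text):
        merged[f['path']].update(f['reasons'])
    return {p: sorted(r) for p, r in merged.items()}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['path']}: {'; '.join(f['reasons'])}")
```

Run against the sample it reports five entries: both unnamed BHOs, the missing dmdskmgrp.dll, the two Winlogon Notify keys with no DLL, and dbgengn.dll as hooked from both O2 and O20. The iTunes, Adobe and NVIDIA lines pass, which is the point: the checks key on structural oddities rather than on a list of known-bad names.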

#2 ljh (Full Member, 3 posts)

Posted 12 January 2008 - 12:18 AM

ComboFix 08-01-09.2 - Sean 2008-01-12 0:10:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.1583 [GMT -5:00]
Running from: C:\Documents and Settings\Sean\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\nazslkhq.dll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\Sean\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Sean\My Documents\MANTEC~1
C:\Documents and Settings\Sean\My Documents\MANTEC~1\??mantec\
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\Temporary
C:\Program Files\wnsxs~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tOasF.log
C:\WINDOWS\764.exe
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.log
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files.\xpreload.ocx
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\mwinsys.ini
C:\WINDOWS\ngd.dll
C:\WINDOWS\nwan.dat
C:\WINDOWS\pbar.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\BxdjMfwtXMwp.exe
C:\WINDOWS\spredirect.dll
C:\WINDOWS\System\AlxRes071106.exe
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\adeeg.bak1
C:\WINDOWS\system32\adeeg.bak2
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\adeeg.tmp
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\cubtnpnf.dll
C:\WINDOWS\system32\dbgengn.dll
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dmdskmgrp.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\jtlfovpv.dat
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\ohciusb.syt
C:\WINDOWS\system32\drivers\ohctusb.sys
C:\WINDOWS\system32\drivers\ohctusb.syt
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\edeeg.tmp
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fnpntbuc.ini
C:\WINDOWS\system32\hnpueghe.exe
C:\WINDOWS\system32\inf\scrsys071106.scr
C:\WINDOWS\system32\inf\scrsys16_071106.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\system32\mlkkj.tmp
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\msmapibx32.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\mywebhit.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\rlssanur.exe
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\RunOnce.tmp
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
C:\WINDOWS\system32\vMW10a
C:\WINDOWS\system32\vMW10a\vMW10a1099.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\vxyxyhzv.dllbox
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\wsusupd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MICROSOFT_INET_SERVICE
-------\LEGACY_OHCIUSB
-------\LEGACY_OLZUBRRH
-------\LEGACY_OZOSHKBU
-------\LEGACY_POOF
-------\olzubrrh
-------\ozoshkbu


((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-10 17:32 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\mtpkcgmfbtsb.sys
2008-01-10 17:32 . 2008-01-10 17:32 5,120 --a------ C:\WINDOWS\system32\1D4.tmp
2008-01-09 23:53 . 2008-01-11 09:54 18,432 --a------ C:\WINDOWS\fkwggshm.exe
2008-01-09 18:12 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\dfknsidulnxd.sys
2008-01-09 17:53 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-01-09 02:56 . 2008-01-09 03:01 1,439,744 --a------ C:\task00000ac7.tmp
2008-01-09 00:49 . 2001-08-17 14:03 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-09 00:06 . 2008-01-09 00:49 4,791,808 --a------ C:\task000021dd.tmp
2008-01-08 19:34 . 2008-01-09 02:55 0 --a------ C:\MWORDS.IDX
2008-01-08 19:34 . 2008-01-09 02:55 0 --a------ C:\MWORDS.DAT
2008-01-08 19:34 . 2008-01-08 19:34 0 --a------ C:\MFILTERS.IDX
2008-01-08 19:34 . 2008-01-08 19:34 0 --a------ C:\MFILTERS.DAT
2008-01-08 19:18 . 2008-01-08 19:18 <DIR> d-------- C:\Program Files\QuickPar
2008-01-08 17:11 . 2008-01-09 17:05 1,922,470,912 --a------ C:\00000006.DAT
2008-01-08 17:11 . 2008-01-09 16:39 587,005,952 --a------ C:\00000007.DAT
2008-01-08 17:11 . 2008-01-09 17:04 7,048,424 --a------ C:\00000007.IDX
2008-01-08 17:11 . 2008-01-09 17:07 6,990,503 --a------ C:\00000006.IDX
2008-01-08 17:11 . 2008-01-09 17:05 2,367,488 --a------ C:\XPOST.DAT
2008-01-08 17:11 . 2008-01-09 16:38 0 --a------ C:\WORDS.IDX
2008-01-08 17:11 . 2008-01-09 16:38 0 --a------ C:\WORDS.DAT
2008-01-08 17:11 . 2008-01-08 17:11 0 --a------ C:\FILTERS.IDX
2008-01-08 17:11 . 2008-01-08 17:11 0 --a------ C:\FILTERS.DAT
2008-01-08 17:05 . 2008-01-09 02:51 3,530,752 --a------ C:\groupdir.dat
2008-01-08 17:04 . 2008-01-09 17:07 9,047 --a------ C:\tasklog.xml
2008-01-08 17:04 . 2008-01-09 17:07 8,192 --a------ C:\folders.dat
2008-01-08 17:04 . 2008-01-08 17:04 8,121 --a------ C:\urltype.dat
2008-01-08 17:04 . 2008-01-09 13:45 5,782 --a------ C:\errorlog.xml
2008-01-08 17:04 . 2008-01-08 17:04 714 --a------ C:\00000003.IDX
2008-01-08 17:04 . 2008-01-09 01:55 680 --a------ C:\grpprops.dat
2008-01-08 17:03 . 2008-01-09 17:07 17,318 --a------ C:\AGENT.INI
2008-01-08 16:58 . 2008-01-08 16:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-08 07:55 . 2008-01-08 07:55 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-08 07:55 . 2008-01-09 18:05 <DIR> d-------- C:\Program Files\Multimedia Card Reader
2008-01-07 03:27 . 2008-01-11 22:59 2,124 --ah----- C:\Documents and Settings\All Users\Application Data\index0.dat
2008-01-07 03:26 . 2008-01-07 03:26 3,638 --a------ C:\winyvwl.exe
2008-01-07 03:25 . 2008-01-07 03:25 18,176 --a------ C:\WINDOWS\system32\drivers\plogg.sys
2008-01-07 03:25 . 2008-01-07 03:25 3,638 --a------ C:\winyvbt.exe
2008-01-07 03:25 . 2008-01-07 03:26 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2008-01-07 01:58 . 2008-01-07 01:58 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Apple Computer
2008-01-07 01:57 . 2008-01-07 01:57 <DIR> d-------- C:\Program Files\QuickTime
2008-01-07 01:57 . 2008-01-09 18:04 <DIR> d-------- C:\Program Files\iTunes
2008-01-07 01:57 . 2008-01-07 01:57 <DIR> d-------- C:\Program Files\iPod
2008-01-07 01:57 . 2008-01-07 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-07 01:56 . 2008-01-07 01:56 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-07 01:56 . 2008-01-07 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-01 17:33 . 2008-01-08 17:03 <DIR> d-------- C:\Program Files\Agent
2008-01-01 17:33 . 2008-01-01 17:33 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Forte
2007-12-29 19:09 . 2007-12-29 19:09 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\Talkback
2007-12-29 19:09 . 2007-12-29 19:09 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-20 04:04 . 2007-12-20 04:04 153 --a------ C:\WINDOWS\system32\delFSF.bat
2007-12-19 20:33 . 2007-12-19 20:33 <DIR> d-------- C:\Program Files\DVD X Studios
2007-12-19 20:33 . 2007-12-19 20:33 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2007-12-14 19:32 . 2007-12-14 19:32 3,638 --a------ C:\winmeds.exe
2007-12-12 22:17 . 2007-12-12 22:35 746,550 --a------ C:\WINDOWS\TBulbs Wallpaper.bmp
2007-12-12 22:14 . 2008-01-11 22:57 <DIR> d-------- C:\Program Files\Twinkle Bulbs
2007-12-12 00:51 . 2007-12-12 00:51 3,072 --a------ C:\WINDOWS\system32\drivers\6CCBDABD-D156-40B5-A74C-C6DD44ADAA65.cxv
2007-12-12 00:49 . 2007-12-12 00:49 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-12-12 00:49 . 2007-12-12 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 05:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 03:13 --------- d-----w C:\Program Files\City of Heroes
2007-12-28 23:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-28 23:45 --------- d-----w C:\Documents and Settings\Sean\Application Data\SUPERAntiSpyware.com
2007-12-15 00:32 97,280 ----a-w C:\WINDOWS\system32\imm32.dll
2007-12-14 02:46 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-11 00:23 --------- d-----w C:\Documents and Settings\Sean\Application Data\uTorrent
2007-12-04 20:32 8,711 ----a-w C:\winuurm.exe
2007-12-03 03:05 11,376 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-01 23:03 10,000 ----a-w C:\WINDOWS\system32\jkd845jg.dll
2007-11-26 00:41 --------- d-----w C:\Documents and Settings\Sean\Application Data\Move Networks
2007-11-19 09:19 3,456 ----a-w C:\WINDOWS\system32\drivers\ohdusb.sys
2007-11-19 06:31 3,584 ----a-w C:\WINDOWS\system32\drivers\ohcusb.syt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 20:00 99840]
"Auto EPSON Stylus CX5400 on SNOFLAKIE"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 20:00 99840]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"readericon10"="C:\Program Files\Multimedia Card Reader\readericon10.exe" [2007-05-03 11:55 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe

R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 01:23]
R2 ohdusb;Open Host Controller Miniport USB Driver (rev.d);C:\WINDOWS\System32\drivers\ohdusb.sys [2007-11-19 04:19]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 12:26:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 00:13:53
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 0:15:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-12 05:15:11
.

#3 SWI Support Robot (helper robot, 23,520 posts)

Posted 14 January 2008 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 jedi (Emeritus, 15,830 posts)

    aequam memento rebus in arduis servare mentem (remember to keep an even mind in difficult times)

Posted 18 January 2008 - 02:17 PM

Hi,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks whether you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found: (image)
  • If so, click it, then click the icon right below it and select Move incurable, as shown in the next image:
    (image)
    This will move anything that can't be cured to the %userprofile%\DoctorWeb\quarantaine folder (in case we need samples).
  • After that, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files that were in use may only be moved or deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved in your next reply.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 ljh (Full Member, 3 posts)

Posted 20 January 2008 - 08:01 PM

ohdusb.sys;c:\windows\system32\drivers;Trojan.NtRootKit.560;Deleted.;
winmeds.exe;C:\;Trojan.DownLoader.origin;Incurable.Moved.;
winuurm.exe;C:\;Trojan.DownLoader.37981;Deleted.;
winyvbt.exe;C:\;Trojan.DownLoader.origin;Incurable.Moved.;
winyvwl.exe;C:\;Trojan.DownLoader.origin;Incurable.Moved.;
dbgengn.dll;C:\!KillBox;Trojan.Click.4871;Deleted.;
dmdskmgrp.9;C:\!KillBox;Trojan.Iespy;Deleted.;
dmdskmgrp.dll;C:\!KillBox;Trojan.DownLoader.37340;Deleted.;
dmdskmgrp.dll( 1);C:\!KillBox;Trojan.DownLoader.37340;Deleted.;
dmdskmgrp.dll( 2);C:\!KillBox;Trojan.DownLoader.37340;Deleted.;
dmdskmgrp.dll( 3);C:\!KillBox;Trojan.DownLoader.37340;Deleted.;
RegUBP2b-Sean.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
dgjeh8.dll;C:\Program Files\DVD X Studios\DVD X Player 4.1 Standard;Trojan.Packed.181;Deleted.;
tvay32.dll;C:\Program Files\DVD X Studios\DVD X Player 4.1 Standard;Trojan.Packed.181;Deleted.;
winjecf5.dll;C:\Program Files\DVD X Studios\DVD X Player 4.1 Standard;Trojan.Packed.181;Deleted.;
winnwmkl32.dll;C:\Program Files\DVD X Studios\DVD X Player 4.1 Standard;Trojan.Packed.181;Deleted.;
wlbuwnf32.dll;C:\Program Files\DVD X Studios\DVD X Player 4.1 Standard;Trojan.Packed.181;Deleted.;
nwan.dat.vir;C:\QooBox\Quarantine\C\WINDOWS;Trojan.Ascesso;Deleted.;
AlxRes071106.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system;Trojan.Hitpop.origin;Incurable.Moved.;
hnpueghe.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Hammer;Deleted.;
lpcywinp.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.395;Deleted.;
mp43.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;BackDoor.Generic.1570;Deleted.;
msmapibx32.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.NtRootKit.560;Deleted.;
rlssanur.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Hammer;Deleted.;
scrsys071106.scr.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\inf;Trojan.Hitpop.origin;Incurable.Moved.;
scrsys16_071106.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\inf;Trojan.Hitpop.origin;Incurable.Moved.;
vMW02a1065.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\vMW02a;Trojan.DownLoader.24715;Deleted.;
vMW10a1099.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\vMW10a;Trojan.DownLoader.24715;Deleted.;
A0014089.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP47;Trojan.Packed.181;Deleted.;
A0020015.exe;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP48;BackDoor.Generic.1570;Deleted.;
A0020301.sys;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP50;Trojan.Click.2068;Deleted.;
A0020302.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP50;Trojan.DownLoader.35872;Deleted.;
A0020791.sys;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.NtRootKit.560;Deleted.;
A0020792.exe;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.origin;Incurable.Moved.;
A0020793.exe;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.37981;Deleted.;
A0020794.exe;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.origin;Incurable.Moved.;
A0020795.exe;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.origin;Incurable.Moved.;
A0020796.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Click.4871;Deleted.;
A0020797.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.37340;Deleted.;
A0020798.reg;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.StartPage.1505;Deleted.;
A0020799.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Packed.181;Deleted.;
A0020800.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Packed.181;Deleted.;
A0020801.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Packed.181;Deleted.;
A0020802.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Packed.181;Deleted.;
A0020803.dll;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Packed.181;Deleted.;
dbgengn.dll.bak;C:\WINDOWS\system32;Trojan.Click.4796;Deleted.;
dmdskmgrp.1;C:\WINDOWS\system32;Trojan.Iespy;Deleted.;
dmdskmgrp.2;C:\WINDOWS\system32;Trojan.Sentinel;Incurable.Moved.;
dmdskmgrp.3;C:\WINDOWS\system32;Trojan.PWS.Tanspy.775;Deleted.;
dmdskmgrp.4;C:\WINDOWS\system32;Trojan.Click.4671;Deleted.;
dmdskmgrp.5;C:\WINDOWS\system32;Trojan.Sentinel;Deleted.;
dmdskmgrp.6;C:\WINDOWS\system32;Trojan.Sentinel;Deleted.;
dmdskmgrp.7;C:\WINDOWS\system32;Trojan.Sentinel;Deleted.;
dmdskmgrp.8;C:\WINDOWS\system32;Trojan.Iespy;Deleted.;
phyhvitx.dll.bak;C:\WINDOWS\system32;BackDoor.Pigeon.9123;Deleted.;
rkgda.bak;C:\WINDOWS\system32;Trojan.Click.4796;Deleted.;
rkte.exe;C:\WINDOWS\system32;BackDoor.Roam;Deleted.;
jtlfovpv.sys;C:\WINDOWS\system32\drivers;Trojan.Sentinel;Deleted.;
backup-20071121-232312-111.dll;E:\backups;Trojan.Click.4871;Deleted.;
backup-20071121-232312-153.dll;E:\backups;Trojan.Iespy;Deleted.;
backup-20071201-184625-363.dll;E:\backups;Trojan.DownLoader.37340;Deleted.;
backup-20071201-184625-428.dll;E:\backups;Trojan.Click.4871;Deleted.;
backup-20071201-184625-436.dll;E:\backups;Trojan.DownLoader.35873;Deleted.;
backup-20071201-184625-656.dll;E:\backups;Trojan.DownLoader.35872;Deleted.;
backup-20071201-184747-205.dll;E:\backups;Trojan.Click.4871;Deleted.;
backup-20071201-184747-440.dll;E:\backups;Trojan.DownLoader.37340;Deleted.;
backup-20071202-205421-154.dll;E:\backups;Trojan.Click.4871;Deleted.;
backup-20071202-205421-976.dll;E:\backups;Trojan.DownLoader.37340;Deleted.;
backup-20071202-205505-557.dll;E:\backups;Trojan.DownLoader.37340;Deleted.;
backup-20071202-205505-820.dll;E:\backups;Trojan.Click.4871;Deleted.;
backup-20080107-061920-284.dll;E:\backups;Trojan.Click.4871;Deleted.;
backup-20080107-061920-826.dll;E:\backups;Trojan.Fakealert.394;Deleted.;
A0020806.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Click.4871;Deleted.;
A0020807.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Iespy;Deleted.;
A0020808.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.37340;Deleted.;
A0020809.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Click.4871;Deleted.;
A0020810.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.35873;Deleted.;
A0020811.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.35872;Deleted.;
A0020812.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Click.4871;Deleted.;
A0020813.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.37340;Deleted.;
A0020814.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Click.4871;Deleted.;
A0020815.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.37340;Deleted.;
A0020816.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.DownLoader.37340;Deleted.;
A0020817.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Click.4871;Deleted.;
A0020818.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Click.4871;Deleted.;
A0020819.dll;E:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.Fakealert.394;Deleted.;
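
Added example, not from the thread and not Dr.Web's own tooling: a summariser for the DrWeb.csv format posted above (one `name;directory;threat;action;` record per line). It groups hits by detection family and action, and separates hits inside restore points and tool quarantines (already-neutralised copies) from hits at live paths, which are what matter after ComboFix has already run; on the real report the live hits include ohdusb.sys, the driver ComboFix listed as still installed (R2 ohdusb). The sample is a constructed excerpt of the posted report. The location patterns and the "live" classification are the editor's assumptions; E:\backups is treated as live because the script cannot know what that folder holds.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv).

Added example, not part of the original thread. SAMPLE_REPORT is a
constructed excerpt of the report posted above; the record format is
name;directory;threat;action; with a trailing separator.
"""
import csv
import io
import re
from collections import Counter

SAMPLE_REPORT = r"""
ohdusb.sys;c:\windows\system32\drivers;Trojan.NtRootKit.560;Deleted.;
winmeds.exe;C:\;Trojan.DownLoader.origin;Incurable.Moved.;
dbgengn.dll;C:\!KillBox;Trojan.Click.4871;Deleted.;
mp43.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;BackDoor.Generic.1570;Deleted.;
A0020791.sys;C:\System Volume Information\_restore{8FF57CE8-65DD-4A35-B1B6-63F0B8BE4DEF}\RP63;Trojan.NtRootKit.560;Deleted.;
rkte.exe;C:\WINDOWS\system32;BackDoor.Roam;Deleted.;
backup-20071201-184625-363.dll;E:\backups;Trojan.DownLoader.37340;Deleted.;
"""

# Folders where a hit is an already-neutralised copy, not a live infection.
# Assumed by the editor from the paths in the report; extend as needed.
INERT_LOCATIONS = (
    (re.compile(r'\\system volume information\\_restore', re.I), 'restore point'),
    (re.compile(r'\\qoobox\\quarantine', re.I), 'ComboFix quarantine'),
    (re.compile(r'\\!killbox', re.I), 'KillBox quarantine'),
)


def classify_location(directory):
    """Return an inert-location label, or 'live' for anything else."""
    for pattern, label in INERT_LOCATIONS:
        if pattern.search(directory):
            return label
    return 'live'


def family(threat):
    """Strip the variant suffix: Trojan.DownLoader.37981 -> Trojan.DownLoader."""
    return re.sub(r'\.(\d+|origin)$', '', threat)


def parse_report(text):
    """Parse the semicolon-separated report into a list of record dicts."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=';'):
        if len(row) < 4 or not row[0]:
            continue
        name, directory, threat, action = row[:4]
        records.append({
            'path': directory.rstrip('\\') + '\\' + name,
            'threat': threat,
            'family': family(threat),
            'action': action,
            'location': classify_location(directory),
        })
    return records


def summarize(records):
    """Counts per family and action, plus the lists a helper acts on."""
    return {
        'families': Counter(r['family'] for r in records),
        'actions': Counter(r['action'] for r in records),
        # Hits outside quarantine/restore folders: still-active infection.
        'live_hits': [r['path'] for r in records if r['location'] == 'live'],
        # 'Incurable.Moved.' entries end up in the Dr.Web quarantine folder
        # and are the files to submit if samples are needed.
        'quarantined_samples': [r['path'] for r in records
                                if r['action'] == 'Incurable.Moved.'],
    }


if __name__ == '__main__':
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f'{key}: {value}')
```

On the sample this yields two Trojan.NtRootKit hits but only one at a live path (the driver), one quarantined sample (winmeds.exe), and four live hits versus three inert copies; reading the full report the same way shows how much of its length is restore-point and quarantine echoes of files that were already removed.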

#6 jedi (Emeritus, 15,830 posts)

Posted 21 January 2008 - 05:25 AM

Hi again,

OK, please do the following:

Go to Start > Run and copy and paste the following command into the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Next:

Download and scan with the most recent version of ComboFix.
Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've done that, along with a new HijackThis log.

jedi

#7 jedi (Emeritus, 15,830 posts)

Posted 09 February 2008 - 03:32 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi
