View Full Version : Smitfraud.C Removal

DaWib
2007-07-30, 07:58
Accidentally opened a file sent by my friend whose email account got haxxored. :oops: -.-" I've run Spybot and SmitfraudFix several times, but it's persisted. Additionally, I cannot access Safe Mode; every time I try, the computer freezes and restarts. HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:00 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\g4356cbvy63.exe
C:\WINDOWS\BillGatesLoh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pscdfvvt\pqmegncl.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {397E4B56-67D2-47D5-9A04-80986EE4D927} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F2C9C90-529E-8145-2E89-06A7789C150D} - C:\Program Files\Nkmwmiut\wfahopid.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ShellONStartup] D:\Program Files\ShellON\ShellONInstall\ShellONStartup.exe
O4 - HKLM\..\Run: [nebyzkdm.exe] C:\Documents and Settings\All Users\Application Data\nebyzkdm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BCWipeTM Startup] "D:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [BillGatesLoh.exe] C:\WINDOWS\BillGatesLoh.exe
O4 - HKLM\..\Run: [yxyzunkh] rundll32.exe "C:\Program Files\yxyzunkh\gpwjcjox.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [pqmegncl] C:\Program Files\Pscdfvvt\pqmegncl.exe
O4 - HKLM\..\Run: [vngaosxj] C:\Program Files\Upsvzujh\vngaosxj.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: HoverDesk.lnk = D:\Program Files\HoverDesk\HoverDesk.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with DAM - D:\Program Files\Tensons\Download Accelerator Manager\Free Edition\addUrl.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: wbsys.dll c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

random/random
2007-07-30, 20:43
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

DaWib
2007-07-31, 04:30
I ran ComboFix, and after it produces the message "Do not change it back. It will be restored later." it seems to stop scanning. It has not frozen, because the cursor in the window is still blinking, but it won't respond to any commands. What should I do?

DaWib
2007-07-31, 04:45
Never mind... it was just slow :red: Here's the ComboFix log and a new HJT log:

ComboFix 07-07-30.2 - "ALEX" 2007-07-30 19:28:43.4 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\ssqrq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\d.exe
C:\DOCUME~1\ALEX\APPLIC~1.\addon.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\ppatch~1
C:\Program Files\icroso~1.net
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe~
C:\WINDOWS\csrss.exe
C:\WINDOWS\smsys.dat
C:\WINDOWS\system32\0315215441.dll
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\DefLib.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\scchk32.exe.bak
C:\WINDOWS\system32\wpcap.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_ICF
-------\LEGACY_NPF
-------\LEGACY_SYSLIBRARY
-------\LEGACY_TKA23
-------\ICF
-------\NPF
-------\SysLibrary


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-30 19:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 19:00 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-30 18:54 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-30 18:50 90,624 --a------ C:\WINDOWS\system32\msoert2.dll
2007-07-30 18:50 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2007-07-30 18:50 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2007-07-30 18:50 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-07-30 18:50 70,400 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-07-30 18:50 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2007-07-30 18:50 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-07-30 18:50 61,952 --a------ C:\WINDOWS\system32\srclient.dll
2007-07-30 18:50 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-07-30 18:50 47,616 --a------ C:\WINDOWS\system32\inetres.dll
2007-07-30 18:50 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2007-07-30 18:50 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-07-30 18:50 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-07-30 18:50 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-07-30 18:50 32,384 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-07-30 18:50 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-07-30 18:50 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-07-30 18:50 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2007-07-30 18:50 249,856 --a------ C:\WINDOWS\system32\mstask.dll
2007-07-30 18:50 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-07-30 18:50 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-07-30 18:50 218,112 --a------ C:\WINDOWS\system32\srrstr.dll
2007-07-30 18:50 179,200 --a------ C:\WINDOWS\system32\qmgr.dll
2007-07-30 18:50 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-07-30 18:50 158,720 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-07-30 18:50 155,136 --a------ C:\WINDOWS\system32\srsvc.dll
2007-07-30 18:48 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-07-30 18:48 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:48 88,576 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-07-30 18:48 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-07-30 18:48 8,704 --a------ C:\WINDOWS\system32\icaapi.dll
2007-07-30 18:48 73,864 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-07-30 18:48 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2007-07-30 18:48 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-07-30 18:48 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-07-30 18:48 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-07-30 18:48 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-07-30 18:48 503,296 --a------ C:\WINDOWS\system32\mstscax.dll
2007-07-30 18:48 41,984 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-07-30 18:48 40,448 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-07-30 18:48 4,096 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-07-30 18:48 385,536 --a------ C:\WINDOWS\system32\mstsc.exe
2007-07-30 18:48 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-07-30 18:48 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-07-30 18:48 20,232 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-07-30 18:48 197,632 --a------ C:\WINDOWS\system32\termsrv.dll
2007-07-30 18:48 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2007-07-30 18:48 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2007-07-30 18:48 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-07-30 18:48 134,656 --a------ C:\WINDOWS\system32\rdchost.dll
2007-07-30 18:48 130,048 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-07-30 18:48 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-07-30 18:48 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-07-30 18:48 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-07-30 18:48 112,128 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:48 11,144 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-07-30 18:47 57,344 --a------ C:\WINDOWS\system32\licwmi.dll
2007-07-30 18:47 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2007-07-30 18:47 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2007-07-30 18:47 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-07-30 18:43 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-07-30 18:43 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-30 18:42 55,808 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-07-30 18:42 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-30 18:41 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-07-30 18:38 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-07-30 18:30 37,896 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-07-30 18:30 181,632 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-07-30 18:29 70,656 --a------ C:\WINDOWS\system32\storprop.dll
2007-07-30 18:29 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-07-30 18:29 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-07-30 18:29 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-07-30 08:47 3,072 --a------ C:\DOCUME~1\ALEX\open.exe
2007-07-29 20:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-29 20:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-29 20:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-29 19:34 <DIR> d-------- C:\Program Files\Upsvzujh
2007-07-29 19:34 <DIR> d-------- C:\Program Files\Nkmwmiut
2007-07-29 18:41 126,976 --a------ C:\DOCUME~1\ALEX\gfmmjk.exe
2007-07-29 18:34 7,968 --a------ C:\WINDOWS\system32\spooldr.sys
2007-07-29 18:04 50 --a------ C:\1C9.bat
2007-07-29 17:32 168,960 --a------ C:\WINDOWS\system32\drivers\Tka23.sys
2007-07-29 17:32 155,648 --a------ C:\WINDOWS\BillGatesLoh.exe
2007-07-29 17:32 <DIR> d-------- C:\WINDOWS\system32\csaedtdh
2007-07-29 17:32 <DIR> d-------- C:\Program Files\yxyzunkh
2007-07-29 17:32 <DIR> d-------- C:\Program Files\SecCenter
2007-07-29 17:32 <DIR> d-------- C:\Program Files\Pscdfvvt
2007-07-29 17:32 <DIR> d-------- C:\Program Files\Lcjvnvux
2007-07-29 17:31 <DIR> d-------- C:\Temp\brr
2007-07-29 17:23 126,976 --a------ C:\DOCUME~1\ALEX\wbblli.exe
2007-07-26 08:18 <DIR> d-------- C:\DOCUME~1\ALEX\APPLIC~1\Nexon
2007-07-20 23:14 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-20 23:14 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-20 23:14 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-20 23:13 96,768 --a------ C:\WINDOWS\system32\logagent.exe
2007-07-20 23:13 940,544 --a------ C:\WINDOWS\system32\wmspdmoe.dll
2007-07-20 23:13 895,736 --a------ C:\WINDOWS\system32\wmvdmod.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 19:21 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\.purple
2007-07-30 19:01 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-30 18:50 --------- d-------- C:\Program Files\Movie Maker
2007-07-30 18:48 --------- d-------- C:\Program Files\Windows NT
2007-07-29 09:40 --------- d-------- C:\Program Files\Lx_cats
2007-06-29 16:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-28 13:44 --------- d-------- C:\Program Files\Common Files\Merge Modules
2007-06-28 13:39 --------- d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2007-06-19 19:07 515072 --a------ C:\WINDOWS\system32\logonuiX.exe
2007-06-17 18:27 6263 --a------ C:\WINDOWS\mozver.dat
2007-06-12 16:26 --------- d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-06-03 09:29 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-06-02 17:55 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\X-Chat 2
2007-06-02 17:40 --------- d-------- C:\Program Files\Common Files\aolshare
2007-06-02 15:36 --------- d-------- C:\Program Files\QuickTime
2007-05-28 18:11 --------- d-------- C:\Program Files\Microsoft.NET


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{397E4B56-67D2-47D5-9A04-80986EE4D927}]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F2C9C90-529E-8145-2E89-06A7789C150D}]
2007-07-29 19:34 102400 --a------ C:\Program Files\Nkmwmiut\wfahopid.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-12-17 22:00]
"nwiz"="nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-07-03 11:40]
"HostManager"="C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-03 12:31]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 14:33]
"D-Link AirPlus XtremeG"="D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-10-27 16:07]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-14 10:17]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 23:07]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 05:05]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 06:36]
"ShellONStartup"="D:\Program Files\ShellON\ShellONInstall\ShellONStartup.exe" []
"nebyzkdm.exe"="C:\Documents and Settings\All Users\Application Data\nebyzkdm.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"BCWipeTM Startup"="D:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [2004-02-24 22:49]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"SysMetrix"="D:\Program Files\SysMetrix\SysMetrix.exe" [2006-02-25 13:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 18:38]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" []
"yxyzunkh"="C:\Program Files\yxyzunkh\gpwjcjox.dll" [2007-07-29 17:32]
"pqmegncl"="C:\Program Files\Pscdfvvt\pqmegncl.exe" [2007-07-29 17:32]
"vngaosxj"="C:\Program Files\Upsvzujh\vngaosxj.exe" [2007-07-29 19:34]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 12:39 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 05:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"Pidgin"="C:\Program Files\Pidgin\pidgin.exe" [2007-06-15 05:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-06-07 16:38 176128 D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

R2 ANIO;ANIO Service;\??\C:\WINDOWS\system32\ANIO.SYS
R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
R2 NAVAPEL;NAVAPEL;\??\D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R3 NAVAP;NAVAP;\??\D:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\System32\DRIVERS\wanatw4.sys
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\System32\DRIVERS\A5AGU.sys
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\System32\Drivers\ATHFMWDL.sys
S3 ctljystk;Creative SBLive! Gameport;C:\WINDOWS\System32\DRIVERS\ctljystk.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
S3 idrmkl;idrmkl;\??\C:\DOCUME~1\ALEX\LOCALS~1\Temp\idrmkl.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys
S3 usbcm;USB Cable Modem 351000 NDIS Driver;C:\WINDOWS\System32\DRIVERS\usbcm.sys
S4 BCSWAP;BCSWAP;C:\WINDOWS\System32\drivers\BCSWAP.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7AC5DF9C-0F1C-E2CB-6770-4B2C483A02CD}]
C:\WINDOWS\system32\Systemfiles\taskmgr.exe s

Contents of the 'Scheduled Tasks' folder
2007-07-28 23:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2007-07-31 02:37:37 C:\WINDOWS\Tasks\Sysmetrix.job - C:\Program Files\Hawkeye\Sysmetrix.hss

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 19:38:00
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ATWPKT2]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\ATWPKT2.SYS"

Completion time: 2007-07-30 19:40:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 19:40

--- E O F ---

DaWib
2007-07-31, 04:47
And the HJT log, because the post was too long.

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:44:32 PM, on 7/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Pscdfvvt\pqmegncl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {397E4B56-67D2-47D5-9A04-80986EE4D927} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F2C9C90-529E-8145-2E89-06A7789C150D} - C:\Program Files\Nkmwmiut\wfahopid.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ShellONStartup] D:\Program Files\ShellON\ShellONInstall\ShellONStartup.exe
O4 - HKLM\..\Run: [nebyzkdm.exe] C:\Documents and Settings\All Users\Application Data\nebyzkdm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BCWipeTM Startup] "D:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [yxyzunkh] rundll32.exe "C:\Program Files\yxyzunkh\gpwjcjox.dll",Init
O4 - HKLM\..\Run: [pqmegncl] C:\Program Files\Pscdfvvt\pqmegncl.exe
O4 - HKLM\..\Run: [vngaosxj] C:\Program Files\Upsvzujh\vngaosxj.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - Startup: HoverDesk.lnk = D:\Program Files\HoverDesk\HoverDesk.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with DAM - D:\Program Files\Tensons\Download Accelerator Manager\Free Edition\addUrl.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

DaWib
2007-07-31, 06:23
Good thing there are no limits on multiple posts. Safe Mode works now since I repaired my copy of Windows with the CD. :laugh:

random/random
2007-07-31, 17:07
Open a new Notepad window (Start > All Programs > Accessories > Notepad).
Highlight the contents of the codebox below and then press Ctrl+C to copy it to the clipboard.

Folder::
C:\Program Files\Upsvzujh
C:\Program Files\Nkmwmiut
C:\WINDOWS\system32\csaedtdh
C:\Program Files\yxyzunkh
C:\Program Files\SecCenter
C:\Program Files\Pscdfvvt
C:\Program Files\Lcjvnvux
C:\Temp\brr
C:\DOCUME~1\ALEX\LOCALS~1\Temp\idrmkl.sys
DirLook::
C:\Program Files\WindowsUpdate
C:\WINDOWS\system32\Systemfiles
File::
C:\DOCUME~1\ALEX\gfmmjk.exe
C:\WINDOWS\system32\spooldr.sys
C:\1C9.bat
C:\WINDOWS\system32\drivers\Tka23.sys
C:\WINDOWS\BillGatesLoh.exe
C:\DOCUME~1\ALEX\wbblli.exe
C:\Documents and Settings\All Users\Application Data\nebyzkdm.exe
C:\WINDOWS\system32\Systemfiles\taskmgr.exe
FileLook::
C:\Program Files\Hawkeye\Sysmetrix.hss
C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
C:\WINDOWS\System32\drivers\BCSWAP.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{397E4B56-67D2-47D5-9A04-80986EE4D927}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F2C9C90-529E-8145-2E89-06A7789C150D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nebyzkdm.exe"=-
"yxyzunkh"=-
"pqmegncl"=-
"vngaosxj"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7AC5DF9C-0F1C-E2CB-6770-4B2C483A02CD}]
Driver::
idrmkl
Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit > Paste.
Save it to the desktop as CFscript.txt.
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
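As an added example (not part of the thread, and not ComboFix's or the helper's own tooling), a small Python cross-check of the CFScript above against the O4 and O20 lines of the HijackThis log posted earlier: it shows which autostart entries the script removes and flags any Run value whose target file is deleted without the value itself being removed. The sample input is copied from the thread, except one Run line marked as constructed.

```python
"""Cross-check a ComboFix CFScript against the autostart lines of a HijackThis log.
Added example, not part of the original thread: reports which O4 (Run) and O20
(Winlogon Notify) entries the script removes, and which Run values would be left
pointing at a file the script deletes. Sample input is copied from the thread."""
import re

SECTION_RE = re.compile(r"^(\w+)::$")   # "Folder::", "File::", "Registry::", ...
DEL_KEY_RE = re.compile(r"^\[-(.+)\]$")  # [-KEY]   delete the whole key
SEL_KEY_RE = re.compile(r"^\[(.+)\]$")   # [KEY]    following "name"=- lines apply to it
DEL_VAL_RE = re.compile(r'^"(.+)"=-$')   # "name"=- delete that value under the selected key
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections; every other non-empty line is an item."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"item before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def registry_deletions(items):
    """Return (deleted keys, {selected key: [deleted value names]}) for a Registry:: section."""
    deleted_keys, deleted_values, selected = [], {}, None
    for item in items:
        if m := DEL_KEY_RE.match(item):
            deleted_keys.append(m.group(1))
            selected = None
        elif m := SEL_KEY_RE.match(item):
            selected = m.group(1)
        elif (m := DEL_VAL_RE.match(item)) and selected is not None:
            deleted_values.setdefault(selected, []).append(m.group(1))
    return deleted_keys, deleted_values

def crosscheck(cfscript, hjt_log):
    """Classify each HJT O4/O20 line by what the CFScript does to it."""
    sections = parse_cfscript(cfscript)
    deleted_keys, deleted_values = registry_deletions(sections.get("Registry", []))
    run_names = {v.lower() for k, vals in deleted_values.items()
                 if k.lower().endswith("\\currentversion\\run") for v in vals}
    notify_names = {k.lower().rsplit("\\", 1)[-1] for k in deleted_keys
                    if "\\winlogon\\notify\\" in k.lower()}
    paths = [p.lower() for p in sections.get("Folder", []) + sections.get("File", [])]
    report = {"run_removed": [], "run_orphaned": [], "run_kept": [],
              "notify_removed": [], "notify_kept": []}
    for line in hjt_log.splitlines():
        if m := O4_RE.match(line.strip()):
            name, command = m.group(2), m.group(3).lower()
            if name.lower() in run_names:
                report["run_removed"].append(name)
            elif any(p in command for p in paths):
                # The file goes away but its Run value stays: a dangling autostart entry.
                report["run_orphaned"].append(name)
            else:
                report["run_kept"].append(name)
        elif m := O20_RE.match(line.strip()):
            name = m.group(1)
            report["notify_removed" if name.lower() in notify_names else "notify_kept"].append(name)
    return report

# The helper's CFScript from the thread, abridged to the sections used here.
CFSCRIPT = r"""
Folder::
C:\Program Files\Upsvzujh
C:\Program Files\yxyzunkh
C:\Program Files\Lcjvnvux
File::
C:\WINDOWS\BillGatesLoh.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nebyzkdm.exe"=-
"yxyzunkh"=-
"pqmegncl"=-
"vngaosxj"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]
"""

# O4/O20 lines from the user's HijackThis log. The [hypothetical] line is constructed:
# its file lives in a Folder:: the script deletes, but no matching "name"=- is present.
HJT_LOG = r"""
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nebyzkdm.exe] C:\Documents and Settings\All Users\Application Data\nebyzkdm.exe
O4 - HKLM\..\Run: [yxyzunkh] rundll32.exe "C:\Program Files\yxyzunkh\gpwjcjox.dll",Init
O4 - HKLM\..\Run: [pqmegncl] C:\Program Files\Pscdfvvt\pqmegncl.exe
O4 - HKLM\..\Run: [vngaosxj] C:\Program Files\Upsvzujh\vngaosxj.exe
O4 - HKLM\..\Run: [hypothetical] C:\Program Files\Lcjvnvux\sjrbvkth.exe
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for category, names in crosscheck(CFSCRIPT, HJT_LOG).items():
        print(f"{category:15s} {names}")
```

An orphaned entry is worth fixing before rebooting, since the Run value will otherwise keep trying to start a file that no longer exists.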

DaWib
2007-08-03, 06:44
ComboFix 07-07-30.2 - "ALEX" 2007-08-02 21:28:14.5 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\ALEX\cfscript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\1C9.bat
C:\DOCUME~1\ALEX\gfmmjk.exe
C:\DOCUME~1\ALEX\wbblli.exe
C:\Program Files\Lcjvnvux
C:\Program Files\Lcjvnvux\sjrbvkth.dll
C:\Program Files\Nkmwmiut
C:\Program Files\Nkmwmiut\wfahopid.dll
C:\Program Files\Pscdfvvt
C:\Program Files\Pscdfvvt\pqmegncl.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe~
C:\Program Files\Upsvzujh
C:\Program Files\Upsvzujh\vngaosxj.exe
C:\Program Files\yxyzunkh
C:\Program Files\yxyzunkh\gpwjcjox.dll
C:\Temp\brr
C:\WINDOWS\BillGatesLoh.exe
C:\WINDOWS\system32\csaedtdh
C:\WINDOWS\system32\csaedtdh\bg1.gif
C:\WINDOWS\system32\csaedtdh\bgtop.gif
C:\WINDOWS\system32\csaedtdh\bottom1.gif
C:\WINDOWS\system32\csaedtdh\essentials.gif
C:\WINDOWS\system32\csaedtdh\icon1.ico
C:\WINDOWS\system32\csaedtdh\install1.gif
C:\WINDOWS\system32\csaedtdh\left1.gif
C:\WINDOWS\system32\csaedtdh\li.gif
C:\WINDOWS\system32\csaedtdh\logo.gif
C:\WINDOWS\system32\csaedtdh\main.htm
C:\WINDOWS\system32\csaedtdh\mainframe.htm
C:\WINDOWS\system32\csaedtdh\reinstall1.gif
C:\WINDOWS\system32\csaedtdh\right1.gif
C:\WINDOWS\system32\csaedtdh\s1.htm
C:\WINDOWS\system32\csaedtdh\s2.htm
C:\WINDOWS\system32\csaedtdh\s3.htm
C:\WINDOWS\system32\csaedtdh\SMTop1.gif
C:\WINDOWS\system32\csaedtdh\SMTop2.gif
C:\WINDOWS\system32\csaedtdh\SMTop3.gif
C:\WINDOWS\system32\csaedtdh\SMTop4.gif
C:\WINDOWS\system32\csaedtdh\soft1_off.gif
C:\WINDOWS\system32\csaedtdh\soft1_off_ext.gif
C:\WINDOWS\system32\csaedtdh\soft1_on.gif
C:\WINDOWS\system32\csaedtdh\soft1_on_ext.gif
C:\WINDOWS\system32\csaedtdh\soft2_off.gif
C:\WINDOWS\system32\csaedtdh\soft2_off_ext.gif
C:\WINDOWS\system32\csaedtdh\soft2_on.gif
C:\WINDOWS\system32\csaedtdh\soft2_on_ext.gif
C:\WINDOWS\system32\csaedtdh\soft3_off.gif
C:\WINDOWS\system32\csaedtdh\soft3_off_ext.gif
C:\WINDOWS\system32\csaedtdh\soft3_on.gif
C:\WINDOWS\system32\csaedtdh\soft3_on_ext.gif
C:\WINDOWS\system32\csaedtdh\softbottom_off.gif
C:\WINDOWS\system32\csaedtdh\softbottom_on.gif
C:\WINDOWS\system32\csaedtdh\softleft_off.gif
C:\WINDOWS\system32\csaedtdh\softleft_on.gif
C:\WINDOWS\system32\csaedtdh\top1.gif
C:\WINDOWS\system32\csaedtdh\top2.gif
C:\WINDOWS\system32\csaedtdh\turnoff1.gif
C:\WINDOWS\system32\csaedtdh\turnon1.gif
C:\WINDOWS\system32\spooldr.sys
C:\WINDOWS\system32\Systemfiles\taskmgr.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\idrmkl


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-07-30 19:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 19:00 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-30 18:50 90,624 --a------ C:\WINDOWS\system32\msoert2.dll
2007-07-30 18:50 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2007-07-30 18:50 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2007-07-30 18:50 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-07-30 18:50 70,400 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-07-30 18:50 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2007-07-30 18:50 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-07-30 18:50 61,952 --a------ C:\WINDOWS\system32\srclient.dll
2007-07-30 18:50 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-07-30 18:50 47,616 --a------ C:\WINDOWS\system32\inetres.dll
2007-07-30 18:50 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2007-07-30 18:50 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-07-30 18:50 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-07-30 18:50 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-07-30 18:50 32,384 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-07-30 18:50 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-07-30 18:50 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-07-30 18:50 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2007-07-30 18:50 249,856 --a------ C:\WINDOWS\system32\mstask.dll
2007-07-30 18:50 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-07-30 18:50 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-07-30 18:50 218,112 --a------ C:\WINDOWS\system32\srrstr.dll
2007-07-30 18:50 179,200 --a------ C:\WINDOWS\system32\qmgr.dll
2007-07-30 18:50 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-07-30 18:50 158,720 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-07-30 18:50 155,136 --a------ C:\WINDOWS\system32\srsvc.dll
2007-07-30 18:48 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-07-30 18:48 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:48 88,576 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-07-30 18:48 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-07-30 18:48 8,704 --a------ C:\WINDOWS\system32\icaapi.dll
2007-07-30 18:48 73,864 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-07-30 18:48 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2007-07-30 18:48 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-07-30 18:48 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-07-30 18:48 54,784 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-07-30 18:48 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-07-30 18:48 503,296 --a------ C:\WINDOWS\system32\mstscax.dll
2007-07-30 18:48 41,984 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-07-30 18:48 40,448 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-07-30 18:48 4,096 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-07-30 18:48 385,536 --a------ C:\WINDOWS\system32\mstsc.exe
2007-07-30 18:48 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-07-30 18:48 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-07-30 18:48 20,232 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-07-30 18:48 197,632 --a------ C:\WINDOWS\system32\termsrv.dll
2007-07-30 18:48 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2007-07-30 18:48 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2007-07-30 18:48 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-07-30 18:48 134,656 --a------ C:\WINDOWS\system32\rdchost.dll
2007-07-30 18:48 130,048 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-07-30 18:48 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-07-30 18:48 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-07-30 18:48 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-07-30 18:48 112,128 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:48 11,144 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-07-30 18:47 57,344 --a------ C:\WINDOWS\system32\licwmi.dll
2007-07-30 18:47 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2007-07-30 18:47 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2007-07-30 18:47 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-07-30 18:43 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-07-30 18:43 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-30 18:42 55,808 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-07-30 18:42 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-30 18:41 23,070 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-07-30 18:38 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-07-30 18:30 37,896 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-07-30 18:30 181,632 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-07-30 18:29 70,656 --a------ C:\WINDOWS\system32\storprop.dll
2007-07-30 18:29 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-07-30 18:29 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-07-30 18:29 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-07-29 20:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-29 20:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-29 20:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-26 08:18 <DIR> d-------- C:\DOCUME~1\ALEX\APPLIC~1\Nexon
2007-07-20 23:14 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-20 23:14 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-20 23:14 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-20 23:13 96,768 --a------ C:\WINDOWS\system32\logagent.exe
2007-07-20 23:13 940,544 --a------ C:\WINDOWS\system32\wmspdmoe.dll
2007-07-20 23:13 895,736 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-07-20 23:13 774,904 --a------ C:\WINDOWS\system32\wmsdmod.dll
2007-07-20 23:13 716,288 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-07-20 23:13 66,560 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2007-07-20 23:13 61,952 --a------ C:\WINDOWS\system32\wpdconns.dll
2007-07-20 23:13 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2007-07-20 23:13 47,104 --a------ C:\WINDOWS\system32\uwdf.exe
2007-07-20 23:13 413,944 --a------ C:\WINDOWS\system32\wmspdmod.dll
2007-07-20 23:13 396,528 --a------ C:\WINDOWS\system32\wmadmod.dll
2007-07-20 23:13 38,912 --a------ C:\WINDOWS\system32\wdfmgr.exe
2007-07-20 23:13 364,784 --a------ C:\WINDOWS\system32\MSSCP.dll
2007-07-20 23:13 335,872 --a------ C:\WINDOWS\system32\WMDRMdev.dll
2007-07-20 23:13 331,776 --a------ C:\WINDOWS\system32\wpdmtpdr.dll
2007-07-20 23:13 331,264 --a------ C:\WINDOWS\system32\wpdsp.dll
2007-07-20 23:13 33,792 --a------ C:\WINDOWS\system32\WMDMPS.dll
2007-07-20 23:13 315,904 --a------ C:\WINDOWS\system32\MSWMDM.dll
2007-07-20 23:13 290,816 --a------ C:\WINDOWS\system32\WMDRMNet.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 21:35 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\.purple
2007-08-02 21:34 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\gtk-2.0
2007-07-30 19:01 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-30 18:50 --------- d-------- C:\Program Files\Movie Maker
2007-07-30 18:48 --------- d-------- C:\Program Files\Windows NT
2007-07-29 09:40 --------- d-------- C:\Program Files\Lx_cats
2007-07-02 14:12 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\Azureus
2007-06-29 16:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-29 16:16 --------- d-------- C:\Program Files\EPGY
2007-06-29 15:02 247903 --a------ C:\WINDOWS\system32\vtsqo.dll
2007-06-28 19:52 --------- d-------- C:\Program Files\RubikPlayer
2007-06-28 13:44 --------- d-------- C:\Program Files\Common Files\Merge Modules
2007-06-28 13:39 --------- d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2007-06-28 13:31 --------- d-------- C:\Program Files\HTML Help Workshop
2007-06-28 13:31 --------- d-------- C:\Program Files\Common Files\Crystal Decisions
2007-06-28 12:08 --------- d-------- C:\Program Files\Cheat Engine
2007-06-27 20:59 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\Dev-Cpp
2007-06-27 10:47 --------- d--h----- C:\Program Files\Zero G Registry
2007-06-27 10:47 --------- d-------- C:\Program Files\CubeTwister 1.0.3.1
2007-06-26 21:13 --------- d-------- C:\Program Files\Dev-C++
2007-06-26 08:37 --------- d-------- C:\Program Files\BotEditor
2007-06-25 16:12 --------- d-------- C:\Program Files\Common Files\DirectX
2007-06-25 16:08 --------- d-------- C:\Program Files\RobotArena
2007-06-25 06:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-21 09:57 --------- d-------- C:\Program Files\Pacific Tech
2007-06-19 19:07 515072 --a------ C:\WINDOWS\system32\logonuiX.exe
2007-06-19 19:04 --------- d-------- C:\Program Files\WinCustomize
2007-06-18 08:31 40083 --a------ C:\mevqvvvb2.exe
2007-06-17 20:12 77880 --a------ C:\mevqvvvb1.exe
2007-06-17 19:27 --------- d-------- C:\Program Files\Google
2007-06-17 19:27 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\Google
2007-06-17 18:27 6263 --a------ C:\WINDOWS\mozver.dat
2007-06-17 16:59 --------- d-------- C:\Program Files\WinDecrypto
2007-06-16 12:30 --------- d-------- C:\Program Files\WinPcap
2007-06-16 12:30 --------- d-------- C:\Program Files\SoftByte Labs
2007-06-15 17:53 --------- d-------- C:\Program Files\Pidgin
2007-06-12 16:26 --------- d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-06-11 16:51 --------- d-------- C:\Program Files\Hawkeye
2007-06-11 16:40 --------- d-------- C:\Program Files\JNetCube
2007-06-09 20:15 --------- d-------- C:\Program Files\Common Files\Stardock
2007-06-09 20:14 --------- d-------- C:\Program Files\Stardock
2007-06-09 18:35 --------- d-------- C:\Program Files\Elite Calculator
2007-06-09 18:23 --------- d-------- C:\Program Files\Equalizer
2007-06-09 13:32 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-06-09 13:28 7852 --a------ C:\WINDOWS\system32\mcdmsg7.dll
2007-06-09 13:12 --------- d-------- C:\Program Files\Microsoft IntelliType Pro
2007-06-08 17:32 --------- d-------- C:\Program Files\WinAce
2007-06-06 22:13 21200 --a------ C:\DOCUME~1\ALEX\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-06 19:34 --------- d-------- C:\Program Files\Glest_2.0.0
2007-06-06 17:59 242063 --a------ C:\WINDOWS\system32\ddayw.dll
2007-06-03 09:29 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-06-02 22:27 --------- d-------- C:\Program Files\Common Files\Borland Shared
2007-06-02 21:49 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\Lolindrath Development Group
2007-06-02 21:49 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\IsolatedStorage
2007-06-02 21:31 --------- d-------- C:\Program Files\Common Files\GTK
2007-06-02 18:07 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\Bersirc
2007-06-02 17:55 --------- d-------- C:\DOCUME~1\ALEX\APPLIC~1\X-Chat 2
2007-06-02 17:40 --------- d-------- C:\Program Files\Common Files\aolshare


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


- Not a PE file.

- Invalid filepath

---- C:\WINDOWS\System32\drivers\BCSWAP.sys ----

Company: Jetico, Inc.
File Description: BCSwap Driver
File Version: 1.14 built by: WinDDK
Product Name: Jetico(R) BestCrypt(TM) Security System for Windows NT(TM)
Copyright: Copyright (C) Jetico, Inc. 1993-2001
Original file name: bcswap.sys

---- Directory of C:\Program Files\WindowsUpdate ----

2007-07-30 19:01 20 --ah----- C:\Program Files\WindowsUpdate\pingstatus.dat

---- Directory of C:\WINDOWS\system32\Systemfiles ----

2007-07-07 17:25 692030 --ah----- C:\WINDOWS\system32\Systemfiles\klog.dat
2004-08-04 00:56 1268049 ---h----- C:\WINDOWS\system32\Systemfiles\taskmgr.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-12-17 22:00]
"nwiz"="nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-03 12:31]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 14:33]
"D-Link AirPlus XtremeG"="D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-10-27 16:07]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-14 10:17]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 23:07]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 05:05]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 06:36]
"ShellONStartup"="D:\Program Files\ShellON\ShellONInstall\ShellONStartup.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"BCWipeTM Startup"="D:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [2004-02-24 22:49]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"SysMetrix"="D:\Program Files\SysMetrix\SysMetrix.exe" [2006-02-25 13:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 18:38]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" []
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 12:39 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 05:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"Pidgin"="C:\Program Files\Pidgin\pidgin.exe" [2007-06-15 05:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-06-07 16:38 176128 D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

R2 ANIO;ANIO Service;\??\C:\WINDOWS\system32\ANIO.SYS
R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
R2 NAVAPEL;NAVAPEL;\??\D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\System32\DRIVERS\wanatw4.sys
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\System32\DRIVERS\A5AGU.sys
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\System32\Drivers\ATHFMWDL.sys
S3 ctljystk;Creative SBLive! Gameport;C:\WINDOWS\System32\DRIVERS\ctljystk.sys
S3 NAVAP;NAVAP;\??\D:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys
S3 usbcm;USB Cable Modem 351000 NDIS Driver;C:\WINDOWS\System32\DRIVERS\usbcm.sys
S4 BCSWAP;BCSWAP;C:\WINDOWS\System32\drivers\BCSWAP.sys


Contents of the 'Scheduled Tasks' folder
2007-08-02 23:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2007-08-03 04:39:04 C:\WINDOWS\Tasks\Sysmetrix.job - C:\Program Files\Hawkeye\Sysmetrix.hss

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 21:39:17
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 21:41:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 21:40
C:\ComboFix2.txt ... 2007-07-30 19:40

--- E O F ---

DaWib
2007-08-03, 06:45
Logfile of HijackThis v1.99.1
Scan saved at 9:44:54 PM, on 8/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Tensons.Application.DownloadAcceleratorManager.BHO - {00000003-1118-11da-8cd6-0800200c9888} - mscoree.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1151955035\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] D:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ShellONStartup] D:\Program Files\ShellON\ShellONInstall\ShellONStartup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BCWipeTM Startup] "D:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SysMetrix] D:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - Startup: HoverDesk.lnk = D:\Program Files\HoverDesk\HoverDesk.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with DAM - D:\Program Files\Tensons\Download Accelerator Manager\Free Edition\addUrl.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

random/random
2007-08-03, 14:24
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:

Hide extensions for known file types
Hide protected operating system files (Recommended)

You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:

Show hidden files and folders

Click Apply and then click OK


Run HijackThis
Click on "Do a system scan only"
Place a checkmark next to these lines (if still present)


O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

Then close all windows except HijackThis and click Fix Checked

Use windows explorer to find and delete these files:

C:\WINDOWS\uni_eh44.exe
C:\mevqvvvb2.exe
C:\mevqvvvb1.exe
C:\WINDOWS\system32\ddayw.dll

And this folder:

C:\WINDOWS\system32\Systemfiles\

Go here (http://www.kaspersky.com/virusscanner) to run an online scanner from Kaspersky.

Click on "Kaspersky Online Scanner"
A new smaller window will pop up. Press on "Accept" after reading the contents.
Now Kaspersky will update the anti-virus database. Let it run.
Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
Then click on "My Computer", and the scan will start.
Once finished, save the log as "KAV.txt" to the desktop.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.

Post back with the Kaspersky log, a new HijackThis log & let me know of any remaining problems
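
The entries the helper picks out above fall into recognisable patterns: O9/O3 lines whose target is "(no file)" or "(file missing)", an O23 service with no vendor name, and an O4 Startup entry that is a bare executable rather than a shortcut. The following is an added example, not code from this thread or from HijackThis, that reads HijackThis O-lines and flags those patterns for a human to review; the sample log lines are constructed from the log posted above.

```python
import re
from typing import List, Tuple

# Markers HijackThis prints when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Every HijackThis finding starts with a section code such as O4, O9, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Constructed sample: six lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (section, line, reasons) for each line that deserves a closer look.

    A flag is a prompt for manual review, not a verdict: legitimate software
    also leaves orphaned entries behind after an uninstall.
    """
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # blank line or a non-O line (process list, header)
        section, body = match.groups()
        reasons = []
        if any(marker in body for marker in ORPHAN_MARKERS):
            reasons.append("orphaned: target file absent")
        if section == "O23" and " - - " in body:
            # HijackThis prints "name - vendor - path"; an empty vendor field
            # shows up as two consecutive separators.
            reasons.append("service with no vendor name")
        if section == "O4" and body.startswith("Startup:"):
            target = body[len("Startup:"):].strip()
            # Startup-folder items are normally .lnk shortcuts; a bare .exe
            # with no path is unusual and worth verifying by hand.
            if not target.lower().endswith(".lnk") and "\\" not in target:
                reasons.append("startup entry with no shortcut or path")
        if reasons:
            flagged.append((section, line, reasons))
    return flagged


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {line}\n    -> {'; '.join(reasons)}")
```

Run against the sample, the PowerReg, AOL Toolbar, WinHTTrack and lxcg_device lines are flagged while the Pidgin and NVIDIA lines pass.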

DaWib
2007-08-04, 22:35
When I click "Accept" on the Kaspersky window, nothing happens. :sad: Nothing at all. It doesn't download anything.

DaWib
2007-08-05, 00:36
Also, I'm using the latest version of Firefox, not IE7.

random/random
2007-08-05, 20:37
The Kaspersky scanner requires ActiveX to run.

Since Firefox does not support ActiveX, please use Internet Explorer to run the scan.

tashi
2007-08-15, 19:55
This topic has been archived due to lack of a response.
If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.